nsaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x4c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3320.129167][T23033] kvm: apic: phys broadcast and lowest prio 04:41:01 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x6, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:01 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) arch_prctl$ARCH_MAP_VDSO_32(0x2002, 0x6) ioctl$UI_GET_VERSION(r0, 0x8004552d, &(0x7f0000000100)) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:01 executing program 4: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000280)='/dev/dsp\x00', 0x4000, 0x0) ioctl$DRM_IOCTL_GEM_FLINK(0xffffffffffffff9c, 0xc008640a, &(0x7f00000002c0)={0x0, 0x0}) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffff9c, 0xc010640b, &(0x7f0000000300)={0x0, 0x0, 0x5}) ioctl$DRM_IOCTL_GEM_OPEN(r0, 0xc010640b, &(0x7f0000000340)={r1, r2, 0x20}) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x80080, 0x0) ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffff9c, 0xc0086420, &(0x7f00000000c0)={0x0}) ioctl$DRM_IOCTL_SET_SAREA_CTX(r3, 0x4010641c, &(0x7f0000000240)={r4, &(0x7f0000000100)=""/195}) ioctl$UI_SET_EVBIT(0xffffffffffffffff, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(0xffffffffffffffff, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) sysfs$1(0x1, &(0x7f0000000000)='&@\x00') ioctl$UI_SET_LEDBIT(0xffffffffffffffff, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) 04:41:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x6000000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:01 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3320.409474][T23048] input: syz0 as /devices/virtual/input/input1020 [ 3320.415462][T23047] kvm: apic: phys broadcast and lowest prio 04:41:01 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x6800000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:01 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3320.634971][T23166] input:  as /devices/virtual/input/input1021 [ 3320.724734][T23175] input:  as /devices/virtual/input/input1022 04:41:02 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x0, 0x2) r1 = syz_open_dev$amidi(&(0x7f0000000080)='/dev/amidi#\x00', 0xfffffffffffffffe, 0x0) openat$dlm_plock(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm_plock\x00', 0x1, 0x0) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vga_arbiter\x00', 0x400, 0x0) syz_open_dev$audion(&(0x7f0000000140)='/dev/audio#\x00', 0x4, 0x40000) r2 = open(&(0x7f0000000180)='./file0\x00', 0x9811fd55dcc9448d, 0x4) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x8010000000000084) listen(r3, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r3, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) connect$rds(r1, &(0x7f00000001c0)={0x2, 0x4e23, @loopback}, 0x10) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:02 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{0x0, 0x0, 0x3}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x802, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vfio/vfio\x00', 0x40000, 0x0) r2 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_bt_cmtp_CMTPCONNADD(r1, 0x400443c8, &(0x7f0000000100)={r2, 0x10000}) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:02 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x3a, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x6c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:02 executing program 4: ioctl$UI_SET_EVBIT(0xffffffffffffffff, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(0xffffffffffffffff, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(0xffffffffffffffff, 0x40045569, 0xa) r0 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x5, 0x101000) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3321.059488][T23193] input: syz0 as /devices/virtual/input/input1023 [ 3321.086345][T23187] kvm: apic: phys broadcast and lowest prio 04:41:02 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:02 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x6, 0x8000) ioctl$SNDRV_SEQ_IOCTL_PVERSION(r1, 0x80045300, &(0x7f0000000080)) 04:41:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x7400000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3321.238690][T23306] input:  as /devices/virtual/input/input1024 [ 3321.250773][T23307] input:  as /devices/virtual/input/input1025 04:41:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3321.349481][T23312] kvm: apic: phys broadcast and lowest prio [ 3321.366122][T23315] binder_alloc: 23314: binder_alloc_buf, no vma 04:41:02 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000040)='net/udp\x00') r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/mixer\x00', 0xc2401, 0x0) perf_event_open$cgroup(&(0x7f00000000c0)={0x5, 0x70, 0x3, 0x2b3, 0x77, 0x2, 0x0, 0x100000000, 0x10040, 0x4, 0x6, 0x1, 0x9, 0x7f, 0x100000000, 0x200, 0x939, 0x4, 0x5a3, 0x3, 0x80000001, 0x32, 0x0, 0xfffffffffffff239, 0x66b2, 0xeb, 0x0, 0x8, 0x6, 0xae, 0x6, 0x3, 0x2, 0x6, 0xa0, 0x2, 0x2, 0x1, 0x0, 0x8, 0x4, @perf_config_ext={0xdf, 0x200}, 0x100, 0x7f, 0x101, 0x9, 0x8, 0x1, 0x7}, r1, 0x0, r2, 0x8) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3321.400080][T23315] binder: 23314:23315 transaction failed 29189/-3, size 24-8 line 3147 04:41:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x2, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3321.448931][T23318] input: syz0 as /devices/virtual/input/input1026 [ 3321.711255][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:03 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x200, 0x0) io_setup(0x0, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000200)={0x0, 0x18, 0xfa00, {0x4, &(0x7f00000001c0)={0xffffffffffffffff}, 0x13f, 0x1009}}, 0x20) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f0000000340)={0xe, 0x18, 0xfa00, @id_tos={&(0x7f0000000180)=0xffffffffffffffa7, r1, 0x0, 0x0, 0x1}}, 0x20) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080)='TIPC\x00') ioctl$RTC_WIE_OFF(r0, 0x7010) sendmsg$TIPC_CMD_GET_NETID(r0, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x1c, r3, 0x102, 0x70bd25, 0x25dfdbff, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x5}, 0x800) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) ioctl$RTC_AIE_OFF(r2, 0x7002) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:03 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x42, 0x0) setsockopt$SO_VM_SOCKETS_CONNECT_TIMEOUT(r1, 0x28, 0x6, &(0x7f0000000080), 0x10) 04:41:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x7a00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:03 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00', 0x20000000000000}) ioctl$UI_SET_FFBIT(r0, 0x4004556b, 0xd) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x3, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3322.061278][T23543] binder_alloc: 23542: binder_alloc_buf, no vma [ 3322.067797][T23538] input:  as /devices/virtual/input/input1027 [ 3322.091569][T23540] input: syz0 as /devices/virtual/input/input1028 [ 3322.101672][T23543] binder: 23542:23543 transaction failed 29189/-3, size 24-8 line 3147 [ 3322.113875][T23541] kvm: apic: phys broadcast and lowest prio [ 3322.154218][T23560] input:  as /devices/virtual/input/input1029 04:41:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0xc0ffffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:03 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$SIOCGETNODEID(r0, 0x89e1, &(0x7f0000000000)={0x1}) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) signalfd4(r0, &(0x7f0000000080)={0x3f}, 0x8, 0x800) 04:41:03 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f00000002c0)={{{@in, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@initdev}, 0x0, @in=@multicast2}}, &(0x7f00000003c0)=0xe8) stat(&(0x7f0000000400)='./file0\x00', &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000004c0)={0x0, 0x0}, &(0x7f0000000500)=0xc) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000540)={{{@in6=@local, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6}}, &(0x7f0000000640)=0xe8) r5 = shmget$private(0x0, 0x4000, 0x4, &(0x7f0000ffb000/0x4000)=nil) shmctl$SHM_LOCK(r5, 0xb) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000680)={0x0, 0x0, 0x0}, &(0x7f00000006c0)=0xc) r7 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000780)='/dev/hwrng\x00', 0x4000, 0x0) getsockopt$inet_udp_int(r7, 0x11, 0x67, &(0x7f00000007c0), &(0x7f0000000800)=0x4) lsetxattr$system_posix_acl(&(0x7f0000000240)='./file0\x00', &(0x7f0000000280)='system.posix_acl_access\x00', &(0x7f0000000700)={{}, {}, [{0x2, 0x1, r1}, {0x2, 0x5, r2}, {0x2, 0x2, r3}, {0x2, 0x6, r4}], {0x4, 0x5}, [{0x8, 0x4, r6}], {0x10, 0x7}, {0x20, 0x7}}, 0x4c, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r8 = openat$vicodec1(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video37\x00', 0x2, 0x0) ioctl$VIDIOC_QUERY_EXT_CTRL(r8, 0xc0e85667, &(0x7f00000000c0)={0x80000000, 0x8, "863730729c7e2e41234e62b7eca5c82b5d72945f72099e1e87745f4f1794898a", 0x8, 0x1874, 0xde, 0x8, 0x401, 0x100, 0x7, 0xfffffffffffffffd, [0x2, 0x6, 0xfffffffffffffff8, 0x4]}) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3322.406772][T23757] kvm: apic: phys broadcast and lowest prio 04:41:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x4, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3322.457287][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3322.494695][T23765] input: syz0 as /devices/virtual/input/input1030 [ 3322.549759][T23766] input:  as /devices/virtual/input/input1031 [ 3322.563097][T23772] binder_alloc: 23768: binder_alloc_buf, no vma 04:41:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0xfdfdffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3322.599261][T23772] binder: 23768:23772 transaction failed 29189/-3, size 24-8 line 3147 [ 3322.640522][T23766] input:  as /devices/virtual/input/input1032 [ 3322.700157][T23824] kvm: apic: phys broadcast and lowest prio [ 3322.892408][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:04 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) ioctl$PPPIOCSMRU1(r3, 0x40047452, &(0x7f0000000000)=0x7) 04:41:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0xff00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:04 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x5, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:04 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0x5) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:04 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-control\x00', 0x80, 0x0) ioctl$RTC_RD_TIME(r1, 0x80247009, &(0x7f0000000140)) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000000c0)={{}, 'syz0\x00'}) ioctl$VIDIOC_S_JPEGCOMP(r1, 0x408c563e, &(0x7f0000000180)={0x101, 0x0, 0x5, "25588579f69356690532320643589e381476b7d620a66def38722564948d21a9000f5ed6b404ef9e7139d47a9e65a59e7b50d9cc185327b0451f2134", 0x32, "792214873c07516d519bbff6081cfce540f23a7dd168fbf08110c099f0363b020c0da0d34a6b2591b366f0a1cc9514531c6bf073e68e736d893faad7", 0x90}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3323.031109][T23993] input: syz0 as /devices/virtual/input/input1033 [ 3323.049208][T23995] input:  as /devices/virtual/input/input1034 [ 3323.056432][T24003] binder_alloc: 24000: binder_alloc_buf, no vma [ 3323.090394][T24007] input:  as /devices/virtual/input/input1035 [ 3323.119564][T24003] binder: 24000:24003 transaction failed 29189/-3, size 24-8 line 3147 04:41:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x2]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3323.332524][T24182] kvm: apic: phys broadcast and lowest prio 04:41:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:04 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x6, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3323.379372][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:04 executing program 2: ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(0xffffffffffffffff, 0x5502) [ 3323.427793][T24218] binder_alloc: 24217: binder_alloc_buf, no vma [ 3323.440327][T24218] binder: 24217:24218 transaction failed 29189/-3, size 24-8 line 3147 [ 3323.451536][T24218] binder: 24217:24218 Release 1 refcount change on invalid ref 1 ret -22 04:41:04 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0xd) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) readahead(r0, 0x0, 0x1a7) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$sock_SIOCGPGRP(0xffffffffffffff9c, 0x8904, &(0x7f0000000000)=0x0) syz_open_procfs(r1, &(0x7f0000000080)='net/ip_vs_stats\x00') [ 3323.474615][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x3]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3323.570185][T24255] input:  as /devices/virtual/input/input1036 [ 3323.648885][T24255] input:  as /devices/virtual/input/input1037 [ 3323.665678][T24279] kvm: apic: phys broadcast and lowest prio 04:41:05 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) fstatfs(r0, &(0x7f0000000080)=""/155) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r1 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9, 0x0) ioctl$sock_kcm_SIOCKCMUNATTACH(r1, 0x89e1, &(0x7f0000000040)={r0}) listen(r0, 0xffffffffffffff03) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x7, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:05 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock\x00', 0x2002c0, 0x0) ioctl$VIDIOC_ENUMINPUT(r1, 0xc050561a, &(0x7f00000000c0)={0x5, "6422689cd27e47b2eace9e9a3ac5520145e793c2576608d2b87c840438f74b72", 0x1, 0x6, 0x2, 0xff0008, 0x4000000, 0xe}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x3) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:05 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r1 = open(&(0x7f0000000000)='./file0\x00', 0x0, 0x150) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00') sendmsg$IPVS_CMD_DEL_DEST(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x8002000}, 0xc, &(0x7f0000000180)={&(0x7f0000000100)={0x54, r2, 0x200, 0x70bd2b, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x40, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@mcast2}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e24}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x400}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'sh\x00'}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'fo\x00'}]}]}, 0x54}, 0x1, 0x0, 0x0, 0x4000}, 0x10) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3323.985966][T24354] input: syz0 as /devices/virtual/input/input1038 [ 3323.988318][T24357] binder_alloc: 24348: binder_alloc_buf, no vma [ 3324.036450][T24357] binder: 24348:24357 transaction failed 29189/-3, size 24-8 line 3147 [ 3324.044795][T24358] input:  as /devices/virtual/input/input1039 [ 3324.044985][T24353] kvm: apic: phys broadcast and lowest prio 04:41:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x5]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3324.170185][T24358] input:  as /devices/virtual/input/input1040 04:41:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3324.302837][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3324.310032][T24570] kvm: apic: phys broadcast and lowest prio 04:41:05 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) r1 = syz_open_dev$mice(&(0x7f00000000c0)='/dev/input/mice\x00', 0x0, 0x800) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000140)='TIPCv2\x00') sendmsg$TIPC_NL_MEDIA_GET(r1, &(0x7f00000001c0)={&(0x7f0000000100), 0xc, &(0x7f0000000180)={&(0x7f0000000440)=ANY=[@ANYBLOB="80010000", @ANYRES16=r2, @ANYBLOB="100029bd7000fedbdf250b0000006c010100140001006574683a69703665727370616e3000000c00020008000300f9730000540002000800010012000000080001000b0000000800020004000000080004000300000008000100110000000800040000000000080001000100000008000300ff03000008000100060000000800030000000000380004001400010002004e23ac1414bb0000000000000000200002000a004e23000000e8a9755dbc3969b942dde0a515de7df9a13f000000100001007564703a73797a3000000000380004001400010002004e20ac1e00010000000000000000200002000a004e2100000005ff01000000000000000000000000000102000000380004001400010002004e21ffffffff0000000000000000200002000a004e2200000003fe800000000000000000000000000024010900003c000200080003000300000008000300010400000800040000800000080001001500000008000400090000000800030000020000080001000e000000bb5d0e189c9aab68134ae3b911d45bbe8605c11d462d120072c1a08b52b683d02c99b6e3a0b1a868f3b0609d1f228611e7d9f2ae360a789c135a9a8919a6eee13c2dec877a8d378b47aa"], 0x180}, 0x1, 0x0, 0x0, 0xc000}, 0xc000) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x20000, 0x0) ioctl$RNDGETENTCNT(r3, 0x80045200, &(0x7f0000000080)) 04:41:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x8, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:05 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = dup3(r0, r0, 0x80000) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r1, 0xc02c5341, &(0x7f00000000c0)) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net/syz1\x00', 0x200002, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3324.387362][T24573] binder: 24572:24573 transaction failed 29189/-22, size 24-8 line 2994 04:41:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3324.482368][T24584] input:  as /devices/virtual/input/input1041 [ 3324.516151][T24592] input: syz0 as /devices/virtual/input/input1042 [ 3324.553385][T24598] input:  as /devices/virtual/input/input1043 [ 3324.591234][T24608] kvm: apic: phys broadcast and lowest prio [ 3324.778763][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:06 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000040)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f0000000100)={&(0x7f0000000000), 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x24, r3, 0x200, 0x70bd2c, 0x25dfdbfe, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0xb7}}, ["", "", "", ""]}, 0x24}}, 0x800) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x43, 0x80002) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:06 executing program 2: r0 = socket$can_bcm(0x1d, 0x2, 0x2) ioctl$sock_SIOCBRADDBR(r0, 0x89a0, &(0x7f0000000040)='gre0\x00') r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) 04:41:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:06 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0xa, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3324.933132][T24806] input: syz0 as /devices/virtual/input/input1044 [ 3324.960997][T24809] binder: 24803:24809 transaction failed 29189/-22, size 24-8 line 2994 04:41:06 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x16) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r1 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x100, 0x0) ioctl$DRM_IOCTL_GET_MAGIC(r1, 0x80046402, &(0x7f0000000080)=0x3) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) getuid() [ 3325.044914][T24810] kvm: apic: phys broadcast and lowest prio [ 3325.131702][T24949] input:  as /devices/virtual/input/input1045 04:41:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x48]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:06 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = syz_open_dev$vcsn(&(0x7f0000000180)='/dev/vcs#\x00', 0x3, 0x400000) setsockopt$TIPC_CONN_TIMEOUT(r1, 0x10f, 0x82, &(0x7f0000000380)=0x7, 0x4) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000000040)=0x0) r3 = socket$inet(0x10, 0x2, 0xc) sendmsg(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)="24000000010807031dfffd946fa2830020200a0009000100001d85680c1baba20400ff7e", 0x24}], 0x1}, 0x0) ptrace$getenv(0x4201, r2, 0x2c, &(0x7f00000000c0)) ioctl$UI_DEV_DESTROY(r0, 0x5502) r4 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x2, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_ADD(r4, 0xc1105517, &(0x7f0000000240)={{0x5, 0x7, 0x1, 0x2, 'syz1\x00', 0x10001}, 0x4, 0x0, 0x7e, r2, 0x3, 0x8, 'syz1\x00', &(0x7f0000000140)=['vboxnet0cpusetem1ppp0,ppp0\x00', '/dev/input/event#\x00', '!\'\'em1.\x00'], 0x35, [], [0x5, 0x8, 0x1, 0x3]}) [ 3325.193497][T24980] input:  as /devices/virtual/input/input1046 04:41:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3325.301867][T25030] input: syz0 as /devices/virtual/input/input1047 [ 3325.314635][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3325.358254][T25032] kvm: apic: phys broadcast and lowest prio [ 3325.368396][T25036] binder: 25035:25036 transaction failed 29189/-22, size 24-8 line 2994 04:41:06 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0xb, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4c]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:06 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) fstat(r0, &(0x7f0000000080)) ioctl$EXT4_IOC_GROUP_EXTEND(r0, 0x40086607, &(0x7f0000000000)=0x2b8f) [ 3325.611822][T25208] kvm: apic: phys broadcast and lowest prio [ 3325.620237][T25222] input:  as /devices/virtual/input/input1048 [ 3325.681025][T25251] input input1049: cannot allocate more than FF_MAX_EFFECTS effects [ 3325.714586][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:07 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000000000)={0x8, 0x200, 0x112d, 0x0, 0x0}, &(0x7f0000000040)=0x10) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f0000000080)={r3, 0x100}, &(0x7f00000000c0)=0x8) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:07 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x1, 0x2) getpeername$inet(r1, &(0x7f00000001c0)={0x2, 0x0, @local}, &(0x7f0000000200)=0x10) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f0000000140)={{0x100000000, 0xf79, 0x7, 0x4}, 'syz0\x00', 0x49}) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000000c0)={{0x0, 0x3}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:07 executing program 0: syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x60]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:07 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x40, 0x0) ioctl$KDSKBLED(r1, 0x4b65, 0xfff) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0xc, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3325.947091][T25264] input: syz0 as /devices/virtual/input/input1051 [ 3325.957107][T25268] binder: 25266:25268 Release 1 refcount change on invalid ref 1 ret -22 [ 3325.968271][T25265] kvm: apic: phys broadcast and lowest prio [ 3325.990269][T25260] input:  as /devices/virtual/input/input1052 04:41:07 executing program 0: syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x68]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3326.061326][T25297] input:  as /devices/virtual/input/input1053 [ 3326.185285][T25385] binder: 25382:25385 Release 1 refcount change on invalid ref 1 ret -22 04:41:07 executing program 0: syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:07 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = dup2(r0, r0) write$cgroup_type(r1, &(0x7f0000000100)='threaded\x00', 0x9) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r2 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x2, 0x8001) write$P9_RXATTRWALK(r2, &(0x7f00000000c0)={0xf, 0x1f, 0x1, 0xb08}, 0xf) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3326.249190][T25384] kvm: apic: phys broadcast and lowest prio [ 3326.319415][T25390] input: syz0 as /devices/virtual/input/input1054 [ 3326.333493][T25392] binder: 25388:25392 Release 1 refcount change on invalid ref 1 ret -22 04:41:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0xd, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6c]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3326.497478][T25466] kvm: apic: phys broadcast and lowest prio 04:41:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = dup(r0) ioctl$RTC_AIE_ON(r1, 0x7001) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) ioctl$DRM_IOCTL_SET_UNIQUE(r1, 0x40106410, &(0x7f0000000100)={0xc0, &(0x7f0000000040)="cda4eec2bd50675a52631564a0ddd6af31e3e98e461eeee758246f438447e768e48e666dc821ff2e4220a7a7752bb835b13fa63d80ee1bb26baf15767fe469996f8025974ed4e294114fe2a1215590522455639f497c8a9c61118add045b0b09c4c30f0eac706ed0e0e8a135a180cf4b196b1675afb85ebe92134c551e9ecaca5382ebaa9eb90c80e8a2f4fdc26ebecd4ff58d33c0b614f09c3faf894dc390cf57fc5cca8d1863d6bf8ae238b4f43f4797c29470a2dcb7d29b6e84c1492bdf51"}) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) setsockopt$packet_fanout(r3, 0x107, 0x12, &(0x7f0000000000)={0x8, 0x3}, 0xffffffffffffff55) 04:41:08 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000000c0)={{0x5, 0x5822, 0xfffffffffffffffe, 0x2}, 'syz0\x00', 0x6}) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0) ioctl$KVM_S390_INTERRUPT_CPU(r1, 0x4010ae94, &(0x7f0000000080)={0x40, 0x5, 0xec94}) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x74]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:08 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_SET_SNDBIT(r0, 0x4004556a, 0x4) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x200000, 0x0) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r1, 0xc0bc5351, &(0x7f00000000c0)={0x2, 0x1, 'client0\x00', 0x3, "69c0e1f03a5f1e20", "b3a182db1b552033c66e31a7094ca565b5bbf2997dc08433f397492b38a16e64", 0x6, 0x5}) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x10, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3326.897630][T25513] input: syz0 as /devices/virtual/input/input1055 [ 3326.920760][T25520] binder: 25514:25520 ioctl c0306201 0 returned -14 [ 3326.932051][T25522] input:  as /devices/virtual/input/input1056 [ 3326.941493][T25516] kvm: apic: phys broadcast and lowest prio [ 3326.959036][T25520] binder: 25514:25520 Release 1 refcount change on invalid ref 1 ret -22 04:41:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7a]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3327.015519][T25564] input:  as /devices/virtual/input/input1057 04:41:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3327.154011][T25637] binder: 25636:25637 ioctl c0306201 0 returned -14 [ 3327.174011][T25635] kvm: apic: phys broadcast and lowest prio [ 3327.174733][T25637] binder: 25636:25637 Release 1 refcount change on invalid ref 1 ret -22 04:41:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:08 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) r1 = pkey_alloc(0x0, 0x3) openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x802, 0x0) pkey_free(r1) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x300]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x11, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3327.285477][T25641] binder: 25640:25641 ioctl c0306201 0 returned -14 [ 3327.305890][T25641] binder: 25640:25641 Release 1 refcount change on invalid ref 1 ret -22 [ 3327.380227][T25646] input:  as /devices/virtual/input/input1058 [ 3327.436499][T25646] input:  as /devices/virtual/input/input1059 [ 3327.465407][T25652] kvm: apic: phys broadcast and lowest prio 04:41:08 executing program 3: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x400400, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000040)={@mcast1, 0x1, 0x0, 0x3, 0x1, 0x2, 0x1}, 0x20) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:08 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000000c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = open(&(0x7f0000000080)='./file0\x00', 0x0, 0x10) ioctl$sock_bt_bnep_BNEPGETCONNINFO(r1, 0x800442d3, &(0x7f0000000140)={0x5, 0x1, 0x40, @broadcast, 'nlmon0\x00'}) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x10) ioctl$KVM_SET_CPUID2(r1, 0x4008ae90, &(0x7f0000000180)={0x2, 0x0, [{0x80000001, 0x30, 0x6, 0x6, 0x1, 0x401, 0x5}, {0x0, 0x4, 0x2, 0x4, 0xacee, 0x40, 0x1}]}) 04:41:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x500]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:08 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r1 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0xfffffffffffffff8, 0x1) recvfrom$inet6(r1, &(0x7f0000000080)=""/84, 0x54, 0x102, &(0x7f0000000100)={0xa, 0x4e21, 0x35c, @ipv4={[], [], @local}, 0xff}, 0x1c) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x12, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3327.754915][T25670] input: syz0 as /devices/virtual/input/input1061 [ 3327.767418][T25672] binder: 25671:25672 Release 1 refcount change on invalid ref 1 ret -22 [ 3327.777760][T25669] input:  as /devices/virtual/input/input1060 [ 3327.804891][T25664] kvm: apic: phys broadcast and lowest prio 04:41:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3327.885185][T25693] input:  as /devices/virtual/input/input1062 04:41:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x600]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3327.984121][T25774] binder: 25769:25774 Release 1 refcount change on invalid ref 1 ret -22 [ 3328.050264][T25788] kvm: apic: phys broadcast and lowest prio 04:41:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x13, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:09 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f00000000c0)='/dev/input/event#\x00', 0x80000001, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:09 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) r1 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x7fffffff, 0x8000) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(0xffffffffffffff9c, 0x84, 0x73, &(0x7f0000000080)={0x0, 0xdb, 0x20, 0x7, 0x3}, &(0x7f00000000c0)=0x18) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000000100)={r2, 0x2484}, &(0x7f0000000140)=0x8) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r1, 0x84, 0x76, &(0x7f0000000180)={r3, 0x2}, &(0x7f00000001c0)=0x8) 04:41:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3328.233756][T25799] input: syz0 as /devices/virtual/input/input1063 [ 3328.252235][T25801] binder: 25795:25801 Release 1 refcount change on invalid ref 1 ret -22 [ 3328.292350][T25803] input:  as /devices/virtual/input/input1064 [ 3328.355912][T25803] input:  as /devices/virtual/input/input1065 04:41:09 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0xff, 0x4000) ioctl$KVM_GET_CPUID2(r3, 0xc008ae91, &(0x7f0000000040)={0x6, 0x0, [{}, {}, {}, {}, {}, {}]}) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) openat$ion(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ion\x00', 0x101000, 0x0) 04:41:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x700]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x14, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:09 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x800000000000003, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:09 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) setsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000040)={0xfffffffffffffffa}, 0x4) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) setsockopt$sock_int(r1, 0x1, 0x6, &(0x7f00000000c0)=0x2, 0x4) [ 3328.746106][T25918] input: syz0 as /devices/virtual/input/input1066 [ 3328.755025][T25920] input:  as /devices/virtual/input/input1067 [ 3328.797450][T25928] binder: 25916:25928 Release 1 refcount change on invalid ref 1 ret -22 [ 3328.836347][T25924] kvm: apic: phys broadcast and lowest prio [ 3328.848761][T25942] input:  as /devices/virtual/input/input1069 [ 3328.887299][T25942] input: failed to attach handler leds to device input1069, error: -6 04:41:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x2000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3328.993717][T26036] binder: 26035:26036 Release 1 refcount change on invalid ref 1 ret -22 04:41:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:10 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) openat$mixer(0xffffffffffffff9c, &(0x7f0000000240)='/dev/mixer\x00', 0x1000000400000, 0x0) [ 3329.071889][T26039] kvm: apic: phys broadcast and lowest prio [ 3329.128416][T26047] input: syz0 as /devices/virtual/input/input1070 04:41:10 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x2, 0x0) getsockopt$inet6_tcp_buf(r1, 0x6, 0x3b, &(0x7f0000000080)=""/236, &(0x7f0000000180)=0xec) 04:41:10 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x15, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3329.183397][T26046] binder: 26044:26046 Release 1 refcount change on invalid ref 1 ret -22 [ 3329.325455][T26155] input:  as /devices/virtual/input/input1071 [ 3329.371007][T26158] input:  as /devices/virtual/input/input1072 [ 3329.377310][T26158] input: failed to attach handler leds to device input1072, error: -6 04:41:10 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) setsockopt$IP_VS_SO_SET_STARTDAEMON(r3, 0x0, 0x48b, &(0x7f0000000000)={0x1, 'vxcan1\x00', 0x1}, 0x18) 04:41:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4800]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:10 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:10 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x16, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:10 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$EXT4_IOC_MIGRATE(r0, 0x6609) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) sendfile(r0, r0, &(0x7f0000000000), 0x40) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3329.708914][T26180] binder: 26172:26180 got transaction with invalid offset (0, min 0 max 0) or object. [ 3329.730409][T26175] input:  as /devices/virtual/input/input1074 [ 3329.741954][T26180] binder: 26172:26180 transaction failed 29201/-22, size 0-8 line 3241 [ 3329.750106][T26178] kvm: apic: phys broadcast and lowest prio [ 3329.823292][T26232] input:  as /devices/virtual/input/input1075 04:41:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4c00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:11 executing program 2: r0 = syz_open_dev$sndpcmp(&(0x7f0000000040)='/dev/snd/pcmC#D#p\x00', 0x6, 0x8000) ioctl$KVM_S390_INTERRUPT_CPU(r0, 0x4010ae94, &(0x7f00000000c0)={0xc43, 0x5f, 0x3}) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) 04:41:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x17, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:11 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x480, 0x0) ioctl$TIOCGLCKTRMIOS(r1, 0x5456, &(0x7f0000000080)={0x4e, 0x65, 0x9, 0x1, 0xd, 0x1, 0xfffffffffffffe01, 0x1f, 0x6911, 0x0, 0x1, 0x20}) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3330.000068][T26365] input: syz0 as /devices/virtual/input/input1076 [ 3330.036960][T26359] kvm: apic: phys broadcast and lowest prio 04:41:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3330.121558][T11475] binder: undelivered TRANSACTION_ERROR: 29201 04:41:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3330.196486][T26499] input:  as /devices/virtual/input/input1077 [ 3330.265485][T26515] binder: 26502:26515 got transaction with invalid offset (0, min 0 max 0) or object. [ 3330.278183][T26514] kvm: apic: phys broadcast and lowest prio [ 3330.287368][T26516] input:  as /devices/virtual/input/input1078 [ 3330.324413][T26516] input: failed to attach handler leds to device input1078, error: -6 [ 3330.344565][T26515] binder: 26502:26515 transaction failed 29201/-22, size 0-8 line 3241 04:41:11 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in={0x2, 0x4e20, @empty}], 0xa) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:11 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000002c0)={{0x4, 0x0, 0x2, 0x1000}, 'syz0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x7f\x18\x00', 0x50}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0x6) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = accept$inet(0xffffffffffffffff, 0x0, &(0x7f0000000140)) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffff9c, 0x84, 0x1f, &(0x7f0000000180)={0x0, @in6={{0xa, 0x4e21, 0x2, @dev={0xfe, 0x80, [], 0x27}, 0x3}}, 0x10000, 0x3}, &(0x7f0000000240)=0x90) setsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f0000000280)=@assoc_value={r2, 0x1000}, 0x8) 04:41:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6800]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x18, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:11 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000100)='/dev/null\x00', 0x202100, 0x0) ioctl$VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000140)={0x7c, 0x7, 0x4}) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x44000, 0x0) r3 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor\x00', 0x400002, 0x0) ioctl$sock_bt_cmtp_CMTPCONNADD(r2, 0x400443c8, &(0x7f00000000c0)={r3, 0x5}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3330.546554][T14003] binder: undelivered TRANSACTION_ERROR: 29201 [ 3330.634955][T26632] kvm: apic: phys broadcast and lowest prio [ 3330.647157][T26636] input:  as /devices/virtual/input/input1079 [ 3330.658291][T26638] binder: 26635:26638 got transaction with invalid offset (0, min 0 max 0) or object. [ 3330.683399][T26630] input: syz0 as /devices/virtual/input/input1080 [ 3330.720007][T26638] binder: 26635:26638 transaction failed 29201/-22, size 0-8 line 3241 [ 3330.751433][T26636] input:  as /devices/virtual/input/input1081 04:41:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6c00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:12 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x20400, 0x0) ioctl$TIOCLINUX3(r1, 0x541c, &(0x7f0000000080)) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:12 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = socket$inet_sctp(0x2, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000100)=@sack_info={0x0, 0x1f, 0x6}, &(0x7f0000000140)=0xc) getsockopt$inet_sctp_SCTP_ASSOCINFO(r1, 0x84, 0x1, &(0x7f0000000180)={r2, 0x1f, 0x81, 0x4, 0xffb}, &(0x7f0000000240)=0x14) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r3 = dup3(r0, r0, 0x80000) r4 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-control\x00', 0x220200, 0x0) bpf$BPF_PROG_ATTACH(0x8, &(0x7f00000000c0)={r3, r4, 0xf, 0x2}, 0x10) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3330.983831][T11475] binder: undelivered TRANSACTION_ERROR: 29201 [ 3331.002548][T26849] kvm: apic: phys broadcast and lowest prio 04:41:12 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x19, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3331.083634][T26859] input: syz0 as /devices/virtual/input/input1082 [ 3331.100540][T26858] binder: 26857:26858 got transaction with invalid offset (0, min 0 max 0) or object. [ 3331.118777][T26862] input:  as /devices/virtual/input/input1083 [ 3331.188969][T26906] input:  as /devices/virtual/input/input1084 [ 3331.197134][T26858] binder: 26857:26858 transaction failed 29201/-22, size 0-8 line 3241 04:41:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7400]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3331.328560][T27001] kvm: apic: phys broadcast and lowest prio [ 3331.459220][T11475] binder: undelivered TRANSACTION_ERROR: 29201 04:41:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7a00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:12 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0xfffffffffffffffe, 0x0) r1 = open(&(0x7f0000000000)='./file0\x00', 0x561081, 0x0) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffffff, 0x84, 0x18, &(0x7f00000000c0)={0x0, 0x1}, &(0x7f0000000140)=0x8) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f0000000180)={r2, 0x5, 0x30}, 0xc) r3 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x7b4481e009ccefc1, 0x0) ioctl$PIO_FONTRESET(r3, 0x4b6d, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:12 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) r2 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x20000, 0x0) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r3, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r3, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r3, 0x0, 0x0, 0x0) setsockopt$RDS_GET_MR_FOR_DEST(r5, 0x114, 0x7, &(0x7f00000000c0)={@pppol2tp={0x18, 0x1, {0x0, r5, {0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1c}}, 0x1, 0x2, 0x1}}, {&(0x7f0000000040)=""/31, 0x1f}, &(0x7f0000000080), 0x10}, 0xa0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r6 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) ioctl$sock_kcm_SIOCKCMUNATTACH(r6, 0x89e1, &(0x7f0000000180)={r1}) 04:41:12 executing program 4: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffff9c}) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r0, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x100}, 0xffffffffffffff48, &(0x7f0000000240)={&(0x7f0000000140)={0x50, r1, 0x202, 0x70bd27, 0x25dfdbfb, {}, [@TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3f}]}, @TIPC_NLA_BEARER={0x20, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x22ab}]}]}]}, 0x50}}, 0x44) r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000340)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r2, 0x405c5503, &(0x7f0000000040)={0x1, 0x0, 0x2, 0x0, 0x4}) ioctl$UI_SET_LEDBIT(r2, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r2, 0x5501, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0xfffffffffffffffc, 0x0) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) fcntl$setpipe(r2, 0x407, 0xfffffffffffffff8) ioctl$KVM_SIGNAL_MSI(r3, 0x4020aea5, &(0x7f0000000300)={0xf000, 0x3000, 0x9, 0x70, 0x4}) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/snapshot\x00', 0x100, 0x0) 04:41:12 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x1e, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3331.608854][T27090] input: syz0 as /devices/virtual/input/input1085 [ 3331.618072][T27087] binder: 27085:27087 got transaction with invalid offset (0, min 0 max 0) or object. [ 3331.658223][T27096] input:  as /devices/virtual/input/input1086 [ 3331.735121][T27087] binder: 27085:27087 transaction failed 29201/-22, size 0-8 line 3241 04:41:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xff00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:13 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:13 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) vmsplice(r1, &(0x7f00000000c0)=[{&(0x7f0000000040)="9f3d2276871685908f5fa5a7a132ea25dba6e14817ee2895e308b2ab3bad59ad40b245335828eb232a28ad176c011094f4d0f2c48a12f60862", 0x39}], 0x1, 0x4) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2\x00', 0x0, 0x0) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000180)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_PRI(r2, &(0x7f0000000300)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000240)={0x68, r3, 0xa01, 0x70bd26, 0x25dfdbfd, {{}, 0x0, 0x4108, 0x0, {0x4c, 0x18, {0x3519, @link='broadcast-link\x00'}}}, ["", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x10}, 0x20000000) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3331.936985][T27297] kvm: apic: phys broadcast and lowest prio [ 3331.954235][T27313] input:  as /devices/virtual/input/input1088 04:41:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000200), &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:13 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x21, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3332.014088][T27318] input: syz0 as /devices/virtual/input/input1089 [ 3332.024602][T14003] binder: undelivered TRANSACTION_ERROR: 29201 [ 3332.045937][T27320] input:  as /devices/virtual/input/input1090 04:41:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x40000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3332.216929][T27378] binder: 27365:27378 got transaction with invalid offset (0, min 0 max 0) or object. [ 3332.225483][T27399] kvm: apic: phys broadcast and lowest prio [ 3332.230649][T27378] binder: 27365:27378 transaction failed 29201/-22, size 0-8 line 3241 [ 3332.251918][T27378] binder: 27365:27378 Release 1 refcount change on invalid ref 1 ret -22 04:41:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3332.267154][T11475] binder: undelivered TRANSACTION_ERROR: 29201 04:41:13 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x15) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) r1 = semget(0x2, 0x0, 0x204) semctl$IPC_INFO(r1, 0x4, 0x3, &(0x7f0000000080)=""/8) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:13 executing program 2: ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f00000001c0)={{0x5, 0xfffffffffffffffe, 0x0, 0x8}, 'syz0\x00', 0x17}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(0xffffffffffffffff, 0x5502) r0 = syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0xfffffffffffff918, 0x640) ioctl$VIDIOC_S_DV_TIMINGS(r0, 0xc0845657, &(0x7f0000000080)={0x0, @bt={0x21, 0xf2, 0x1, 0x1, 0x100000000, 0x10000, 0x0, 0xbb, 0x0, 0x5, 0x704, 0x1901, 0x240, 0x4, 0x1e, 0x2}}) [ 3332.363799][T27435] binder: 27434:27435 got transaction with invalid offset (0, min 0 max 24) or object. [ 3332.389494][T27435] binder: 27434:27435 transaction failed 29201/-22, size 24-8 line 3241 [ 3332.456765][T27435] binder: 27434:27435 Release 1 refcount change on invalid ref 1 ret -22 [ 3332.476773][T27445] input input1092: cannot allocate more than FF_MAX_EFFECTS effects 04:41:13 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_NODELAY(r0, 0x84, 0x3, &(0x7f0000000040), &(0x7f0000000080)=0x4) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x80ffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:13 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x22, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3332.520959][T11475] binder: undelivered TRANSACTION_ERROR: 29201 04:41:13 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x12) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3332.627961][T27542] kvm: apic: phys broadcast and lowest prio 04:41:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:13 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = dup3(r1, r1, 0x80000) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(0xffffffffffffff9c, 0x84, 0x22, &(0x7f0000000040)={0x9, 0x8207, 0x80000001, 0xccf, 0x0}, &(0x7f00000000c0)=0x10) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000000100)=@sack_info={r3, 0x8, 0x9}, &(0x7f0000000140)=0xc) [ 3332.741134][T27561] input:  as /devices/virtual/input/input1093 [ 3332.779392][T27563] binder: 27562:27563 got transaction with invalid offset (0, min 0 max 24) or object. 04:41:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x1000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3332.793884][T27567] input: syz0 as /devices/virtual/input/input1094 [ 3332.808078][T27570] input:  as /devices/virtual/input/input1095 [ 3332.877530][T27563] binder: 27562:27563 transaction failed 29201/-22, size 24-8 line 3241 [ 3332.943867][T27654] kvm: apic: phys broadcast and lowest prio 04:41:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x2000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x23, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:14 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='memory.stat\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f0000000340)=@sack_info={0x0, 0x3, 0xcf9e}, &(0x7f0000000380)=0xc) getsockopt$inet_sctp_SCTP_ASSOCINFO(0xffffffffffffff9c, 0x84, 0x1, &(0x7f0000000140)={r1, 0x1ff, 0x80000000, 0x0, 0x3, 0x800}, &(0x7f0000000180)=0x14) r3 = semget$private(0x0, 0x4, 0x0) semtimedop(r3, &(0x7f00000003c0)=[{0x4, 0x2, 0x1000}, {0x3, 0x5, 0x800}, {0x3, 0x0, 0x1000}, {0x2, 0xffff, 0x800}, {0x4, 0x401, 0x800}, {0x4, 0xfffffffffffffffc, 0x1000}, {0x3, 0x7, 0x1000}, {0x3, 0x100, 0x1800}, {0x1, 0x7, 0x800}, {0x0, 0x8, 0x1000}], 0xa, &(0x7f0000000400)={0x77359400}) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f0000000240)=@assoc_value={r2, 0xc297}, &(0x7f0000000280)=0x8) r4 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r4, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r5 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x105401, 0x0) ioctl$KDGKBTYPE(r5, 0x4b33, &(0x7f00000000c0)) ioctl$BLKPBSZGET(r0, 0x127b, &(0x7f0000000300)) ioctl$UI_DEV_SETUP(r4, 0x5501, 0x0) read(r4, &(0x7f0000000040), 0x0) ioctl$SG_GET_LOW_DMA(r0, 0x227a, &(0x7f00000002c0)) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r4, 0x5502) 04:41:14 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) r1 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x3044, 0x6c2359da09931360) write$RDMA_USER_CM_CMD_JOIN_MCAST(0xffffffffffffff9c, &(0x7f0000000100)={0x16, 0x98, 0xfa00, {&(0x7f00000000c0)={0xffffffffffffffff}, 0x3, 0xffffffffffffffff, 0x10, 0x0, @in6={0xa, 0x4e24, 0x5, @dev={0xfe, 0x80, [], 0x1d}}}}, 0xa0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r1, &(0x7f00000001c0)={0x11, 0x10, 0xfa00, {&(0x7f0000000080), r2}}, 0x18) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000240)='./cgroup/syz0\x00', 0x200002, 0x0) [ 3333.175476][T27785] input: syz0 as /devices/virtual/input/input1096 [ 3333.214227][T27787] kvm: apic: phys broadcast and lowest prio 04:41:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3333.221627][T15669] binder: undelivered TRANSACTION_ERROR: 29201 [ 3333.318882][T27841] binder: 27836:27841 got transaction with invalid offset (0, min 0 max 24) or object. [ 3333.331118][T27841] binder: 27836:27841 transaction failed 29201/-22, size 24-8 line 3241 [ 3333.340664][T27814] input:  as /devices/virtual/input/input1097 [ 3333.409392][T27814] input:  as /devices/virtual/input/input1098 04:41:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x24, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x3000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:14 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:14 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r0, 0x2405, r0) syz_open_dev$dspn(0x0, 0x0, 0x200002) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3333.603183][T27997] input: syz0 as /devices/virtual/input/input1099 [ 3333.638008][T27996] kvm: apic: phys broadcast and lowest prio 04:41:14 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = add_key(&(0x7f0000000000)='.request_key_auth\x00', &(0x7f0000000080)={'syz', 0x1}, &(0x7f00000000c0)="c07c010aebf23a9c16e6beb5270b8fa85d803e7697b70ebe749b0b3a72f6116a58600f166256b28f9ffd0f8ee26ae0fb269aadf6d8e79ea25e88a0a554df58b6ad68fc1a1845adcb3e959d91ba7149078a227605f1dfec5ceed516f306a493ab9bce718857a560b44c66cee5a3abe1973f97462e586a06003306d09b7102305c707bcac4a73e9c41a2a321f3ccc9ee85086420963f8c200e0025b8199f54e0477246ce50dd48e64523eb5bfedbb4d5c506", 0xb1, 0xfffffffffffffffc) keyctl$assume_authority(0x10, r1) 04:41:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3333.757926][T11475] binder: undelivered TRANSACTION_ERROR: 29201 [ 3333.799326][T28103] input:  as /devices/virtual/input/input1100 [ 3333.867161][T28126] input:  as /devices/virtual/input/input1101 [ 3333.887163][T28128] binder: 28127:28128 Release 1 refcount change on invalid ref 1 ret -22 04:41:15 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x64, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:15 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{0x0, 0x0, 0xfffffffffffffffa, 0x4001}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$SG_GET_PACK_ID(r0, 0x227c, &(0x7f0000000040)) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3333.934969][T28132] kvm: apic: phys broadcast and lowest prio [ 3333.952154][T11475] binder: release 28127:28128 transaction 96 out, still active [ 3333.982043][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x5000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3334.039745][T28140] input: syz0 as /devices/virtual/input/input1102 [ 3334.046998][T15669] binder: send failed reply for transaction 96, target dead 04:41:15 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) write$P9_RAUTH(r1, &(0x7f0000000000)={0x14, 0x67, 0x1, {0x14, 0x4}}, 0x14) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2000000000012) ioctl$UI_SET_KEYBIT(r0, 0x40045565, 0x55) ioctl$UI_SET_EVBIT(r1, 0x40045564, 0xd) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$VHOST_SET_VRING_ERR(r1, 0x4008af22, &(0x7f0000000080)={0x2, r1}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$DRM_IOCTL_MODE_GETCRTC(r1, 0xc06864a1, &(0x7f0000000100)={&(0x7f00000000c0)=[0x5, 0x7f, 0x7b, 0x2], 0x4, 0x800, 0x1f, 0x2, 0xfff, 0xfffffffffffffffc, {0x530e3120, 0x3, 0x4, 0x6, 0xc748, 0x4, 0xffffffff00000000, 0x3, 0x2000000, 0x6, 0x5, 0x7, 0xab7b, 0x80, "a7979e32e9cbc7831126859553c3e1b2c1f995e574f2e9076e3f09236b19ea66"}}) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000240)={0x0, @in6={{0xa, 0x4e23, 0x9, @mcast1, 0xfffffffffffffffb}}, 0x1, 0x3, 0x9, 0x8, 0x10}, &(0x7f0000000180)=0x98) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f00000001c0)={r2, 0x2, 0x10}, &(0x7f0000000300)=0xc) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3334.157167][T28153] binder: 28148:28153 Release 1 refcount change on invalid ref 1 ret -22 [ 3334.251275][T28252] input:  as /devices/virtual/input/input1103 [ 3334.268042][T11475] binder: release 28148:28153 transaction 98 out, still active 04:41:15 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x65, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:15 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x80c2) getsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f00000000c0)={0x0, 0x81}, &(0x7f0000000100)=0x8) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r1, 0x84, 0x6c, &(0x7f0000000140)={r2}, &(0x7f0000000180)=0x8) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) splice(r1, &(0x7f0000000240)=0x2, r0, &(0x7f0000000280), 0xc154, 0xe) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3334.304140][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3334.348524][T28255] input:  as /devices/virtual/input/input1104 [ 3334.355915][T11475] binder: send failed reply for transaction 98, target dead [ 3334.387099][T28262] input: syz0 as /devices/virtual/input/input1105 [ 3334.458620][T28266] binder: 28265:28266 Release 1 refcount change on invalid ref 1 ret -22 04:41:15 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x80002, 0x0) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x4000, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) ioctl$LOOP_GET_STATUS64(r0, 0x4c05, &(0x7f0000000080)) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:15 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) fremovexattr(r0, &(0x7f0000000000)=@known='com.apple.system.Security\x00') r1 = accept4(0xffffffffffffff9c, &(0x7f0000000100)=@in6={0xa, 0x0, 0x0, @empty}, &(0x7f0000000080)=0x80, 0x80000) setsockopt$IP_VS_SO_SET_ZERO(r1, 0x0, 0x48f, &(0x7f0000000180)={0x0, @dev={0xac, 0x14, 0x14, 0x26}, 0x4e20, 0x2, 'rr\x00', 0x20, 0xffff, 0x34}, 0x2c) [ 3334.517917][T11475] binder: release 28265:28266 transaction 100 out, still active [ 3334.543189][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3334.603792][T11475] binder: send failed reply for transaction 100, target dead 04:41:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3334.662212][T28349] kvm: apic: phys broadcast and lowest prio [ 3334.678432][T28376] input:  as /devices/virtual/input/input1106 [ 3334.737180][T28382] input:  as /devices/virtual/input/input1107 04:41:16 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) pipe(&(0x7f0000000040)={0xffffffffffffffff}) getsockopt$ARPT_SO_GET_INFO(r2, 0x0, 0x60, &(0x7f00000000c0)={'filter\x00'}, &(0x7f0000000140)=0x44) flock(r1, 0x8) ioctl$UI_SET_PROPBIT(r0, 0x4004556e, 0x5) [ 3334.784175][T28386] binder: 28384:28386 Release 1 refcount change on invalid ref 1 ret -22 04:41:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:16 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x6b, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3334.847602][T11475] binder: release 28384:28386 transaction 102 out, still active [ 3334.873370][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3334.928691][T11475] binder: send failed reply for transaction 102, target dead [ 3334.956603][T28395] input: syz0 as /devices/virtual/input/input1108 [ 3334.976474][T28396] kvm: apic: phys broadcast and lowest prio 04:41:16 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xf) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3335.062152][T28432] binder: 28413:28432 Release 1 refcount change on invalid ref 1 ret -22 [ 3335.092099][T15669] binder: release 28413:28432 transaction 104 out, still active 04:41:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x20000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3335.118374][T15669] binder: undelivered TRANSACTION_COMPLETE 04:41:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3335.182331][T15669] binder: send failed reply for transaction 104, target dead [ 3335.222251][T28512] binder: 28507:28512 Release 1 refcount change on invalid ref 1 ret -22 04:41:16 executing program 2: mount(&(0x7f0000000140)=@loop={'/dev/loop', 0x0}, &(0x7f0000000180)='./file0\x00', &(0x7f0000000240)='hfsplus\x00', 0x801000, &(0x7f0000000280)='eth1bdevsystem][\x00') r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x0, 0x0) inotify_add_watch(r1, &(0x7f00000000c0)='./file0\x00', 0x100) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$SIOCGIFMTU(r1, 0x8921, &(0x7f0000000100)) ioctl$UI_DEV_CREATE(r1, 0x5501) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3335.242182][T28509] input:  as /devices/virtual/input/input1109 [ 3335.270672][T28511] kvm: apic: phys broadcast and lowest prio [ 3335.287629][T28509] input: failed to attach handler leds to device input1109, error: -6 [ 3335.299343][T15669] binder: release 28507:28512 transaction 106 out, still active [ 3335.309698][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3335.346972][T28518] input: syz0 as /devices/virtual/input/input1110 [ 3335.407500][T28520] input:  as /devices/virtual/input/input1111 04:41:16 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x9, 0x200100) ioctl$sock_inet_tcp_SIOCOUTQNSD(r0, 0x894b, &(0x7f0000000100)) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f0000000140)={0x0, 0x0, r0}) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f0000000180)={r2, 0x80000, r0}) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r1, 0x0, 0x0, 0x0) setxattr$trusted_overlay_redirect(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.redirect\x00', &(0x7f0000000080)='./file0\x00', 0x8, 0x1) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:16 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x6e, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x48000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3335.449601][T15669] binder: send failed reply for transaction 106, target dead [ 3335.481065][T28520] input: failed to attach handler leds to device input1111, error: -6 [ 3335.545811][T15669] binder: release 28594:28595 transaction 108 out, still active [ 3335.580506][T15669] binder: unexpected work type, 4, not freed 04:41:16 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3335.600882][T15669] binder: undelivered TRANSACTION_COMPLETE 04:41:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4c000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3335.683440][T15669] binder: send failed reply for transaction 108, target dead [ 3335.704352][T28639] input:  as /devices/virtual/input/input1112 04:41:17 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x2, 0x0) getsockopt$bt_BT_RCVMTU(r1, 0x112, 0xd, &(0x7f0000000180)=0x3ff, &(0x7f0000000240)=0x2) ioctl$SNDRV_TIMER_IOCTL_START(r1, 0x54a0) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000140)={{&(0x7f0000001000/0x1000)=nil, 0x1000}}) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000000c0)={{0x0, 0x6, 0x1, 0xfff000000000000}, 'syz1\x00', 0x12}) [ 3335.782664][T15669] binder: release 28642:28644 transaction 112 out, still active [ 3335.797121][T28649] input:  as /devices/virtual/input/input1113 [ 3335.832914][T28649] input: failed to attach handler leds to device input1113, error: -6 [ 3335.848269][T15669] binder: unexpected work type, 4, not freed [ 3335.856613][T28646] kvm: apic: phys broadcast and lowest prio [ 3335.874050][T15669] binder: undelivered TRANSACTION_COMPLETE 04:41:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3335.890996][T15669] binder: send failed reply for transaction 112, target dead 04:41:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x71, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:17 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) clock_nanosleep(0x3, 0x1, &(0x7f0000000040)={0x0, 0x1c9c380}, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) 04:41:17 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x60000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3336.031253][T15669] binder: release 28757:28759 transaction 116 out, still active [ 3336.051859][T15669] binder: unexpected work type, 4, not freed [ 3336.088142][T28764] input: syz0 as /devices/virtual/input/input1114 [ 3336.110482][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3336.148794][T15669] binder: send failed reply for transaction 116, target dead [ 3336.150188][T28768] kvm: apic: phys broadcast and lowest prio 04:41:17 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x6, 0x40000000200003) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:17 executing program 4: mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) mq_getsetattr(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x3}, 0x0) r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vga_arbiter\x00', 0x400200, 0x0) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0)='TIPCv2\x00') sendmsg$TIPC_NL_PUBL_GET(r1, &(0x7f0000000640)={&(0x7f0000000280), 0xc, &(0x7f0000000300)={&(0x7f0000000480)={0x1c0, r2, 0x4, 0x70bd26, 0x25dfdbfe, {}, [@TIPC_NLA_LINK={0x84, 0x4, [@TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x100}]}, @TIPC_NLA_LINK_PROP={0x3c, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x14}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x100}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xa000000000000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffffffffffff8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x11}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}]}, @TIPC_NLA_MEDIA={0xd8, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0xc, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100000000}]}, @TIPC_NLA_MEDIA_PROP={0x34, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x10001}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x4}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x2}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x3c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}, @TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xf5f4}]}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3ff}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}]}, @TIPC_NLA_NET={0x2c, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x1}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x8000}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x3}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x5}]}, @TIPC_NLA_NET={0x24, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x200}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x200}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x20}]}]}, 0x1c0}, 0x1, 0x0, 0x0, 0x10}, 0x20004000) r3 = syz_open_dev$sndseq(&(0x7f0000000000)='/dev/snd/seq\x00', 0x0, 0x400000) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r3, 0x40bc5311, &(0x7f0000000080)={0x0, 0x0, 'client1\x00', 0x6, "b608198aa62b934f", "1e4dfe1446ca4ee186d7734961d0ac5f5c4779f5d77613132e1f1022d0126798", 0x4, 0x1}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r4 = syz_open_dev$vbi(&(0x7f0000000140)='/dev/vbi#\x00', 0x3, 0x2) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000180)={0x0, 0x6, 0x9, 0x9}, &(0x7f00000001c0)=0x10) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r4, 0x84, 0x70, &(0x7f0000000380)={r5, @in6={{0xa, 0x4e23, 0xffff, @remote, 0x1}}, [0x4, 0x1ff, 0x10001, 0x0, 0x7, 0x66c12230, 0x0, 0x20, 0x4, 0x800, 0x1ff, 0x1, 0x3, 0x1, 0x4]}, &(0x7f0000000340)=0x100) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:17 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x1, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = syz_open_dev$vcsa(&(0x7f0000000040)='/dev/vcsa#\x00', 0x6, 0x200000) setsockopt$inet_mreqsrc(r1, 0x0, 0x25, &(0x7f00000000c0)={@empty, @dev={0xac, 0x14, 0x14, 0x24}, @loopback}, 0xc) ioctl$sock_FIOGETOWN(r1, 0x8903, &(0x7f0000000180)=0x0) write$USERIO_CMD_SET_PORT_TYPE(r1, &(0x7f0000000240)={0x1, 0x7}, 0x2) perf_event_open(&(0x7f0000000100)={0x7, 0x70, 0x0, 0x8000, 0x40, 0x3, 0x0, 0x0, 0x24820, 0x1, 0x588d, 0x4, 0x800, 0x2, 0xbb, 0x1ff, 0x4, 0x5, 0x2, 0x9, 0x7fffffff, 0x7, 0x100000000, 0xfff, 0xe96d, 0x2, 0x4c, 0x401, 0x378cc000, 0x95, 0xbe5, 0x500000000000, 0x6, 0x80000000, 0x1, 0xffffffffffffff00, 0x401, 0x1, 0x0, 0x3, 0x0, @perf_config_ext={0xffffffffffffffbf, 0x5}, 0x800, 0x7ff, 0x0, 0x6c787260e7b930d9, 0xfffffffffffffffc, 0x20, 0x1}, r2, 0x1, r1, 0x2) 04:41:17 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x68000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 04:41:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x72, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3336.564090][T28886] binder: 28877:28886 ioctl c0306201 0 returned -14 [ 3336.571926][T28884] input: syz0 as /devices/virtual/input/input1115 [ 3336.625312][T11475] binder: release 28877:28886 transaction 120 out, still active [ 3336.639303][T11475] binder: unexpected work type, 4, not freed 04:41:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) [ 3336.684694][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3336.698237][T11475] binder: send failed reply for transaction 120, target dead 04:41:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6c000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3336.749438][T28978] binder: 28950:28978 ioctl c0306201 0 returned -14 [ 3336.764365][T11475] binder: unexpected work type, 4, not freed 04:41:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) 04:41:18 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) r1 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x2, 0x1c0) ioctl$KVM_SET_NESTED_STATE(r1, 0x4080aebf, &(0x7f0000000240)={0x2, 0x0, 0x2080, {0x3000, 0xd000, 0x3}, [], "9426711c0044fece4eea753ff30f0be0836367630d39ec3419db4b6e097866933420963727ffd25313b90adb5e6a00945a050630dad5d2b8c385ecf8cec35fde7a38c5f5cea2cffa9a029be8a47ce42bed5e3600a98d7abc120d23ec67533e4d8cdf99e4bbe7cab4216c65052346893dbf343cd39dca4d69c92c6747f6b4a3306bca6e6c060b327a62a747c9ca3e37b96962840b4da12fcc8c77d56537e8d503df0b489846dabdedaf281755fbafefc6f0f86e6148368bce4b26d370ea69147a171abe5d8f2b7ca1fe7858cce395f9832175a1716f57b5371b40b23890ff825a2457ee0e6fc7d0052ac0019781b3ab7876729c56534d3b98af7bb0323b2748c515c0c902a6e2585399833e5d746b147007e1da8e93e3427f5d704112ac6e63099b417d3fff872341f957c93db81b2efc76cec07f7120082ccdbd3faba1fe7af9fb8efb7f8985f577b9994f1b334a2cf201947747d54ff2a5290fa7c96dad8cfe307fbf1090962d60300a028923db783c13b1a0019035f7cc26b352e411b9b491722e0224eb21808d39ad03576775f54f367aaea7dac51a9657054bd7000a839a514a0cecb9b85d959701cfb4b885d151484b0ef382da0a6e1e9470a7f9d5c6368d63e2104735033d38f41cb8f85a8eb7066fbc66a758318b2a573576c98c999a50d3af169f2732ed48d8464531ac928f45f71af2bdcfa105221dfe7ee4ad390570571a0a10a0cea425d49225693fe747ec6d17308976aecb51a52356e3b20c982d0c3c0b6756fe7168d24988a08a85b4d5deaa1bdace9f7d33e83c48896b73b45388f7dfb2d67c1d2ae93ef0c56290729f07a529421df03bd24e252164f96cc11972b1778bd31d41909e4f9bd8788e106297e2cc497dca463b7b790c02896eac5caae9c70163880a85308eb14e114e0f97795fdcfabed9441326a6d11ac7546f87fb707c4aaac0b598f3eeef53e53570f9884ab579347470a3baed3708f6d25e30e230cadb4c8f2bdb849994ed8313856ac9367fdb959fcd699f3c136d9b8af98174dbc372d9d39432722000b4014602fdd5defcb8cef4be651e3e7e2e07af719b8d8f61cc7abc512d3973f92dd4732afedeb862419c6e19caf8447d8f7ebaff61aacaa65c0517ad44a97206ebdc352e0ece7dac631d8d19b11b0ad98722e5a90cc3ed1ae2aad3ca3e3580bdfc35e4e927f0df4b2ced6f2b98da1b79170d27a53369094b0b9a7089bf11ac9a8d786974a2f301455bce537bb2d1b0fb093c812952dfd6e2546dbfc49e05b931283086e57a1c295ae8098f55c7c5db30afc90b499d92f9e961f03593de6242d91c46ba5504ff4346cb3c50e9c53fbc5b9cdfe465efb898db4ba694a57ba64410128032e610d0e3c0ffd218b5de2d68ab4da21486b46dee21a05b22d97a6df6a38862ebc0742f1bb6888d702a9a7d49210b389c984c09c298b416648bbf34d3f6030058f8bca981123bd7e9dbe59ee16ccff40a018de1ef009845d9a60ee7b13dd71d35c06e1e1071ff8d90420479203c9384778601bde41cd3960bd6f2f8613c851ab22aa027b5aae984b0f6e73db3656a363b544141fbefecfa9294ff2b0085b9ff5514134a9a93c1ba66c12fe2688f4c9a119780dfff699b593fbc4dfb5a51858ef15607fcfbb1b0f4ebf3acda4d439d9be4d96d72fcdc316427ba3f05b5a193403caa5043bb3b07522c08e20484a6d28808d3c8b577ce19e97ee08814db94d32af046fdd285e25816ecd021f5b2469a812c8f90fa98e42488dc9ee56ddfb7bc9bb1ab001349e9df7a9f3500213f116bdcd273bce5ac65604842081d886d9c0640a9952096bf3bcc29860846ad6cdbedd55e88daec745c5fca02c45f7f32cfefe37975cbc460ca95381242464afa1ed96117b6344ae1834bd221c2b4247ad53dd987745ce0b99cebc85470f430768f43358b4db830888225a6d6de305a36e139de603933f9a43c8b5b145c8c44a88f0373ffb6beddf0f698d967aa6ba1e9546c82c91f66fe8b62872973f1d757d5e1736a38fd1af517de5b84be29282d98497882850bc94dbe28caa190bf955b7fcdafbbe570145a8fc7d678dceb1a8e9e111f3cfcabc6c9fbd29d6d6430b2390fe4d155544225d3b4d95018da8bd5da26db772066a7abba5481eeb4dea363c19e8e81c8e54f3ef9fdabd9150e7d9743fa5b582532d672002b77a2b1320848dae3097ceaa6994eb8720be261ce01af8abd7f5b20bc6f59bead742e787fe1f2c82a7f7104692de2bae60126b7128db03dee8381c4228ce650006910bcfcbb40fe45850dda71d37e1e786eb2505314a5c72779909b2d48f73a43c3590e81bc7c11c706d544e0ed1a22fa3d81640222433e827fad38336ed5cf4ff084281b6b248bdd7dd9e408cbdd4b1a5ff892ff66e938935bfb2595d924d09f00620c7aa566dc92037fb3d6c64dc43cab235c358feb95e038cc04cff8baaeed51823c390bce821eebac31d47d8ac533972cdc29b12c0c8a9573c2ab5c3f208564cd3b0b8765231ec4765bf9d419a79786e6156e1da9196232cebe733692f93504fe061ef0811beacde460f8fa8ce9ce45612192bb1c236fb7346c30a36bd39bcb21cf31eff662d1570088af4d69f2a3d2fc0b17654ed17fe71b23b069412ca3c67cc6ed13aeef4f595f5337df7192b661b253c41a44ad9b4cc6b670916a3e5a449839589ac211a3154fef2407356b96a38e5cd3e13bafe0b7e94fb9abb27bec907694a7496d3e5c5be1c4ef68b8b6529bc2a6ebd0909f601b57605965ab97e806274d03f4975fc8d69087724e0aac53c4a739eaaa009dbdcbe2e0ed09c0f101c80637b9c2d49325e4abcbbb8ed6aba5862ae9e7a5adb8d68b6d75503a7b1628bac0a0cd000801eefeffacbfc65156fee0e98b6533b4fe6d9646fb67c321d8d0622776d5037828e611edb42e879021c10b7ddaf2387f202d0909e00bbfc487bc6cb2c55244f42c08400c89af56771fadebe3fb5a07ca1d3d4878662f5b07be739186daae7b26ed6001af0072ee633fd77ddc8a448556a94ba77f9229a9df9d0a5913e55b0df427b717366d4fbe4adc493ca5663b08257f90fe350b5e7ec6e3dfc51b0d3dc6a9652f52bc537d9c65987d1347882257875cc1de1f0450d5b9b9206357bf622cced6246ef6c933d78323059a567b62a8bcbed85872bed06a884d70add329f566bcc8a4930fc2ce072cba2e832d095afd005613d21ddf39905d259c29ae46550b308b36af6f75402e859675214dc006b7399c5ce9239585e497f05761ed6331cc0f4601ed4a1dc1b4885e83f4be5d06c0985960b316bdade9367e724348b7e5c0bb9d0bd93ade5e9684f81fe848dc777e517ec17b02b8e5ee76fc847a26ee83c02ae8e2b3a4713a49039f4459a7f4f75894891f2fbf223604e89844d683fa7bc6a141762f07778db693aee36b7aa5a0783164dfec846711bb92e5a76a0bd756326af6d79087e558c77069b5dbd032738c98294d4a756cbcbfc8095ff9d9359cd047d6b5213157e3c2676f1ad3b71cd9a6d96922eb25665b9d15de689ed4af1624ba5fd4284896c606d51ff0fe09a70a31169d808ee3c96d8083194aa417d453c83b5db1f4960c47f246b0c15ed09a16e5aa91a78d0fc8dbebc56d9c9d6f50b49d160173ed7196e38f90eab5fe9bd70e326acd11e4cd372681a689268a2b7820da53bd3e0c7fd14b8495dc049d2d305c93799129784f8b18d9acadb2e08816dd80803f7cc027c17e364575dd6d068c2137be987f28af0b355c22d4016ccf7cf770807b9b0de4edaac726a9a4c1b07533fae6ce4b80101336513d4f1a9631ccea94a439a4eb7534bd88da3fd18a6666de2050a73f4ff7b6416085e3fa3bb67fad997af92afc4ae75a20ffa0863b841dbaf27a927d34b35b01c35f72c82eb81229cece918159587525a5795f1b0e040fb73ba44a5e0a33a6148ce9b4e40c0c476eb49745ef3ce16165d319002c922d392cda24fc3bd1f9e7e100ab6714181d32c7e4bccf009d5643a05e0fcb08f318d1f9705cef5ae5ac41006cdd01988928913ecbfb0e6121a69c3f523cd40c54948675213067905bebb961a9aa3105b3e3833b8d1eaf4198ee8fb99e7022ceffa08fcd161cdd29a056ada615279cd7cad13858317dc085c94670c0bdbaa5c8c0cad53d90cae12eb1ca92d6e04599eded789536ef98f2a8865e6eaabb4a5d386372a84b3b1365b5a6a45a2234855ebaf879e9260909325ae4c1320044ffca3ca230aed742239928e91e81ec42b943760a36ffe35c34f0c185ac4011957243dd43d3598b5b32ad7d06c06930b78b21ca26e55b4221327cdbe5ef8b6e84f59f90b53e7fd406dde48f64a89e202edc78fa06c8c90a73b1da1e6d29dda94970c63acb34f7d8a14edfbb2604b1e0b63d7869dda32ef6b3d03017a27b7248d68ccd00a13132c254687b9d44eb141cc26b87792329e74eb17ee25c266733aba85a6b8fd54ef969e61fc63d5161c97a7f0b0dbf3d50552de4188fca9a373a3c3700dd9b72a2df6ac3fe8fa453016cf26646e130f338eab0904e08edae8216166cbc49361b1dd529b080c16af71176475768fc3dc17a4f28cb7a9026dd68229167a962ccc0849b21e4a1885b09eff78e221800370c1e271e58bdbea60cd7c84813ec5d0526806af9ca2a7f70d199e2924fe58dd90f10bdee2f95d799f23a7df20bf65cac308dc47c92c972ccd39c30ecf468f0da4634ec194e0008e0da4c03be1fce63b47e2382bc84062f0fd1c92aa009bb39f4f3de5ec6a632d038139b29575a1558866dec5b6a9bfe2e3b4b4990fe318b70d90ce99fe75a9957b77ea551e736c2981aa75d55c272aebab4550e493357106e83ad0815de25b61f63939402288a4a1400d80f49c689d3737477dc38a619389866c303e0aa66d160b14bef40bf2f3b5336c47aae0be1f8de63d967e4bfc09dc2fd199e59624860c25a5986cb14b77937fcde50476645a8a3317c8b0e38b804802d9df9ddcc9ea52752a17ab0b449c8e0c002e25bb8e839ec70719faea98eacda4b7dbcb75991bcd305ce3f449edcad1df14bb75bf901944a7d3d4d5db1776ab055251ab3ce85c524568d069d75ebbfa4920af50c2e3ce728f2ff5b39457763456dea7e07def074c7b5bb12dbbf134c997cc84c69b9f954b0d6f87dcce1e27bdf7f6cc92f7d9c17da142ad7b715f4d01c26188cbda6c53e29bc601cc67fc3afbc9ee27168c9734dcc28dd32b893a31d4a39b8a5e0b62d047145684575b86602b3f1a40706fc96baeb15f0e9240e32e7383a98f6c53512e16fa49c5f0c022bb6b5775facc85f8ac35405cb0c138d192c2d984b13073f810e9d14bc23014a20c538744c337e2b7fd4733e68b6c84539959ff2cf7d63a0cb2d497a530e6d16fb2bf9d4f9ec92ec06f0279af287b51a66d8e2f56852e667da5327cb1645879b06d9eadf6b9be0267492bb28e660dec45ada3671d9c03b986f0e202e458495c08eecf6b1b1321364ecfa8e35cac7a44c32d5686cee5578d2096fe5994e9ea52ba5a025a88c863a984ed0eea2117570d7d73f28100c3045c1460ee3adb15bc3ab7de5ab635a04a50ba6cd1f030963dbe64e27643bc2642deccfa25c9ef108d3c14fdd123e18166b87e9fd3d84e1929ccfcdbe8821de0071a1fac5f6365e81e85699a3c1452338dd1fce6a99ed4aed4742c5c3d05cd4b46e3b0d4478a91314406a9d88b0dba061f12cf5a17230a8be4c8c9435c6118495fa08fff249ea1ba05de27ed2fc63f5b028c9722bdf946993ce9c52", "4ea7f874e4e5530102d74776b828d5fc93c2b52ec89cad8052e25a3f143dd6c930b20225cf17c337b3f59996c9db07d46ab68dda3d9660c2a8f639de886eadf8930debfc9ed86bffd4787033f90c21e629a5ae098edd74b3d9923c81d8c2927160e87f3c2d994e2bf06e27e74188944d2abffecb876a6471b34ed1af6a2277b6586633e2f2cfc01e5f42a9534993944fb9c9431e61965817b0cdc8e60ee85adb8a81cf64dc99d43502ad737f4bac3df5ea0d7d0eb8d5d9200e1696dc27b5c9dad1e1dea25ef827f90a116d0bf28261b3cd3d7ee288da6d55dccba8e488e8c2688081171e3166e7da751e76b28e48276a188b9290c3eb073ad43faf8fc9b70c9459bbe53aabe1cf7bf47596f95307c5c06a1706833839ea1f0d156561a2e5c1210f9b02373c65b169a4542d7b044db222fcaede81fa43562bee7b3ad22c68ced651ce5758088611b4d1150c340a8243a6e526f9f1ecc6735d878a93d70bdc018a390f0d885db6a88bf8612e425bc3a2fd0c410ef3cfe8c1348bce3382c178fa6e0e66586ed9a898aaf5480e5f9b61d329e96bcb1fdd81058ae6048fdb29b10083a4329c4d8e4730a7b555f86d873491e661c51a1e35ca3ce5ab72854bbf73bc4a2530cfc41c9b828a7cd1c113c2d31924df77ec85707dfb305de6f7bb3256bd2318fb2a4d85e4785f5daf8df7c19a26da7eec09011c6eebc86c12ed43701769056b892c8d56b92266bbbc9648338bfc30cc37dbb4a544cf1a693bb85cbd24649a75d95314c8b0e3fe334e8002e952c0628201c8f7d8ae965927f0e0c1b0ca5e37b8f6b6de73442d71cc4b5db9a428ccc4867998ca83e71b7a489fb25e836c40924ede9bded640c77635ce004bffe1d9954cee3dd5250a36fb6e52a14280318cd2b00e66dd0b922075292565fc5dc94c64259b4095053a6a41a12f2797cd495a6736d4676af84880da02573789e84b972928523b2a2a02fa0939f2d7d0301aa5f2cee10247b783f52c53d25ac6d454c1e70a24fb562f810c36d94d812c353989718a1259df55309b5b73073a414fc7a677ed5b198ce4ddfc282c26969ce01b75b15b4e51e59af0a4ee76e09139f0ae0d5313e897e56230d9307c5199bdfefc65ce11abd939accc3ed92cd646abde1fd732d7f3bbdbee3506bfc9db3208ebabbb41e49a20f95ebf890c779ea26f09d73576c24b8779c97b7e02b17bdb2770b1bd267f6cb443ab53630ff0df980566482caba95561d318c15fd58b9a2fa330c102e9314e25793bd674db4f9bcda590325489808e90612062be0ef064f791652c9f9d327df3481c16ef3b57ad63321911f0408e30c654306ba60764952e4365ead5d13836db99e0d38ef36a68343294d217b233ddd4d13079b881fb87551c3fcec2d04d6293d5fec82c027fe7ac1c8e096273dc563137605abb815f03e363f24f4a4aa989a9a7d31484b27d24931ed07202d777756d86afd7d54f61fc2b50adacf83284e3adb481e5bb56023e655b9018204445fe314ab7a7fd9cc0239178029c42ef2d014141c06694636f57d3f3a212853a2ded9b3c684a88f61e65e1138773dda000efd8dd32ebe13abe47c40eb26ce18a5d5b2059887a6dcc4ba93b562acae3a284fc692983fbbf93230c9d19f6f12484eaf946fe28d1309ccb305c7e70ef690d80376c04a54ed38a5a4e1d9cba31f02617cb477630379137db090ce79e5aa33e1e290f9d95f8e1dbd664e02e243f8021bf750c01a417cefc460baab56420a4c7c19abbe06350eee1a66083b3e58b32e86c8ef798106909cd32a77f7a66e970994744c02a7fe134bdd9978ccbae8a78729de5b4d4aace1ebea455f5c3387664d1b879bd250aa5042922bbc2ffa56e9402577f3adc358e1c94a3836b9b951a89ab569fdd877b530371a4fa64e03fa813304b478d251ebc8ec08905f3b30f18c4e1887ed2362c0c39ffd6b09ed2c294c6f18997d43b0d0c1b5e8c5805c30b173af3363795cc26c75499a29154197501fcba9640d8575e89ba896f561488c5b132081f0bf3a5bdb2dea83a6e9f6656a6652c5807b0367f2450850635758d4d77576f92cb0ff2ca93478116740f732fcb054c937ffc275ef5ce6d76060811ef2628b170e5ef47d718f21e9714b13be7b8a9255551fbdc42225fdf459ef1e9df8529656560d714afffa5607b95d9988b5629fec90e99f19526e9995307daf2b6845bb0a9787e95a839c18826d98789954f2897ae8d4aed9ec227ffb078d802cd673fe264eb5538a462909c7c50a0faa4f88d660288d73ee136d56274875e57308af2bdbaf5ef603aa36f0ce51d24c42511ef3b57f605820e025c9afb01014b7fbac74ad4364b5521c8621e9df1b495db2b5c80f167814c74246414bd340a56b5b8f12abcd78198bef3ed29e14249b79b4beb60f5ba485cf046a8fc0d1c8227d93447661b31e5e321615e0fcdca4428fa2f02b5cbb325976d375f922a51ca393e136d8a49fda880221e88f2791320fe0313ab13aab7e3181908b5be4ef493222a51c52a5cc255a12b16acba2e633bab1acfab4031acd6074c4037806a887d77f22e954727d8ab2fe97701bffd3435fe3136a61b26b57922ac77350894d18eebaa3a17ea326a6dae3e8da3ce5f342bbd8d004fab705c8365a2ad30c243fbca06e31491d5abc2b2561f16f3aefa01530de2a8fd90a26ec99a2f58611362dbe05d3a8ae2a7b5141b0f28122b7f56be01a6ba13bc1fca0e1281e43d5d06a1088c4ab064d7b220ceeefca07795080e22154affc9e83c724afca0554db3772fd5f558cf5f2c74dec8f1756829467eadacee44bca025d0fdf06df3f03dc0ea68d28d4f3f352238ec607f4c5fc1d102247f6b3f3b3bcd03ca21540709dda8f8488d9ce5b0351bcb1e9e5ca1caf7b0ef2cee5be9c8907d1e310df9d5c57c9bb2f0a3f18823723f3e0c409ea19b94c24df47afbac42f87b28c624ff0a24b8e478c6064624255ae7160015fc513b9f95cd1c460c76a454606d3b2d46b0d09e6ce96d511d0b42b766b50b48713365470eab581d94565d0c135ae344b3487c09af47b5d4f409913e58a608210372d3f1e188ece96576ac632191340002b9d14f11dcf72ec0cf0ef9f5210a1f47b7e474d9d956410230423dcad93bf70dd03275da0a906c7a45d4f286a23261ab3743c45a999453991b6abf9a836be34aff77c5c34280aef86dfe83ebfa0749468ebb525b5ddb1d68687b9cb613a06dadf470c3d68f372fd621f72c658adb4cba13faf706893a924537309c96118666fa4ce772f4be0caf15341d0ff6994f17f11a37238c687d34ccebb826270af131d70cd8fb26ec9fbeb339bfb082c4266fa42228adaa5d8ce6054938d16d92cee32d1659f05ee3c1af6837c76a7ebd2f91ce72c67d599b4da8fd38daeef79761e250bd739cc87934d5948684f2533b338e749dbf7ec9ad7cead3264037597e5b8244b0e908f975597bd510b1c44d54fca2ae4147741d711023eb4ed05ea5667e8e85ea6514371dd42148e545d313759cee4e2ce72623d40ce37a5ceed1822811fbfbda8fa5d8bc7575b0d4a54d674f9786f27211a34419008155b381bba3b50919cb2acb1859fd65686718cd524ed6e28f6a4d6c06cce4b14d79d5eadf69d8d4d8ed0f60ae6e355e30ea15965c1175d977db63762ef0a16afbf3d1d543e0f389bc0ae158f70df53b0a840c21db5e146b717d37cdaafd4b6c0afeee758db44de57b77aeffd0a5f3eb29ccb57f549c8b302a84f70d09e08bd11c9931c74588b0ca286794ee6230493e3e3121aa1a2d03d70083eb5136eabdf32f82d77e001b1a5f33999856a4f78fb3c20ff980274e5a9458d47f507ed616bb66f17a641131898243527fdfb45e8ac22d2e2e063613b0aeefc1ea3273c0903a6877a5f2592ef7ba4f37cb35966ed9a900ed0b9b47778b4a146dcecb702dc5a6daec5d37c7df9c509a40c4c2237f3c47c15164ac76ddadd551d1af9fa5f2b03f6898a956982c8aceef609dc246115c512b924ec770829b397f0f31d4ba480389f84c55d431e07c5824775328397071506368f155c03ee73dcf4bc634b454e912a373ffa8d7efff811966eefba339357a422cf51bda178f99a08e71a5065ae0853061fc51156522f22b776c6901c8ed3ae751b740bddfd8c8bb439eb77acbad7e0b2ae947d2251f35af0c5ce67822897ca669428801c4418a0455c14601028376b80b48caedba1c3dc16e2d70ae6198c6239db9e4e3ce611b50b519fd384fab33bf65081dfdce7493fead3587faecf466cfeffc97469461862eedf64afe44eac37c262d43f4c6d30d8ec556d7c4e687407cea9d21851bdb3efedb8739e094905f331021c252dc5c3b5a3b36c4d7c2c7d1874ede7d690dc8791c1c47c4e61b1d3fcb88811f4a99939735599ed6ad76bd793accf1a23c8178024b9789f66d5370f3a616e9adf876470108fa16df8db1b95179bb4052f7aed18eec66d2f5c788eb82f31816d584b3ec6887afee20143cb8117045f759628a3f9acd8eed9a5aa333e82db826fa21b16895d29d9c95c56f06b703174bc4a5e69091b3e6da07e4c38f947a95ded03c4eaabc01b25592ecf4edad426e8a9c6779eb47c2b97c37503933b55f5565fe6d94998a82e5a47b2d828eea64e110234b01a67516eaff6b71b7df24e9a76efcb360f4951fc7439b418ef7acd376a755914f5a2ce10d15d5aedba1ee31f64faf520f9d1e917eba3b976b57be8d621658d5038b4cfd456daa8468fd2f482c4037ab60c818b0e752de32bfc51d2dd723c897d5e4a80404240f04721d98659704b981d8d112421059ac76aa9b32440ac3608ba64b98d2b899bcd13df022ea2312d87f817cc1ee8929180623da171542e087581fec6b77b884a96818c6b05dc51a2939dee3631120b7270bcbf396511f0ee73808ee38e098d150e9af82aa2b03bf23b3a568a9f7a2e17d40193ed1c06fb0b9e8cce84a4a73585ceccc791e0e3ec09f028a6b16bf2f237dff3d731a06169622dd465c55cd209c1e47da0199144d28e3486a37558173d1778efb34868e2c2f6fc0f4ebf8eae00d449dc504b0b71b419510ae8d1c9b0f7dc43746a1c58ceadb337eb42aeed4aa7bf38a439e1724968014264a968af932cd689679cfcc1f45c486cb0de6f706a73251221d8341445b1a188e6be3726e5bdbe9f58cb2998302b989d55d17d0edca493a410609ce4266cc153de7e1a6d4087c707e980f7870c8a07be647fb98de364d0f342363a6a096612a21ebb621c5168e31202691007d4f6857aab1e12ffb9a17257a7cbe99ac3bcd075d800af732f7785e02a300fc666c56b6d185335410c997a9062c9c31e9d745356cd4346ffa39936c98a5deea640698232a422538a5adca7d203225a1d32d11b7d446db2ef26ab5628e4d9204b06012cec9d9fbea3c5b7ab53b1d90ae1c6cfc6bbe6ab0ecab4072fa398b72461f42b8a80efbf64fd51746cefe6afb011af1e948c7183eacd37826a876182d02f835b9cb15ccbfad74f89d3e20769db8738e4177e7bfa205be4a4273df1ac957b8ecb0ac67e997c47f843189c4977ae48fd2b20c98727ba94ea805e0a598c4963158bea219c833deec42b201d87cc858a5b1ff4cdcaf60ab80301480cff941907ec35ff9ff0594bb26ea2593a33dbef6978108ea2f7bc4243f54478dcf16ae03a4709b58ada918dcafccb3499cf3c5ea1f7845d5384d4722de39e29dcce144b174c95f9d55593fab277ee3fc845e563bb07f2fd2020da537595dd5d54914c877c1e2144ac0c37f"}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3336.840922][T28998] kvm: apic: phys broadcast and lowest prio 04:41:18 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$media(&(0x7f0000000300)='/dev/media#\x00', 0x0, 0x2000) openat$uinput(0xffffffffffffff9c, &(0x7f0000000280)='/dev/uinput\x00', 0x2, 0x0) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000240)={r1, &(0x7f00000000c0)="02173131a2816678b99dd8cf7d6794f27cc0129c0003b01f75fea8efa2eddbba18be4ba55aa3996921f461c3708ca01015ad0cde6871fbf94bba5990b25138d985847a4f083e5a948f7eb2d833899befdc7853e7325920b08485306cab63471bf870c0992e4d46921a77f80c7b0577f2a34bccbe13040efc7a3eafbf3d63f4b13fd2da15319aa67383979eebfb037b2b096c86e6715bd8253d71e08bcac2930bd4f7f878d8ae1350fd3a7a", &(0x7f0000000180)=""/47}, 0x18) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) 04:41:18 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x75, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3336.928658][T29009] binder: 29005:29009 ioctl c0306201 0 returned -14 [ 3336.948266][T29008] input:  as /devices/virtual/input/input1116 [ 3336.968041][T15669] binder: unexpected work type, 4, not freed 04:41:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x74000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3337.011809][T29014] input: syz0 as /devices/virtual/input/input1117 [ 3337.054420][T29017] input:  as /devices/virtual/input/input1118 [ 3337.118221][T29047] kvm: apic: phys broadcast and lowest prio 04:41:18 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x5, 0x9) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000000)='bond_slave_0\x00', 0x10) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x7fffffff, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 04:41:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7a000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:18 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) syz_open_dev$radio(&(0x7f0000000000)='/dev/radio#\x00', 0x2, 0x2) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:18 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x20100) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f00000000c0)={0x1, 0x7bd, 0x203, 0x2252, 0xa9b, 0x1, 0x80000000, 0x401, 0x0}, &(0x7f0000000100)=0x20) setsockopt$inet_sctp6_SCTP_RESET_ASSOC(r1, 0x84, 0x78, &(0x7f0000000140)=r2, 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:18 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x76, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3337.467562][T29136] input:  as /devices/virtual/input/input1119 [ 3337.500796][T11475] binder: unexpected work type, 4, not freed [ 3337.511562][T29137] input: syz0 as /devices/virtual/input/input1120 [ 3337.526754][T29141] kvm: apic: phys broadcast and lowest prio 04:41:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 3337.599907][T29179] input:  as /devices/virtual/input/input1121 04:41:18 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xc0ffffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3337.710985][T15669] binder: unexpected work type, 4, not freed 04:41:19 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x77, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:19 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 3337.815872][T29261] kvm: apic: phys broadcast and lowest prio 04:41:19 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000380)='/dev/mixer\x00', 0x0, 0x0) ioctl$VIDIOC_QUERYCAP(r1, 0x80684d00, &(0x7f0000000500)) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) 04:41:19 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) read(r2, &(0x7f0000000000)=""/51, 0x33) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:19 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xfdfdffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3338.020169][T11475] binder: unexpected work type, 4, not freed [ 3338.043510][T29343] input:  as /devices/virtual/input/input1123 04:41:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 04:41:19 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/attr/current\x00', 0x2, 0x0) [ 3338.137156][T29388] input:  as /devices/virtual/input/input1124 [ 3338.152865][T29387] kvm: apic: phys broadcast and lowest prio [ 3338.219540][T29394] input: syz0 as /devices/virtual/input/input1125 [ 3338.275274][T11475] binder: unexpected work type, 4, not freed 04:41:19 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xff000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:19 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) r2 = syz_open_dev$vbi(&(0x7f00000001c0)='/dev/vbi#\x00', 0x0, 0x2) ioctl$sock_kcm_SIOCKCMCLONE(r2, 0x89e2, &(0x7f0000000240)={r1}) sendto$isdn(r3, &(0x7f0000000080)={0xdf, 0x6, "78b14250201801364c22412145702c3a54fd2be5a3fe016cd2b88de6cc8fdf39e3cb8172f981c05af40532d4fd4868d0665c06cf6a0630c0c3614f54ca9c902343afe92db26ce4edaf522c11b9ab497aa748e89d6937ca5ac3a76653b381369d523b86ec98dced64e277021701d31b1f56d641f9510add47474cb1ee888e8894d9e4f1"}, 0x8b, 0x20004080, &(0x7f0000000140)={0x22, 0xaa1, 0x3, 0xfff, 0x5}, 0x6) 04:41:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 04:41:19 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x78, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3338.426397][T29506] input:  as /devices/virtual/input/input1126 04:41:19 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$EVIOCGBITSW(r1, 0x80404525, &(0x7f00000000c0)=""/232) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000280)='/dev/null\x00', 0x1, 0x0) setsockopt$inet6_MCAST_LEAVE_GROUP(r2, 0x29, 0x2d, &(0x7f00000002c0)={0x9, {{0xa, 0x4e20, 0xff, @empty, 0x8}}}, 0x88) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) write$input_event(r0, &(0x7f0000000240)={{r3, r4/1000+10000}, 0x14, 0x0, 0x1}, 0x18) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3338.482768][T29514] input input1127: cannot allocate more than FF_MAX_EFFECTS effects [ 3338.496115][T15669] binder: unexpected work type, 4, not freed [ 3338.518416][T29510] kvm: apic: phys broadcast and lowest prio 04:41:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) 04:41:19 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xffff8000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3338.625057][T29521] input: syz0 as /devices/virtual/input/input1128 [ 3338.657784][T11475] binder: unexpected work type, 4, not freed 04:41:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release], 0x0, 0x0, 0x0}) [ 3338.717866][T29542] kvm: apic: phys broadcast and lowest prio [ 3338.795733][T29632] binder: 29631:29632 Release 1 refcount change on invalid ref 0 ret -22 [ 3338.805142][T15669] binder: unexpected work type, 4, not freed 04:41:20 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000)='/dev/nullb0\x00', 0x0, 0x0) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)={0x0, 0x4004400}) mmap(&(0x7f0000919000/0x400000)=nil, 0x400000, 0xffffffffffffffff, 0x10, 0xffffffffffffffff, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000000480)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000440)}}, 0x20) ioctl$HDIO_GETGEO(r2, 0x301, &(0x7f0000000200)) r3 = open(&(0x7f0000001580)='./file0\x00', 0x240000, 0x82) r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000280)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_WINDOW(r3, &(0x7f0000000380)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2002204}, 0xc, &(0x7f0000000300)={&(0x7f0000000640)=ANY=[@ANYBLOB="0200000053b0749f5f26949291b4efe6c1536c586a11acf4561820fff15067e35c1b5a5e0afbe372f95ac0f10d073f295a8edb42de6c4583edc8e23748e8d7635cfd4beae416be6e29ae3686b86a3e33eceeec69d3e365fc94b5623a69e2838660992898073496406bc2d36665908dcb8003ba8f8ef2001e8086a3315f005bfd2f29f377bb0d40da31257045563ba5e471219c2d3c66e43d525141ab2b03b2c88e0b2935c9cad8c0484821", @ANYRES16=r4, @ANYBLOB="00022abd7000fcdbdf2501000000000000000941000000100018e000000069623a6e72300000"], 0x2c}, 0x1, 0x0, 0x0, 0x10}, 0x4000000) lsetxattr$security_smack_transmute(&(0x7f00000004c0)='./file0\x00', &(0x7f0000000500)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000540)='TRUE', 0x4, 0x0) ioctl$sock_inet_sctp_SIOCINQ(0xffffffffffffffff, 0x541b, &(0x7f00000001c0)) fcntl$lock(0xffffffffffffffff, 0x7, &(0x7f0000000340)={0x2, 0x4, 0x0, 0x2}) sync_file_range(r2, 0x6, 0x8, 0x1) setsockopt$inet6_MCAST_JOIN_GROUP(r1, 0x29, 0x2a, &(0x7f0000000580)={0x8, {{0xa, 0x4e23, 0x9, @mcast1}}}, 0x88) openat$ipvs(0xffffffffffffff9c, 0x0, 0x2, 0x0) syz_open_dev$loop(&(0x7f0000000880)='/dev/loop#\x00', 0x0, 0x82) clock_gettime(0x0, &(0x7f0000000400)) write$evdev(r3, 0x0, 0x0) r5 = memfd_create(&(0x7f0000000180)='/proc/sys/net/ipv4/vs/sync_qlen_max\x00', 0x0) pwritev(r5, &(0x7f0000000340)=[{&(0x7f0000000040)='\'', 0x1}], 0x1, 0x81806) r6 = shmget(0x2, 0x1000, 0x100, &(0x7f0000b13000/0x1000)=nil) shmctl$SHM_LOCK(r6, 0xb) 04:41:20 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x8000000004802, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000280)='/dev/dlm-control\x00', 0x40801, 0x0) ioctl$TIOCGLCKTRMIOS(r1, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x1a, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x100000000}) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snapshot\x00', 0xa00, 0x0) getsockname$packet(0xffffffffffffffff, &(0x7f0000000140)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000180)=0x14) ioctl$TUNSETIFINDEX(r2, 0x400454da, &(0x7f00000001c0)=r3) ioctl$KVM_GET_PIT(r2, 0xc048ae65, &(0x7f0000000200)) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0) r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000300)='TIPC\x00') sendmsg$TIPC_CMD_ENABLE_BEARER(r1, &(0x7f00000003c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000380)={&(0x7f0000000340)={0x38, r4, 0x2, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4101, 0x0, {0x1c, 0x17, {0x1, 0xfff, @l2={'ib', 0x3a, 'syzkaller0\x00'}}}}, ["", "", ""]}, 0x38}, 0x1, 0x0, 0x0, 0x8010}, 0x4) ioctl$UI_END_FF_UPLOAD(r0, 0x406855c9, &(0x7f0000000080)={0xd, 0x0, {0x54, 0xff, 0x3, {0x1895, 0xffffffffffffff29}, {0xffffffffffffffff, 0x5}, @cond=[{0x1ff, 0x9, 0x1, 0x7fffffff, 0x8000, 0x960d}, {0x6, 0x4, 0x81, 0x7, 0x8, 0x5fa}]}, {0x57, 0x7fff, 0xe69a, {0x2bd7, 0x3}, {0x0, 0x2}, @rumble={0x1, 0x7ff}}}) 04:41:20 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000300)='/dev/uinput\x00', 0x802, 0x0) r1 = perf_event_open(&(0x7f000025c000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$vbi(&(0x7f00000000c0)='/dev/vbi#\x00', 0x0, 0x2) ioctl$KVM_SET_GSI_ROUTING(r2, 0x4008ae6a, &(0x7f0000000100)=ANY=[@ANYBLOB="0200000000000000fdffffff0200000000000000000000001b000000000000007f00000000000000ff00000000000000ffffff7f080000000000000003000000000000000000000000000100000000001f0000fb748daa0000000000000000000000000000000000"]) r3 = perf_event_open(&(0x7f000001d000)={0x200001, 0x413, 0x100000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, r1, 0x0) r4 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r4, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000004, 0x8031, 0xffffffffffffffff, 0x0) dup2(r3, r3) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) getdents(r2, &(0x7f0000000180)=""/62, 0x3e) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:20 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xfffffdfd]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:20 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release], 0x0, 0x0, 0x0}) 04:41:20 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x79, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3338.999885][T29643] kvm: apic: phys broadcast and lowest prio [ 3339.012648][T29647] binder: 29645:29647 Release 1 refcount change on invalid ref 0 ret -22 04:41:20 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0xfffffffffffffffe}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20, 0x6436, @ipv4={[], [], @multicast2}}, 0x1c) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3339.077104][T15669] binder_thread_release: 9 callbacks suppressed [ 3339.077115][T15669] binder: release 29645:29647 transaction 160 out, still active [ 3339.092271][T15669] binder: unexpected work type, 4, not freed [ 3339.124385][T15669] binder_release_work: 9 callbacks suppressed [ 3339.124390][T15669] binder: undelivered TRANSACTION_COMPLETE 04:41:20 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xffffffc0]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:20 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release], 0x0, 0x0, 0x0}) [ 3339.216955][T15669] binder_send_failed_reply: 9 callbacks suppressed [ 3339.216963][T15669] binder: send failed reply for transaction 160, target dead 04:41:20 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x79800000000, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3339.282212][T29665] binder: 29663:29665 Release 1 refcount change on invalid ref 0 ret -22 [ 3339.292386][T29662] input:  as /devices/virtual/input/input1129 [ 3339.348282][T29662] input:  as /devices/virtual/input/input1130 [ 3339.377927][T29668] kvm: apic: phys broadcast and lowest prio [ 3339.387631][T15669] binder: release 29663:29665 transaction 164 out, still active 04:41:20 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x6, 0x40000000200003) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3339.433063][T15669] binder: unexpected work type, 4, not freed [ 3339.455579][T15669] binder: undelivered TRANSACTION_COMPLETE 04:41:20 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x7b, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3339.481462][T15669] binder: send failed reply for transaction 164, target dead 04:41:20 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x40000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:20 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x0) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) [ 3339.721421][T29739] kvm: apic: phys broadcast and lowest prio [ 3339.736964][T29746] input:  as /devices/virtual/input/input1131 [ 3339.821876][T29794] input:  as /devices/virtual/input/input1132 04:41:21 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$sock_FIOGETOWN(r1, 0x8903, &(0x7f0000000040)=0x0) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwrng\x00', 0x80001, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r3, &(0x7f0000000180)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000140), 0x117, 0x2}}, 0x20) prctl$PR_SET_MM_AUXV(0x23, 0xc, &(0x7f0000000240)="ceaab7eae12c6c022360b0", 0xb) fcntl$getownex(r1, 0x10, &(0x7f00000000c0)={0x0, 0x0}) kcmp(r2, r4, 0x3, r1, r1) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:21 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x9, 0x200100) ioctl$sock_inet_tcp_SIOCOUTQNSD(r0, 0x894b, &(0x7f0000000100)) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f0000000140)={0x0, 0x0, r0}) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r0, 0xc00c642e, &(0x7f0000000180)={r2, 0x80000, r0}) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r1, 0x0, 0x0, 0x0) setxattr$trusted_overlay_redirect(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.redirect\x00', &(0x7f0000000080)='./file0\x00', 0x8, 0x1) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:21 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x80ffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:21 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000200)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) accept4$tipc(r1, 0x0, &(0x7f00000000c0), 0x80000) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x3) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x3) vmsplice(r0, &(0x7f0000001440)=[{&(0x7f0000000100)="64f596098a6368fdd9f3de1c110bf32f", 0x10}, {&(0x7f0000000140)="9174e85844617d97876fc879b65b6224b53df26640db5a47ef64f64311fce3f77b72099bf0e2e645563f35cf124485e9527eb278d14e12d8a0be331922b4cecdb3e42ebc86690c4b96d809ccb1fca890f58fad441780c07984a30b07bc36f8b618c2e7", 0x63}, {&(0x7f0000000240)="1a084025fd23d8dd266f304c6bb1a75809f907e00c6f06ac488f8319f17db87995c1168427658798c385e8251cd6e7dac0d8082cdebe7860834738beaeacbbc42deea6a2c11cb4087f5c3e07645de893c74037f4b1163efb49e4c76c2f7df6a7282f5bb602e57e36b1a603c10d3f3d54e96eb9c3eb9b613a9cd609c89892a80024c4cf49166f2e2461f99c", 0x8b}, {&(0x7f0000000300)="ef0d8f3f2fc4868550b80cc48a8fa82b09edc13c335df218ea8400696ae7bdf0d5397b7be9ed6fd4cb9ba949bbd02099d0be43e406a16cf270e86a16541d05d201be80a8d9186b51eeb5cc86413e77cab5ff6602ce34191467b06bbfd2cd87bec89aa12a0c6119b2a1ec3f1cb8a11d", 0x6f}, {&(0x7f00000001c0)="b1e25dba56de8c8d5c20182d200dc9b00171d2645e1844bf9cecb5936e84d00fc3c28783f43920d0522f658de7f7408d59f699d0dcf4e4afa543c8d9", 0x3c}, {&(0x7f0000000380)="8e39a8cf9386715540966bfb07919c2ac8590821c7600662147d60aa304aee0d1bd23ca17c0f9a332befa78400495ef8ec76d98a59c5a2f050518ec46a742084a24a6dfc31942e392af1a9d758bc37119edb066d8c41a910a943dd6130f8b0a109e433899b100f33ef3ca1f8608ec90aacb0c5a4de75141e32e471b4b889b7e5dabe1e0e153860498f06d06ee03cf1256779de5071bfa9a15cb30567e5a6bcf593d4362b9e617cb6e44bd611a5a775a4a8de8214d9284980cd14fc34ba26cb2046322999d5dacf0e0411f55aaa085db0b983a14653fe68da7084d79321c811efaff558b00734705dcaa9ee6b680c40d2e3e76480ba9c17eeee9d0513944a6d604cd9efcea39d8ef08d3f9bd2751ef3a7d407bd4bdb9b43a74df6af2de30dc42845d19a2d1eea38e38883aeac15e1f2471614da1cadeb16467bba72c0757d01d88ead8d5db2be4d3bb3d53ab3e0415cfb457b5399daf00c8ebc712a67850478fb3e8d82a92fa8f6b2900582e5c58ee143684a1c273bb14e0a7dd3040d27dd847032db0b7ba7c4f44bd0d9e733c1f7c60bcf4977e1fab09a9be66510980673e4f24a2c492866e1edce0256507b345595c985d204fab124b234c2a8d665bad0b06266e512e007f212cd81377ee3f1aafb059cc11b1609a9a66ab74dcdc57b44d91cf49d8a42b3466e514587d9f598f4c9cf7058cf701c5923252a51ea2de333c24038e6b5999ace03c859ae6fd39b5312080276e550e7563e7b30aaf73def4b7c2f59b76578a2b927d0046e0fdc4ef0d77429b6a3ff8c372ff77f7539421b99b2010bd89b5d11e70be699ab2000a86dbe8f3184465d39a6a3fce1f79d14900655ea34ed4be6204c454c25286d32f9222f405547ae4a0a350a0a2ff0afb230b49cfc16a5ec9837d5e47af92458045686d570e70b6664414ab4449d5e9d52a7e27c69563c45a97528e9c48d903c68553e8583cd5199d56910f29712e0b78073e4f79fadb95ca00bc057a17064a036f483db5d122b8af0551b1045b1f3eb366ca890d6c4bacf314f6af3357188bcae016c694095d3edfb025ce7cb044aeebf9b54ea5da3a6836dd298100771006290d458d76b1fbbfa8fc1e34fd1dc56e22af96773593a2b10ba2ab664438d2604a2454dfc36b3fafeb8760b949855db0130a55fe0876a8267ab34fc94faa06de1a24e5c6b95e96f5955fa29d5fa839fbfb44a16cd0b682053eafac897313b7dca123284ae2af1f139268163f49342d556503fbe4a7412f075cd354218938edd9dc59422fbb210f1c299844e1c60356ce4cd82585f641e756918238e856719d7127d9304ddc1e4a9d5209a82b7a635b7f7c16dcd3ac31050fac87e60c2839d94c67d0f542860eac9e197515acbd4747471c81379f40e381da731b44a67e01e9926ad2d33b4601f3c9ccae2e906da9a8121c321e65eb46cdffb54ddf02bea2255c52214301e6f2fa8a1359284ccd3af47661d6084ba3d50319b0181d4b0d0085b3ad3d5f46d101a56411a63d1211c905aeb7fe61f69f0d33d3db1fee55cd91f2ed099256f2e51df39f284055722bf4b8b9bc4d5109ca47c9f09f324fdf12fa9f3725a075d1fd0824d713a403943c8db33bab95eaeb407e25769dce0a934f80152b2a4411633742bb5ef0104653a9809c81fb95e4724078bac4ed4809034b50b556c8d3a41e790e865d3a3bfc78b675eb6eba284e9ee11af2f90f66ce0ceddcea3e9f1e49c0e900bbf9a04fe896bf1734c47f631ab513f05d662196d36d4c4f8cc79c74fe9eadc1a9f82e87b688e043fbbebce90aa9c0a9c65e612f2cbad936ad7ea7601a7692c0506b46564cf873dcbd9d539070cd0cc288b48acf6e9253d37507d5aa13ce2cd68da21f01d921a61c4f491a67c66ca31caea879184570692a44d08edec5060ffc3c1393f0ee6b061230dee6bed0fccd1f863a7c41c165f93bfae1b6f1cad7bbb5f772fcad674cece858b1e6cc17bb65afb93079cf1a57cd0eee0d600075ae56701e010e0e7744289d403825703229e9df6926123fd995fdb05ea6b6e15c9dd0e77e40249fd568bb854ca09b7a3084c4fb13b4fcd6b56f8c7e428c91d263214e003e8561259607311b225f429b02e102080808cd047161df9cf1111dc182d5e6130c870e76789970a31dd9afc1fae4d085183b8a67701d0a8db52397fd26d6b81b472858094aa72e34a629957433c6a797dffcf33c5275224d29156e58e306cbb9609239906c1be9ab1a81891d4954a1beb100cd63b847339fbeba2bfda31c6ea6d66b4697a8b31a114c6102ad44b04cddebf16162f39d1d3b6e930039c0b7efc7999983948e9e90fdb26cb7cf4d7eaccedfa78b19f8645d729bf5ff3612e8bd1b03dad6b6d12c10d2bda60bd1f714ab8a53f920ec6444d61b8a49ca8c731737dd6e817667b2059aa67a1af417eb26e59ae80d82647ef8634abc7251114c2d8ce9c22768f07af1ed4fb9fe227ccda39f6376cc536bc8d58756364c93540e3a23cd66f81913581af26c2efcb70233d34ea0e7f9cf1779b3fa35f9d6ad43d063f366d2426776d02682f5fc7f4bd68c17f1ab14468f1606287418733547df352cc76391804cdbc3018c6711a878891df6f7292f82290d0db85b7662b70677bbe7164ba6ef8873fca89b2f5e6b93369763c62505378a735281e9b79ff3c12d13d7809d393247be6b7779cad8c23380f6dd7a788c1468e226d26215f59816cb8d6a553a60feb9643b9e809ccbb66dc5a2c6056bb38ce32c373a5665a33c84d0d80700e7ade7ea0f576a5716fa6108ab794026be07dac337cdab319588211cceefa6ecdd0dd4bae9a16be0bc0ca33e78ccb1cd462a4be6735837f0db5d19fea82b1423bd7474dadaafe172c78e6bccc58de8099ce37937f2b945db4112d5de13a014babce10c89a480253946d69550edd8a56f172bdf291cd66ca4d5829e41bf07da182030756c252d47439667b5d04ac04724cf6c6e84be4d92ae8d883f7a0b5ef419f3a03df891a67e5b79401279016c9c6c3e7721470890f7264042e658ca0d5f7f0d5d5d40d51a80b68fe1256804e3cb7f509a3c6eaa238db4a2e0371b1687b296eb1ab5b4d4fe108d8ca77ea550203f19163b3e5261bb6f2e3f46f7a400d2016cebd70a248bdf415b92c6b5d9c99124d4fce90f5aedac74a5c5b9fa9ad9636917c0579b7f51c66e98e3f24ff05a4d9c65bc7498fea35dfede7cb20be9516179ccd110f0f2c7af691aae7158fbf5bcd6ae77a695613f1f85fcfd1158e84fdcc5b5781e69e0e9f843ec456c06edc93a85afa2ca6360f8ace37ff5c937a69d1b659f214e94df940ec3bc5ec3a51b1f62973d8efc93d124faa4ad79e2fb19de74e4049bc78571dcd9300edd7a3f31bdde9da4f1fd7f457255a0a4555ffd6649755ff34e70dea8273f23ed22cf9ecce4e20f0a8343dc7346fd9ea929c52904ad21ab2f00e0d70831bbbfe4c64b58c0391d8edbb66d43c2c28d5986e033adf65137467acff5c3b24f0a469e7caada2e4b74a8367223618d871db908eb8697d2ed9111b20e2f20cdb655163f7e87ed8b91b6ede193e4c07d963438749e7c090b8dc492d6d6bb2dfd2a31ee9baa232fc18c1766d5806df41d2a01f5decdeaf629c3fcbdbe4c6f90a4c8a9769ce75e29f461900383cd52e191ae9539d9747678c5dd602752bd77755d12548daf7ca907a0635ee8abb96d351827dc0f9f0968c25d36339654b203d76e81166d7c3bd5bfc097b68e70f8050f883b12a48121a34842d1c2995a85fe7713c5a79ef78aeaa0eb3eeed4772f2d99fb8e93d3f96fb1015dc4befa2f4af8bff1908e313500ef9563c4f4567a9b6f659555c45a3d7d05b5641f2d27828be465e57940e8c2d702acbf62eda374f1f14cdc43463096e16303a43b9ae3a583cf6436a817c448ea10fe9cc6b900725c4a9ddae13419b92fb5a30413444dc8fc59a9957ba6b1b51c0d21693bbceda912050d8fb899602dd291d730a39d8442ac8a928ffc7b5d98a573b4bfbae8c1baa75bba7e413d4f3c46e1f90357caa7d3db58c233680d2e2ddbb466c30369c5d3c7466628ab1132fa5178825901ed1bb9bcaa6ffcb790e6be106264b80a0cd20dfb5765067e07035a9d84cdffad5d7c069f51e5f9807f0ee9ed2891118d57723c24f96f7fc0a91794b0c2914df6a47e05b5c3fd2e0a424022cd14dc20c06bfc892bded9e4fc452bbb180bf973e8b8f8e24210e1427e85d327a7ac377342bcc2297ffb39d83b29e53e22d468f634b2e0f1e5d099640b67235356702fe8863a9576f96032ab3436b0fe1e1325abbe71d811533342cf869128e0048875dc11a2200426402c7c22d53da1e8ca0372907237adaee5b75c99ff27ecc8bcc012a54bd3f6661e18299db584492f4d56a240dcaadfe9d81970d3677cbdb4247d8aba35ac4bc8abc668779071cc99d4cfe497a640ac9ee543906a99acdd2d814a0e7078c29c27b0c799febd7fb499068c28b4c7cb2e7d8bfc3dbff4a3fab8b7792f8fa0d1396970f3948eba58736055fe7e71a4aa2fb3aa5681c44e48943dc863049cdf403772eadc250a09e1599b9f62025456b0ae8cf33d6afb69c15790d7dc812a6739f0e741a91c551316f4daffff0935dc175827f71f0f7fda217028c3bfa7d5193a101f8fcc1807ef60931467ddf4a78069d07fa961d339656bc1ddb376fa9014ec6370c8c89893e0ce95e5c9ec85094924abf88c25a5bd1ba804a49579666043f7299eebb20a92ca86094fcc50fbbd98f157c5ca44b04161fe6e6a1dda1d5b514ef71a77a2faa4ed209c63672880def7fea8956241421f29559dc9cb3dfb91755f52b19c74fc29cab77f7ef4c1fdabf4bb7f26ca40c4055c4625385db647118672627a280a4d6aff20eaecb1bad0fa3784bc822bb45b91bcd82427c72901d84788716629c301a30748aa0cb01174e1a8990cd1d2d783b5e0b7f1bbf0476c1f2664bbf5f209bb61fec45eec5ec779eea66dd952dd3b299b640cf42d7c018c60a8183c518766dfa8976ee232ca01b64c531eefd41cbdc66a58023da7e0889e50941995bf598e5e28652083ddd7275fb398f72e84520b372e770876421d3d2f31cb62a4a7226460dfa259cad90d8bbe295135ed0a285fcd71c61ddc897fb4e736430feac8087578f6f2601c819fb9988f3362a22a6d47299bdddd3514e9334a22ff0c24e8c1de64174ccb3e57dd3dde7dc922fe3878f90eeb51a7702c3f1767397ffb218d3ee3ee7999a565628ef00723cc565c3a8398eda4d7bce51f5a3c7516a6734d6858942bfc13797208f7abc0b828e41766a9ca2d9b5fe4763b56ce81eda444b0cda97cd63135a5510848290c33da44d247f22fb9a015f97d16658e572acfdfc74a4661c9e3e3e76d5a2bea83211ac7dbd6b8193b2df12bacaaa5ceae958c8a81cab031b7d04ba1adcd19e2dcf511429688ecb479b7e9ccb15bba6851c6ed89ee702d7e605a356be3764126630b49238a9bb621e43af112828e98a550c75361556cd64057ace259223467645c77a0237f8429dbbeee62c43ddff88a59ad7b96e37af305eb0a6a73b2ff016e3c8347aaf4b11e678b8fbf517fc3d143ae2264f2c1d9ea738bc9716af74c8d3ac5002ad7b0fbc1ff255077f80f833cac5b6872b370d3ed8e4ddad574204c47db0b6d054f08bfa99aa35541a1433d46e34d46077b95b3eba5e3e842df537afd446a86a9136b8b0e6d8222875addaebe8f4a82a64cbf0a423f9ab8c100d63ed136788eaf8c51f30ea1f376bc181f34833dc2dab99c3df", 0x1000}, {&(0x7f0000001380)="c3266ab385cbc2ab0572e996c64a233f7a8984d5dae1485f20369cd489882a826787c48a910232446f834b6ecbbbb5709d46739995f87cd871b238585120295da7ba9d3554c905ef1b3d64345621a9caaafbf100102cd05c4f08135e2c91287f4240ee6a20507584de2a4aa2b35763a245212d0c5d03c30a007f5fc4217157f372dd97a3a8d4f8f6cff5841fcfa39b7f551e75de466f1746118001", 0x9b}], 0x7, 0x8) r3 = shmat(0x0, &(0x7f0000ffd000/0x1000)=nil, 0x7000) r4 = syz_open_dev$amidi(&(0x7f0000001540)='/dev/amidi#\x00', 0xef0a, 0x109041) write$P9_RLERRORu(r4, &(0x7f0000001580)={0x19, 0x7, 0x1, {{0xc, '/dev/uinput\x00'}, 0x5}}, 0x19) shmdt(r3) setsockopt$SO_ATTACH_FILTER(r2, 0x1, 0x1a, &(0x7f0000001500)={0x3, &(0x7f00000014c0)=[{0x80000001, 0xa000000, 0x73, 0x8}, {0xfffffffffffffffb, 0x5, 0x915, 0x4}, {0x3f, 0x36e, 0x8, 0xffffffffd368333d}]}, 0x10) 04:41:21 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x7c, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3340.059267][T29900] input:  as /devices/virtual/input/input1133 [ 3340.111586][T29910] input: syz0 as /devices/virtual/input/input1135 [ 3340.129491][T29909] kvm: apic: phys broadcast and lowest prio [ 3340.162171][T29900] input:  as /devices/virtual/input/input1134 04:41:21 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000001640)='/dev/snapshot\x00', 0x1050c2, 0x0) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) accept4(r1, 0x0, 0x0, 0x800) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) accept4(r0, &(0x7f0000000000)=@in6={0xa, 0x0, 0x0, @mcast1}, &(0x7f0000000080)=0x80, 0x800) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0xdffffff, 0x0, 0xa}, 0x98) 04:41:21 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x100000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:21 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x80002, 0x0) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x4000, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) ioctl$LOOP_GET_STATUS64(r0, 0x4c05, &(0x7f0000000080)) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3340.419513][T30132] kvm: apic: phys broadcast and lowest prio 04:41:21 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock\x00', 0x8002, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x2, &(0x7f00000000c0)={0xffffffffffffffff}, 0x13f, 0x1}}, 0x20) write$RDMA_USER_CM_CMD_CONNECT(r1, &(0x7f0000000240)={0x6, 0x118, 0xfa00, {{0x5, 0x1ff, "55188c28b2054076ddcaa9ea8560b1f73c46384d84dfd0ee129e9dc1ea3d6c0458da61a28b54b6827eaa4a65e12c2c9138d82d9f1898574577a7018ed33e731c66809b18c7b5d09eea50c5c22b196aeaf302a2627359eaabb68bace95f2b8cb70656e0dad481c74344082a0ea06ffadc04a0ee669499c99bd474914a9909b508a35b3ccb0f1dcfcb12f94c3626e4c8ef81c61672d60f2158123aa7ac3deb6bb6c3e29426340fb4b7a368cb1f2ed8e5eed010dd9c8e1ecea52831b705c0085e68d1d9751e81591f43e612c3bfbbe28e652300061fcabd355451ce8e753ccd29d53b1f1d17138c2a4f47a11116e1e6f0df36565bf42c4998b44f15b7f598404e71", 0xe8, 0x7, 0x10001, 0x8, 0x9, 0x1, 0x401}, r2}}, 0x120) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:21 executing program 4: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x2, 0x0) r1 = dup3(r0, r0, 0x7fffd) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(0xffffffffffffffff, 0x84, 0x7c, &(0x7f0000000100)={0x0, 0x8, 0x1f}, &(0x7f0000000140)=0x8) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000180)={r2, @in={{0x2, 0x4e21, @broadcast}}, 0x1, 0x1, 0x8, 0x6, 0x20}, 0x98) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x11) ioctl$TUNSETSTEERINGEBPF(r1, 0x800454e0, &(0x7f0000000000)=r1) ioctl$TIOCGLCKTRMIOS(r0, 0x405c5503, &(0x7f0000000040)={0x0, 0x0, 0x2}) semget(0x0, 0x2, 0x40) ioctl$UI_SET_LEDBIT(r0, 0x40045569, 0x9) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00') ioctl$SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE(r1, 0x40045542, &(0x7f0000000240)=0x2) 04:41:21 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x200000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:21 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x7d, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3340.558455][T30142] input: syz0 as /devices/virtual/input/input1136 [ 3340.610609][T30164] input:  as /devices/virtual/input/input1137 [ 3340.726825][T30164] input:  as /devices/virtual/input/input1138 04:41:22 executing program 0: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffff9c}) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r0, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x100}, 0xffffffffffffff48, &(0x7f0000000240)={&(0x7f0000000140)={0x50, r1, 0x202, 0x70bd27, 0x25dfdbfb, {}, [@TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3f}]}, @TIPC_NLA_BEARER={0x20, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x22ab}]}]}]}, 0x50}}, 0x44) r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000340)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r2, 0x405c5503, &(0x7f0000000040)={0x1, 0x0, 0x2, 0x0, 0x4}) ioctl$UI_SET_LEDBIT(r2, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r2, 0x5501, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0xfffffffffffffffc, 0x0) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) fcntl$setpipe(r2, 0x407, 0xfffffffffffffff8) ioctl$KVM_SIGNAL_MSI(r3, 0x4020aea5, &(0x7f0000000300)={0xf000, 0x3000, 0x9, 0x70, 0x4}) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/snapshot\x00', 0x100, 0x0) 04:41:22 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x300000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3340.880313][T30358] input:  as /devices/virtual/input/input1139 04:41:22 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x802, 0x0) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000380)='/dev/mixer\x00', 0x204240, 0x0) ioctl$BLKBSZGET(r1, 0x80081270, &(0x7f00000000c0)) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{0xfffffffe, 0x8, 0x100000200000000}, 'syz0\x00', 0x1}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) setsockopt$XDP_UMEM_COMPLETION_RING(r1, 0x11b, 0x6, &(0x7f0000000040)=0x20000, 0x4) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) setsockopt$XDP_TX_RING(r1, 0x11b, 0x3, &(0x7f0000000300)=0x800, 0x4) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r1, 0x84, 0x6, &(0x7f0000000240)={0x0, @in6={{0xa, 0x4e24, 0x4, @mcast2, 0xfffffffffffffeff}}}, &(0x7f0000000140)=0x84) setsockopt$inet_sctp_SCTP_RESET_ASSOC(r1, 0x84, 0x78, &(0x7f0000000180)=r2, 0x4) write$selinux_attr(r1, &(0x7f0000000100)='system_u:object_r:system_cron_spool_t:s0\x00', 0x29) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:22 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x16, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3341.022744][T30398] input: syz0 as /devices/virtual/input/input1140 04:41:22 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x3, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:22 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) fstatfs(r2, &(0x7f0000000000)=""/61) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$bt_BT_RCVMTU(r3, 0x112, 0xd, &(0x7f0000000040)=0x6, 0x2) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:22 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x400000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:22 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) openat$cuse(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cuse\x00', 0x2, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x20000, 0x0) ioctl$SG_GET_SCSI_ID(r1, 0x2276, &(0x7f00000000c0)) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3341.315539][T30583] kvm: apic: phys broadcast and lowest prio [ 3341.348507][T30589] input: syz0 as /devices/virtual/input/input1141 04:41:22 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x4, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:22 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x500000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:22 executing program 0: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffff9c}) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r0, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x100}, 0xffffffffffffff48, &(0x7f0000000240)={&(0x7f0000000140)={0x50, r1, 0x202, 0x70bd27, 0x25dfdbfb, {}, [@TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3f}]}, @TIPC_NLA_BEARER={0x20, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x22ab}]}]}]}, 0x50}}, 0x44) r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000340)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r2, 0x405c5503, &(0x7f0000000040)={0x1, 0x0, 0x2, 0x0, 0x4}) ioctl$UI_SET_LEDBIT(r2, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r2, 0x5501, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0xfffffffffffffffc, 0x0) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) fcntl$setpipe(r2, 0x407, 0xfffffffffffffff8) ioctl$KVM_SIGNAL_MSI(r3, 0x4020aea5, &(0x7f0000000300)={0xf000, 0x3000, 0x9, 0x70, 0x4}) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/snapshot\x00', 0x100, 0x0) 04:41:22 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = syz_open_dev$audion(&(0x7f0000000040)='/dev/audio#\x00', 0x287ab37a, 0x100) sendmsg$alg(r1, &(0x7f0000001300)={0x0, 0x0, &(0x7f0000000280)=[{&(0x7f00000000c0)="cf742d5e65ac52cfa4f14e0f75c1b392091e53d064f9a105aaf9fe42beca8da4fd109072f9ad374386d0e07c1348c26d91f7886ff09522028e8af6d46c8b258e49ee32b774292f5b8b2d0a70262fc85356eb2200d190d19f2eba49112f15d8cb6eb7b974b74116b8f96ff6745fa865265f69a5f480ce11e0fa3dd28027849c847b2c8bc11023a679e9e126d3b519a8d72d7a226c32b9d2a8bba9893a24fffdfff77f3aa9002b7fd3b701ccb79225dac8b275634b1195a6340c3e7106747b8e9c3852c8d704a8ac0dfc9dca0980a95713c3d5d83336", 0xd5}, {&(0x7f0000000240)="d5505dbd4aa2", 0x6}], 0x2, &(0x7f00000002c0)=[@iv={0x1018, 0x117, 0x2, 0x1000, "4aa1c6c3d0de79d3a7334ffa9733c5687bde1a769db73978856b0cc8b638851d95987d0ed3b5ce4d6c39949368cf8f7f3baf934315d039feff3b3cc27270b5c802220c4c74e506d0d3353509602a6aeb16bed1c3f0681f6960e1a17e680135154647068a9e1a9957c7cb7ece12bdcd7d594c90db724c1eec53ca2748096566dd36d2e2f03cceedbfe851943e117bcf3a7f688f0e6bd66aa6de87c2b5ad4187fba266f61b3bb6e2a9d517e339f06f769b8681bbd2e1f794fbb15db9084d44eb87b119e13611f1041d4cac29ac8d5d960cc5dc1f4ddbc5ccdb531db0cfdd5c5d28a7e8ec87cac056d8d32de4c2dbc33b07b68e10c71d5d7cd490ffc4978e83caa59a280766fae9404d0692f69b6582d0a0fc2f88b7b2ebe27fe0cbbd93a5dd8451b046197f7286aa5be7debd4cccce824b3a3d711ad2bc6cba6f2bab9bdc26c8d1f46c49c583bb074f57a6ec98fdbed9709fe6bc946a5361f087197d5316d30c08b81a5ad3c652a93984702d7915a75b9854f5ddcd0ac6ce5abcfca14e433f1b322aab1b35cdc05c93ad065d30675d35cad6d8d78ce93b11ac8a76f6924ea2eec8e7b7ab15de4b537deea1f453ad36b17890c46985a5328a4f34faa52d272327eac4b6dc4600ec67bb2b7ab10ff47045bd1883b810f15b0334322477986447d24d4edb9518bcd2392b84b9430f398250def6b8c9e7c49d407d5c70b15fee67844b2a5d08f9a8433132ed38d6f112b1effd5e6cd1c20f8424654c0491ee1a9f2cd0cb7b023fb97fa375a5ba947009092995e6577a25bde48c1ed7767af69e94a686f4e74b6db79cc5ec63c63e6e71b45afee193721e15e17852f1dc9de4964a21231265a98d72e3270923d6131486db3c87e6d391f88bffcb2fa59138e3b29bc5f030d104b183d9143a94518f091dd2be56e2bdef310506be5bcfeac8d0a11d2638ede3244c71ef0be5e1c07f57bcb98e0487b97b9c7efdb5b35e901f5c54e34bf7c0974f079f3f8a521bb3c9b8eaf5a0803755914e931ed9ba8652c2bb755a4e7c8ffa73f5dede1bec86c7638913338152b6dde900ef267918b2466ff150c07ef244edd3049ea746169440aaa2cf65030bcce52feaf03d3fe38fa7412436fd39a11740a2e3b414a2701276b11f4cb0abf1adebc9de04855bf692558a71cd6631d07ed3df45e613bc604bbc3856b9da9b5c1504ae68cb337055ec275ecdf13c5af527e9f96d07562e7fe4e877026767eb1d529a1d5c79556307d4e16ab9f10b2dedceff52037e365bb20d62de05b234e7002da2ebd66def9383663fec6c2fe6a3b3c32c8273ed0d551601bc82c68e7a8dc51eaa788f9fd3df92fe5f13962bc8c2461fe18d41ee28373a248c093504af7ca0ed9d655ace6e9a474fbc020cf70628ca2c528a5f0fefb287c1e4832919aa25255467865c30f08aa5637c59b22c01fc690a62f3c84c43a468baa7991c2701390fb7ad72793728f67b10396ed2c5f650c7c1a92c30d658f96a5d41b735947cbb5124cf50943fb748d5958a0e15661efef9cd430486b13eb0dfb0d665c3f41d44288947bba3e2279019d1fd1b27be3d26c6ba1dfe57abfd655e8ec219707ee139b961f9ab09f22bbc7b8475d792a29338b79955d9d6db1ccb08c2685273c21ba01444492510e80b55332988587c9958bbdbe77810a37233dcf64aa4ae5e218ae58546364a9854666047f39fa01911af9ea02bc737ea72c7dc036912749a726750a919b0d91941ba57ddcc5d70bcd0ca9fad71f14fe833e3a82e98dec51fdeb65d0b881b849065ce4a82718ab424463fe2120878b3f84c3cd66c65e2d3166bba05832285fe71c602f603f8d904ee0073f8f9a706b512b8c17b112ed9f158c76677871c53f8bf4faf127fbd20fd2c8fe3f84a4b97c52f725aa4cf9cf8132249e771b5d7b744f4ad2a5763251fc7b584721089155c4c594b283d25597b9feb8dc148f3abe908ef94eae0f505d0e7506eb78250f904dd601e949ccef2359423434e85e6a26233de5b37135d5e4cd91fdaf4eb1fe7238e0c24a46ba1ef62de125735b5d0df95e1dbd6e389c81ea8729f9a7b7f0d6e40a452ee83e544306ba20881fccdf03a4824b140d6ceb0e5d4cc66a69f551ea86cb4584f9c6d643faa6222f0b7cacd4f5dc7bcd8c6660e6e854af506826920370b8f719ebbe54c3ef450439fd40501bc800852cb2ccfd5cc7979ffdf2e002564afc7ed9afe3c1b8f020e099d7c13e5970c6084805209cacd30e6e95ff031a3d9a7b208af0236d363414916d7b5084cb1d2f4f51ffdff074bf6aa3f2445507c17cb8091375193110abf3cefb7bd81c73787d5848241a34e5ec74d65e2dd88099cd81ade478e553e37bd057ccc2909a62049981c18676a3158004bfa4241485329a7e8e41d0c17c333c310cd3d1f1c7466a2c77134b5be3c9e0b8a9d507dfb6feedeed8cd93c41188b3818f180d434e1061a4a977eaaff69ba07fd449bb9b46645141f00cd0bdf901938478e8146b39967ce7d9c63a4d096ed9827fc7bab93b1465f0039f0b4bdb1b31ce36b80eb08b05781a3e4d7fe03d9ebdf0d62f23d7430c9f46b7a1aa83039e74114eb662fd71ad53ec808a7f1db0979ffbedfd33d2985d7e6f593672881a1a99350c5a0bcfbb9bf5d3718d7fa84a85d18659055b9c711c564ca4032f56a65ea1f0d16fa2ac87301163c46932e548beb0ead3c62b0b629ceec998d46fd53d228502015cb5964a55d9598698e5a0d135e34e9955fc474543ee6790b76bc3606296b2394e2b3f71f0a6d9b960f746f3de2fa7994404da831d1b3fc139a71da17b83ef6175e9870a759f6cd8277ba3247e8728887a902252ee5e47a682b1a78f19f4f2a4192209f56c979f37b37e0693dddf25722836c669bbdf6dba141cf46bff9ccaa7e32317c7347273bd71c797ddc5926bc7ee7fff876f1fbd39268bd4333448de78e5fc02daf79eda5ac51e858150db3a7ba8abb4d8087899618a514561ab3db22af979d0b79e39ea3cd5ace37ef26f38956470add32c44ecfd6d4bc46c39cae5b05655bbb8492cdb7966d01cb37df631eec44fa4f2d23c804d744d049e48efa174bb976964e352f7019e04fc821030e398005fcfd3e4c0f9d476bc52e7154a84ac04a6710262632db980976c481fdd4ab47da332f0eea8bfed3e7a2857afc1eea3052c215dfb9a6377e543ec038df05a3d9f4e7a20d8073d51510ccf86904eeee55b0b2a946787e0092cf964bd1f2eb4a6c83db73c8feb25e10884ea39c01edc094419fe1cc3e85670f56ff0ce4ca8369fafb2da06b5134b414145e92081472173d521be0ff913b92523d6727fd3b42d28348132673c399ed72b83079714d554228013e55b54f0426f9bd75ab43b3dad89e5b2a4e51d8e4d89382187fea0c095f09424fba34b46833a6d4d79531a3a9114e42da8c8478fe48d13e9d3ab278f44e851b1c15246bebd1acc81fd9c3e44dd9eb88e2fc6d342ac3d84261f071b454d4da3c00b6bc9c84277442ef6d8b89ba39a07a1279d68af1730e8e74dcaea10aeaa571a3a6312427d191013c2e7089aa5b4de009ebe3cc53347d7ca710e889001b6e33598dffa218dd636f1de0569eee844d1a2507e72cf18a774f059c753c15802c207afb7e3699486e84f88b86977a8201e2e9d1b2803a9802813017c422c19bc8936cd5fa611fb62ccf46a67a7a9dfac140784ac6e40ba3be6cb659c64d658365a3e76aefedb6142553216e5664a577c59567d913ab2aa567c80334a50f5e590acfd79d967914bcf40dfff4d811c88746093bc6ab3088fa9b63170bdabf8a38710e708a06711eaa99ba97b348661faed940699c9cae010476c11e3a8d9f06fc7088945be00bd7f81da6795116653eab1be419337b0b6b5afb3188b3093ae4bf9efc35960ba34288e00f59abbc12bff62fa0c0d0c9f929fe15624b20bd6aa1f514c3765720123c6d14cc44c814f7c380206b3097da0f406048289d8f34ffe9aeceb52a4b2e1a088a93ee13879a49e85d5a5f4f88e509346d2f110a7288a581abd4c3f7c98a59b7b8ed404169f7cac69a90af367a556d3634c6f9c7b0aa6968f3aa74e9bec245e49e7354b7874cb197d2064017b068a14bc79d74f7bd6f44253ab865773417981339fc66d5e8ff29795955386f42eeca2e28d1539f07094b2806da62e93b57e6c2da38038a15461c910e818435e34d9f5f9162c93409009da848b017961feba0d5fbc1ec6c62ed6777a4579bd7e534c5e36a7a3525645d20c447ed6b9f4ee7e33f122fd3c7ba56b34c33017988b90e09eb14c77e4a0c24b06044124bb5e53bb5cbd5c7353c0e040a448c7ef7c0e38b4bd515af76bcb57d68cb9dbd2121ed335e37b5a238962918ee388a28e12e01d6208e161908cbc229a4338ecefd0681ad0ddbc66e6c407bfc3200cf8bddafdb95de8d3434955129f3f7e535cde93c361c6d4b9aa4e4d91e4f98edb60dd07bd1eab3cf5ced78f12cc46232c4f2803b96e702eab94c95007d55e9c6261ca23629b4513015ba2d7d990ac0c441ecc10e6aa40e815af818f91982a745ea4653acb01f638a8146ee5d5162ab9ff6b168ee25d004b484e483378b6da6146ede18f0a9ca15463cc4c52111724bc182732f386d5e4881d8777a2afe7626a70a5029324a7e70deda7647dea179e1ecbd4171038e2b2cb485cf5e319272435f3a857ce752943db94296e66fc9ad0b07b4141253a1ef6243f3bb29c7d31bbb13e781d7559df99eb932e62beb9f64fdaed7865e773aa418a86f2672b487d4e89b632f8fcdcf7ad60cf129b98cfde59d2815920234d0eed24ba201785d6521b67806a0fe8016455dce93c241730d1d3847bc6b381baaecf33d634b00008b75adbf8c23420921a01b6f19ca56088823d7949bea136cc1826b091e56fc977463d15a54f0233b63d7da424753bfc8a482eb9af05e30116ef50401fdd6fe76a903fa7ea636c91957c71ccc52f8db41a7cf93e0cdd3554c0841de4f43a399ad203aeba416bae37127378c71522c1682334a9f2d826c3a648931414a17de015c24be0bef6d417755512e8bbd174e036832301b8c0f511b9bd2f269387b2e02485c3125af5e50ebf88766d2cdbe29e08e25f3df03015220253d8138b1e906ade54253b031af500e188644902d70ed707fd837352dadaee575098446abd42665c891082929a60c53e6bf1bc3e7fb19bd2edbcdec543528c2ebb4757c1270cc596b8cfc56c2709d9a39f1ca7a09566b16c22930a93b8e8a29c3b62f7be2de860ad104bb23a6207899ef029f10a03eb3a7258a6c4906283e2d5958d12375e72c2cde183d70a1a7c0da01fc21c560ee76c72b3a0c35be7026725f005ab1d618e7f859979196bafc700a7f015a72f409702132b8e0ff2c91d8c84d1535b8e7696a253004da8f8973d518eb84ecbbc291053b52bfd05e01a1d6309c2656e30fa29a868ed6d844896a2742c566e839a6fd414f14bba8f2a7238d885857d0e7ab443853df044c9be9542a856ba3ad60132730e44f5f233f6d7221549d43b3f815fdcf1f03f21c966fb32996370a473e8841ba952e769d0fde3eb95ff4d5225fb7a324e0914997e1d3d60c7d5fe4532faff89bb8f8cf8aaa2d49ce14d4dd0a73ea2fc91f9d9612cb0c6b1d58f93e8d3b6c0b981208b7a1e3393923ac6addd4eab3a1b7110d4641e550a626be449fb69fb638289f39fb50842c0de0dc84eeef5e28abee7653a0e7cbc2e2b33093001cc9cba16fef817c6e2531a410dccb016d63904a05079696893b541db5142c25f0"}], 0x1018, 0x20000000}, 0x10) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) sendmsg$alg(r1, &(0x7f0000001540)={0x0, 0x0, &(0x7f0000001440)=[{&(0x7f0000001340)="56b94f04386af08863422235087edc2e5e69b8125dc0744b0744377c4996ee704fa64d086207ffaf90e34139d75bba8629a3791e568f8e0e9de4f877f1288d090e6a12acafea76a6ccce710f64003751330da8a6c1cfc4692a737fbab64402f15f9b4c6d2e29b1e75aa8ef1de184b30684299ae226f731bae01d0418b5a681fa4b7fbb5a7e58e69b186d37e3d8a048f7d5cc4079bb5093617e843910927060a410e1cb8a458d096c86a1bce5cc5fe6ecdb33951a78691273b91bc8108391932c365213f4c9a719cd4f69f9b594c2b1a0834a23594c0c77e7c27bffa851ac40f43ca01546a9", 0xe5}], 0x1, &(0x7f0000001480)=[@assoc={0x18, 0x117, 0x4, 0xffff}, @assoc={0x18, 0x117, 0x4, 0x2c4}, @op={0x18, 0x117, 0x3, 0x1}, @op={0x18, 0x117, 0x3, 0x12d89e23344aa41b}, @op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x6}], 0x90, 0x880}, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3341.576550][T30702] kvm: apic: phys broadcast and lowest prio [ 3341.582778][T30699] input:  as /devices/virtual/input/input1142 04:41:22 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x4, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3341.712138][T30742] input: syz0 as /devices/virtual/input/input1143 04:41:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x600000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:23 executing program 4 (fault-call:5 fault-nth:0): r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3341.873045][T30836] kvm: apic: phys broadcast and lowest prio 04:41:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x700000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:23 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput\x00', 0x4, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = socket$pppoe(0x18, 0x1, 0x0) ioctl$sock_SIOCBRDELBR(r1, 0x89a1, &(0x7f0000000040)='nr0\x00') [ 3342.009197][T15669] binder: release 30922:30923 transaction 168 out, still active [ 3342.027664][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3342.062004][T15669] binder: send failed reply for transaction 168, target dead [ 3342.109673][T30930] input: syz0 as /devices/virtual/input/input1145 [ 3342.126051][T30926] kvm: apic: phys broadcast and lowest prio 04:41:23 executing program 3: setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) ioctl$ION_IOC_ALLOC(0xffffffffffffff9c, 0xc0184900, &(0x7f0000000340)={0x3, 0x6, 0x0, 0xffffffffffffff9c}) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, r0, 0x0) syz_open_dev$dri(&(0x7f0000000240)='/dev/dri/card#\x00', 0x20, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2\x00', 0x604041, 0x0) r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_WINDOW(r3, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)={0x68, r4, 0x701, 0x70bd2c, 0x25dfdbfb, {{}, 0x0, 0x4109, 0x0, {0x4c, 0x18, {0x13d9, @media='ib\x00'}}}, ["", "", "", "", "", "", "", "", "", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x4000}, 0x10) r5 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) fsetxattr$security_smack_transmute(0xffffffffffffffff, &(0x7f0000000000)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000040)='TRUE', 0x4, 0x2) 04:41:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:23 executing program 0: ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={0xffffffffffffff9c}) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r0, &(0x7f0000000200)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x100}, 0xffffffffffffff48, &(0x7f0000000240)={&(0x7f0000000140)={0x50, r1, 0x202, 0x70bd27, 0x25dfdbfb, {}, [@TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3f}]}, @TIPC_NLA_BEARER={0x20, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x22ab}]}]}]}, 0x50}}, 0x44) r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000340)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_SET_EVBIT(r2, 0x40045564, 0x11) ioctl$TIOCGLCKTRMIOS(r2, 0x405c5503, &(0x7f0000000040)={0x1, 0x0, 0x2, 0x0, 0x4}) ioctl$UI_SET_LEDBIT(r2, 0x40045569, 0xa) ioctl$UI_DEV_SETUP(r2, 0x5501, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0xfffffffffffffffc, 0x0) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) fcntl$setpipe(r2, 0x407, 0xfffffffffffffff8) ioctl$KVM_SIGNAL_MSI(r3, 0x4020aea5, &(0x7f0000000300)={0xf000, 0x3000, 0x9, 0x70, 0x4}) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/snapshot\x00', 0x100, 0x0) 04:41:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x5, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x2000000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3342.272031][T11475] binder: release 31022:31025 transaction 172 out, still active [ 3342.306228][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3342.343735][T31043] input:  as /devices/virtual/input/input1146 04:41:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x2, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:23 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x2, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000280)='/proc/sys/net/ipv4/vs/sync_refresh_period\x00', 0x2, 0x0) setsockopt$inet_sctp6_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f0000000100), 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) fcntl$setflags(r0, 0x2, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) symlink(&(0x7f0000000140)='./file0\x00', &(0x7f0000000240)='./file0\x00') syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x10000, 0x0) prctl$PR_TASK_PERF_EVENTS_ENABLE(0x20) ioctl$KVM_SMI(r2, 0xaeb7) socket$inet_dccp(0x2, 0x6, 0x0) [ 3342.388552][T31046] kvm: apic: phys broadcast and lowest prio [ 3342.413176][T11475] binder: send failed reply for transaction 172, target dead 04:41:23 executing program 0: r0 = socket$inet6_udp(0xa, 0x2, 0x0) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/cachefiles\x00', 0x44401, 0x0) setsockopt$IP_VS_SO_SET_EDIT(r1, 0x0, 0x483, &(0x7f0000000200)={0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e22, 0x2, 'wrr\x00', 0x25, 0x40, 0x15}, 0x2c) getsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f00000003c0), &(0x7f0000000400)=0x4) r2 = perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000001f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @dev, 0x3}, 0x1c) r3 = dup3(r0, r2, 0x80000) r4 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r4, &(0x7f0000000180)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @multicast2}, 0x4}}, 0x26) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@local, @in, 0x0, 0x0, 0x0, 0x0, 0x800000000000000a}, {}, {}, 0x0, 0x0, 0x1}, {{@in6=@remote, 0x0, 0x2b}, 0x2, @in, 0x0, 0x4}}, 0xe8) sendmmsg(r4, &(0x7f0000005fc0), 0x800000000000059, 0x0) r5 = msgget$private(0x0, 0x100) msgrcv(r5, &(0x7f0000000240)={0x0, ""/60}, 0x44, 0x2, 0x800) r6 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor\x00', 0x0, 0x0) bind$netlink(r3, &(0x7f0000000140)={0x10, 0x0, 0x25dfdbfe, 0x20000}, 0xc) getsockopt$netlink(r6, 0x10e, 0x1, &(0x7f00000000c0)=""/26, &(0x7f0000000100)=0x1a) 04:41:23 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4800000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3342.524203][T31059] binder_alloc: binder_alloc_mmap_handler: 31055 20001000-20004000 already mapped failed -16 [ 3342.597547][T31059] binder_alloc: 31055: binder_alloc_buf, no vma [ 3342.606360][T31058] binder: BINDER_SET_CONTEXT_MGR already set [ 3342.607086][T31059] binder: 31055:31059 transaction failed 29189/-3, size 24-8 line 3147 [ 3342.628628][T11475] binder: release 31055:31058 transaction 176 out, still active [ 3342.637112][T31058] binder: 31055:31058 ioctl 40046207 0 returned -16 [ 3342.644121][T11475] binder: unexpected work type, 4, not freed [ 3342.655040][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3342.682717][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x9, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:23 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = getpgid(0x0) fcntl$setownex(r0, 0xf, &(0x7f0000000000)={0x0, r1}) r2 = syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x5, 0x48802) getsockopt$inet_udp_int(r2, 0x11, 0xb, &(0x7f0000000100), &(0x7f0000000140)=0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f00000000c0)='/dev/input/event#\x00', 0x3, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3342.695690][T31117] kvm: apic: phys broadcast and lowest prio 04:41:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x5421, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3342.737990][T11475] binder: send failed reply for transaction 176, target dead [ 3342.847290][T31258] input: syz0 as /devices/virtual/input/input1148 [ 3342.863179][T31275] binder_alloc: binder_alloc_mmap_handler: 31246 20001000-20004000 already mapped failed -16 [ 3342.914153][T31256] binder_alloc: 31246: binder_alloc_buf, no vma [ 3342.929699][T31279] binder: BINDER_SET_CONTEXT_MGR already set [ 3342.935941][T31256] binder: 31246:31256 transaction failed 29189/-3, size 24-8 line 3147 [ 3342.952640][T31279] binder: 31246:31279 ioctl 40046207 0 returned -16 [ 3342.965010][T11475] binder: release 31246:31256 transaction 181 out, still active [ 3342.976433][T11475] binder: unexpected work type, 4, not freed [ 3342.993696][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3343.000909][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3343.007299][T11475] binder: send failed reply for transaction 181, target dead 04:41:24 executing program 0: r0 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x7, 0x8000) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, r0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x3, &(0x7f0000001fd8)=@framed={{0xffffffb7, 0x4000, 0x0, 0x0, 0x0, 0x4e}, [], {0x95, 0x0, 0x0, 0x600000000000000}}, 0x0, 0x1, 0xc3, &(0x7f000000cf3d)=""/195, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000]}, 0x48) 04:41:24 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x4c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x5450, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:24 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0xa, 0x0, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:24 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000180)='/dev/swradio#\x00', 0x0, 0x2) recvmmsg(r1, &(0x7f00000003c0)=[{{&(0x7f00000001c0)=@pptp, 0x80, &(0x7f0000000240)=[{&(0x7f0000000340)=""/116, 0x74}], 0x1}, 0x7}], 0x1, 0x1, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000100)={&(0x7f0000ff6000/0x8000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff9000/0x3000)=nil, &(0x7f0000ff8000/0x2000)=nil, &(0x7f0000ffc000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ff6000/0x1000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ff6000/0x3000)=nil, &(0x7f0000ff7000/0x1000)=nil, &(0x7f0000000000)="212049964d9f83ce073c51ee766b5345e8d6fcb3cf8bafede3698116f8fa1865889fe6e3728de646d8fed5331b2be26062fbb0ee24003b7a3505c89be02ae14c63f5f69b0c0081ba94de5e549488d8a549f7c6191bafa66c2cb491eac1181192663a2b7feacf0c847e151c6660e80a03cf3da19ba18c42e709711868b2b9b60971337593b5fa0c83da0b5f7fabe76bf8b029271e52f03728b15313dfdde087c6e61d1b9b44ce3779679b443a251dbe11b2dac2c3695f8741f3dcdc268f53918e1ea83de65d9056cf38a991c0372029426b735185787aa269678fafe50bde1f3e9f5c7de32dcda0c884c9652c", 0xec, r0}, 0x68) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:24 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x24c042, 0x0) setsockopt$inet6_int(r1, 0x29, 0x0, &(0x7f0000000180)=0x3, 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r2 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCGKEYCODE_V2(r2, 0x80284504, &(0x7f00000000c0)=""/135) [ 3343.243617][T31394] input: syz0 as /devices/virtual/input/input1149 04:41:24 executing program 0: syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x8000000000a, 0x1) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$FS_IOC_FSGETXATTR(r0, 0xc0185500, &(0x7f0000000040)={0x7fff, 0x2000000000, 0xdf4c, 0x100000000000002, 0x4}) [ 3343.302869][T31393] kvm: apic: phys broadcast and lowest prio [ 3343.321554][T31401] binder_alloc: binder_alloc_mmap_handler: 31395 20001000-20004000 already mapped failed -16 [ 3343.365412][T31399] binder: BINDER_SET_CONTEXT_MGR already set [ 3343.386895][T31399] binder: 31395:31399 ioctl 40046207 0 returned -16 04:41:24 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6000000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3343.473552][T31499] binder_alloc: 31395: binder_alloc_buf, no vma [ 3343.502415][T31499] binder: 31395:31499 transaction failed 29189/-3, size 24-8 line 3147 [ 3343.519793][T11475] binder: send failed reply for transaction 186 to 31395:31399 04:41:24 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = dup2(r1, r1) ioctl$BLKSECDISCARD(r2, 0x127d, &(0x7f0000000040)=0x200) 04:41:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x5451, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3343.548885][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3343.568583][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3343.589220][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3343.647893][T31552] input: syz0 as /devices/virtual/input/input1150 04:41:24 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6800000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3343.739920][T31616] binder_alloc: binder_alloc_mmap_handler: 31567 20001000-20004000 already mapped failed -16 [ 3343.827938][T31651] kvm: apic: phys broadcast and lowest prio [ 3343.845879][T31585] binder: BINDER_SET_CONTEXT_MGR already set [ 3343.861381][T31585] binder: 31567:31585 ioctl 40046207 0 returned -16 04:41:25 executing program 0: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x24c042, 0x0) setsockopt$inet6_int(r1, 0x29, 0x0, &(0x7f0000000180)=0x3, 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r2 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCGKEYCODE_V2(r2, 0x80284504, &(0x7f00000000c0)=""/135) [ 3343.921979][T31727] binder_alloc: 31567: binder_alloc_buf, no vma 04:41:25 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x6c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:25 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:25 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3343.984636][T11475] binder: release 31567:31585 transaction 191 out, still active [ 3343.986535][T31727] binder: 31567:31727 transaction failed 29189/-3, size 24-8 line 3147 [ 3344.001682][T11475] binder: unexpected work type, 4, not freed [ 3344.036769][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3344.055144][T31730] input: syz0 as /devices/virtual/input/input1151 04:41:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x5452, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3344.080445][T31736] input: syz0 as /devices/virtual/input/input1152 [ 3344.095507][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3344.117851][T31733] kvm: apic: phys broadcast and lowest prio [ 3344.134468][T11475] binder: send failed reply for transaction 191, target dead 04:41:25 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) ioctl$sock_TIOCINQ(r0, 0x541b, &(0x7f0000000000)) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:25 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7400000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3344.261040][T31831] binder_alloc: binder_alloc_mmap_handler: 31757 20001000-20004000 already mapped failed -16 [ 3344.295314][T31772] binder: BINDER_SET_CONTEXT_MGR already set [ 3344.338915][T31772] binder: 31757:31772 ioctl 40046207 0 returned -16 [ 3344.390446][T11475] binder: release 31757:31772 transaction 196 out, still active [ 3344.398693][T31831] binder_alloc: 31757: binder_alloc_buf, no vma [ 3344.414347][T11475] binder: unexpected work type, 4, not freed [ 3344.432144][T31908] kvm: apic: phys broadcast and lowest prio 04:41:25 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) pipe(&(0x7f0000000040)={0xffffffffffffffff}) fcntl$getownex(r0, 0x10, &(0x7f00000000c0)={0x0, 0x0}) setsockopt$inet6_opts(r1, 0x29, 0x37, &(0x7f0000000180)=@srh={0x8f, 0x2, 0x4, 0x1, 0x8, 0x48, 0x1ff, [@loopback]}, 0x18) ioctl$SNDRV_CTL_IOCTL_ELEM_INFO(r1, 0xc1105511, &(0x7f0000000240)={{0x8, 0x0, 0x8, 0x8, 'syz0\x00', 0x4}, 0x3, 0x20000004, 0x5, r2, 0x1, 0x1, 'syz0\x00', &(0x7f0000000100)=['selinuxppp1loeth0wlan0eth1$+vboxnet1bdevproc]\x00'], 0x2e, [], [0x1, 0x6, 0x80000000]}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) syz_open_procfs(r2, &(0x7f0000000140)='uid_map\x00') [ 3344.450460][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3344.459870][T31831] binder: 31757:31831 transaction failed 29189/-3, size 24-8 line 3147 [ 3344.491432][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3344.530412][T11475] binder: send failed reply for transaction 196, target dead 04:41:25 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x7a00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:25 executing program 0: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x24c042, 0x0) setsockopt$inet6_int(r1, 0x29, 0x0, &(0x7f0000000180)=0x3, 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r2 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCGKEYCODE_V2(r2, 0x80284504, &(0x7f00000000c0)=""/135) [ 3344.564609][T31961] input: syz0 as /devices/virtual/input/input1153 04:41:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x5460, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3344.742515][T32008] input: syz0 as /devices/virtual/input/input1154 [ 3344.760760][T31997] kvm: apic: phys broadcast and lowest prio [ 3344.770804][T32038] binder_alloc: binder_alloc_mmap_handler: 31991 20001000-20004000 already mapped failed -16 [ 3344.812437][T32022] binder: BINDER_SET_CONTEXT_MGR already set [ 3344.846914][T32022] binder: 31991:32022 ioctl 40046207 0 returned -16 04:41:26 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xc0ffffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:26 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{0x0, 0x8}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r2 = socket$inet_sctp(0x2, 0x1, 0x84) connect$inet(r2, &(0x7f00000000c0)={0x2, 0x0, @initdev}, 0x10) listen(r2, 0x100000000009) r3 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r3, 0x9, &(0x7f0000000140)="0adc1f123c123f3188b070") r4 = syz_open_dev$audion(&(0x7f0000000100)='/dev/audio#\x00', 0x8000, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) accept4$vsock_stream(r4, &(0x7f0000000180)={0x28, 0x0, 0x100002710, @my=0x1}, 0xfffffffffffffe36, 0x7fffe) r5 = accept4$inet(r2, 0x0, 0x0, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCGLED(r1, 0x80404519, &(0x7f0000000240)=""/81) getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000040)={0x0}, &(0x7f00000002c0)=0xc) fcntl$setownex(r5, 0xf, &(0x7f0000000300)={0x0, r6}) [ 3344.938020][T32129] binder_alloc: 31991: binder_alloc_buf, no vma [ 3344.998497][T14003] binder: release 31991:32022 transaction 201 out, still active [ 3345.011039][T32129] binder: 31991:32129 transaction failed 29189/-3, size 24-8 line 3147 [ 3345.043294][T14003] binder: unexpected work type, 4, not freed [ 3345.054167][T32143] input: syz0 as /devices/virtual/input/input1155 04:41:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0xfffffffffffffffe) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3345.089348][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x40046205, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3345.139197][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3345.173535][T14003] binder: send failed reply for transaction 201, target dead 04:41:26 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x4, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:26 executing program 0: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x24c042, 0x0) setsockopt$inet6_int(r1, 0x29, 0x0, &(0x7f0000000180)=0x3, 0x4) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r2 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCGKEYCODE_V2(r2, 0x80284504, &(0x7f00000000c0)=""/135) [ 3345.275301][T32298] binder_alloc: binder_alloc_mmap_handler: 32293 20001000-20004000 already mapped failed -16 04:41:26 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xfdfdffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:26 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x80, 0x3f00, 0xe000000, 0x0, 0x80}, 0x98) [ 3345.327427][T32297] binder: BINDER_SET_CONTEXT_MGR already set [ 3345.391407][T32297] binder: 32293:32297 ioctl 40046207 0 returned -16 [ 3345.405332][T32305] input: syz0 as /devices/virtual/input/input1157 [ 3345.460830][T32302] input: syz0 as /devices/virtual/input/input1156 [ 3345.470266][T32326] binder_alloc: 32293: binder_alloc_buf, no vma [ 3345.509717][T32326] binder: 32293:32326 transaction failed 29189/-3, size 24-8 line 3147 [ 3345.553816][T14003] binder: release 32293:32297 transaction 206 out, still active [ 3345.580099][T14003] binder: unexpected work type, 4, not freed 04:41:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x40046207, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3345.605480][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3345.643493][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:26 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0xff00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3345.668555][T14003] binder: send failed reply for transaction 206, target dead [ 3345.711204][T32486] binder: BINDER_SET_CONTEXT_MGR already set [ 3345.738428][T32486] binder: 32482:32486 ioctl 40046207 200001c0 returned -16 04:41:27 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x8000, 0x0) r2 = getpgid(0x0) ioctl$sock_SIOCSPGRP(r1, 0x8902, &(0x7f00000000c0)=r2) [ 3345.782976][T32511] kvm: apic: phys broadcast and lowest prio [ 3345.830565][T32527] binder_alloc: binder_alloc_mmap_handler: 32482 20001000-20004000 already mapped failed -16 [ 3345.897625][T32530] input: syz0 as /devices/virtual/input/input1158 [ 3345.904825][T32486] binder: BINDER_SET_CONTEXT_MGR already set 04:41:27 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0xfffffffffffffffe) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x2]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3345.939989][T32486] binder: 32482:32486 ioctl 40046207 0 returned -16 [ 3345.952954][T32537] binder_alloc: 32482: binder_alloc_buf, no vma [ 3345.965869][T32537] binder: 32482:32537 transaction failed 29189/-3, size 24-8 line 3147 [ 3346.001610][T32486] binder: BINDER_SET_CONTEXT_MGR already set [ 3346.022030][T14003] binder: release 32482:32486 transaction 211 out, still active [ 3346.038422][T32486] binder: 32482:32486 ioctl 40046207 200001c0 returned -16 [ 3346.059564][T14003] binder: unexpected work type, 4, not freed [ 3346.095629][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x40046208, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3346.114345][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3346.168747][T14003] binder: send failed reply for transaction 211, target dead [ 3346.239331][T32649] binder_alloc: binder_alloc_mmap_handler: 32642 20001000-20004000 already mapped failed -16 04:41:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x3]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3346.315614][T32648] binder: BINDER_SET_CONTEXT_MGR already set [ 3346.345753][T32648] binder: 32642:32648 ioctl 40046207 0 returned -16 [ 3346.368776][T32690] binder_alloc: 32642: binder_alloc_buf, no vma [ 3346.395562][T11475] binder: release 32642:32648 transaction 216 out, still active [ 3346.407441][T32690] binder: 32642:32690 transaction failed 29189/-3, size 24-8 line 3147 [ 3346.425582][T11475] binder: unexpected work type, 4, not freed [ 3346.455299][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3346.469820][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:27 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x5, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:27 executing program 2: ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(0xffffffffffffffff, 0x5502) r0 = syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x7, 0x403) ioctl$VIDIOC_ENUM_FREQ_BANDS(r0, 0xc0405665, &(0x7f00000000c0)={0x1aec41d4, 0x1, 0x0, 0x200, 0x8001, 0x3}) 04:41:27 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000088) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x40049409, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3346.486329][T11475] binder: send failed reply for transaction 216, target dead [ 3346.593896][T32767] binder_alloc: binder_alloc_mmap_handler: 32760 20001000-20004000 already mapped failed -16 04:41:27 executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_mreq(r0, 0x29, 0x1b, &(0x7f00000000c0)={@remote}, 0x14) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") setsockopt$inet6_mreq(r0, 0x29, 0x1b, &(0x7f0000000000)={@dev}, 0x14) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000080)={'syz_tun\x00', 0x0}) setsockopt$inet6_mreq(r0, 0x29, 0x4000000001c, &(0x7f0000000280)={@remote, r2}, 0x14) 04:41:27 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3346.682035][T32766] binder: BINDER_SET_CONTEXT_MGR already set [ 3346.682054][T32767] binder_alloc: 32760: binder_alloc_buf, no vma [ 3346.688048][T32766] binder: 32760:32766 ioctl 40046207 0 returned -16 04:41:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x8, 0x400000) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000040)=@assoc_value={0x0, 0x17de2a4b}, &(0x7f0000000080)=0x8) getsockopt$inet_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x77, &(0x7f00000000c0)={r1, 0x40, 0x9, [0x1be, 0x5, 0x6bb95294, 0x4, 0x7ff, 0xd6, 0x8, 0x8, 0x5]}, &(0x7f0000000100)=0x1a) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f0000000340), 0xfffffffffffffe0e) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:28 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$dspn(&(0x7f0000000040)='/dev/dsp#\x00', 0x80000001, 0x20000) ioctl$BLKALIGNOFF(r1, 0x127a, &(0x7f00000000c0)) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) setsockopt$packet_tx_ring(r1, 0x107, 0xd, &(0x7f0000000100)=@req={0x5, 0x9, 0x6, 0x1ff}, 0x10) syz_open_dev$media(&(0x7f0000000140)='/dev/media#\x00', 0xfff, 0x0) syz_open_dev$evdev(&(0x7f0000000180)='/dev/input/event#\x00', 0x22, 0xfffffffffffffffc) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3346.775011][T14003] binder: release 32760:32766 transaction 221 out, still active [ 3346.790291][T32767] binder: 32760:32767 transaction failed 29189/-3, size 24-8 line 3147 [ 3346.810173][T14003] binder: unexpected work type, 4, not freed [ 3346.855453][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3346.891219][T14003] binder: send failed reply for transaction 221, target dead 04:41:28 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x5]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x4018620d, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3346.951833][ T471] input: syz0 as /devices/virtual/input/input1159 [ 3347.100393][ T546] binder: BINDER_SET_CONTEXT_MGR already set [ 3347.106419][ T546] binder: 543:546 ioctl 4018620d 200001c0 returned -16 04:41:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CHECK_EXTENSION(r0, 0xae03, 0x0) prctl$PR_CAPBSET_DROP(0x18, 0x1000) 04:41:28 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$audion(&(0x7f0000000080)='/dev/audio#\x00', 0x2a, 0x151200) getsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f00000002c0)=@sack_info={0x0, 0x1f, 0x5}, &(0x7f0000000300)=0xc) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000340)={r2, 0x80000001, 0x4, [0x2, 0x3000, 0x20, 0x6]}, &(0x7f0000000380)=0x10) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000400)={{{@in6=@ipv4={[], [], @dev}, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@loopback}, 0x0, @in6=@mcast1}}, &(0x7f0000000500)=0xe8) setsockopt$packet_add_memb(r1, 0x107, 0x1, &(0x7f0000000540)={r3, 0x1, 0x6, @broadcast}, 0x10) getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffff9c, 0x84, 0x6f, &(0x7f0000000140)={0x0, 0x48, &(0x7f00000000c0)=[@in={0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}, @in6={0xa, 0x4e22, 0x80000001, @empty, 0xffffffffffffff81}, @in6={0xa, 0x4e24, 0xfffffffffffffffe, @local, 0x9}]}, &(0x7f0000000180)=0x10) ioctl$HDIO_GETGEO(r1, 0x301, &(0x7f00000003c0)) getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r1, 0x84, 0x76, &(0x7f0000000240)={r4, 0x9}, &(0x7f0000000280)=0x8) prctl$PR_SET_DUMPABLE(0x4, 0x2) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x2000) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3347.222906][ T632] binder: BINDER_SET_CONTEXT_MGR already set [ 3347.249831][ T632] binder: 543:632 ioctl 40046207 0 returned -16 [ 3347.271083][T14003] binder: release 543:546 transaction 226 out, still active [ 3347.278431][T14003] binder: unexpected work type, 4, not freed [ 3347.322568][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3347.337712][ T638] input: syz0 as /devices/virtual/input/input1160 [ 3347.365079][T14003] binder: send failed reply for transaction 226, target dead 04:41:28 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x7, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) r1 = syz_open_procfs(0x0, &(0x7f0000000000)='personality\x00') r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080)='TIPC\x00') sendmsg$TIPC_CMD_GET_BEARER_NAMES(r1, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x1c, r2, 0x1, 0x70bd29, 0x25dfdbfb, {}, ["", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x40}, 0x4000) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:28 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0x4020940d, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:28 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$xdp(0x2c, 0x3, 0x0) getegid() setsockopt$inet6_group_source_req(0xffffffffffffffff, 0x29, 0x0, &(0x7f0000000440)={0x0, {{0xa, 0x4e21, 0x4, @mcast2, 0x7}}, {{0xa, 0x4e20, 0xd0c, @rand_addr="294aea6cb59b6fc0a9cac25bab337e43", 0x8}}}, 0x108) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) r1 = open(&(0x7f0000000000)='./file0\x00', 0x802, 0x2) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000000700)="118433d14aac1ab8d07e20487e4bca35576c7ccf09209bf795551bab3f2bc45e06dba29d414f41f43c66bb72e7c1b443fb79e14b094477d41d125adad91670b8c7646a5ba8ca1eed1376a33c6b456c7e6389b82715c50bd61708f57b0097a98bbe5e9671bb0bd6b0e4ba403fca1bc333970f4975cb8040974a36da8a8bb1a53fac8766c67d2d03841627ac219eb126bc899a553a6ff35bbf3d2c7866e956a2f675d1ad7986fe2ee7c0c700aa87a2e60cf3a6adbf162fe28cffce54c3a95783b98db677fa0433752cc1f8f806f92d4c94", 0xd0) r2 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$cgroup_int(r0, &(0x7f0000000140)=0x6, 0x12) ioctl$KDSIGACCEPT(0xffffffffffffffff, 0x4b4e, 0x0) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, &(0x7f0000000100)) getegid() getsockopt$sock_buf(r2, 0x1, 0x0, 0x0, &(0x7f0000000040)) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000240), &(0x7f0000000280)=0xc) write$P9_RSTATu(0xffffffffffffffff, 0x0, 0x0) fadvise64(0xffffffffffffffff, 0x0, 0x0, 0x0) unshare(0x40000000) 04:41:28 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r0, 0x40106614, &(0x7f0000000040)) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3347.737167][ T852] input: syz0 as /devices/virtual/input/input1161 [ 3347.751679][ T856] binder_alloc_mmap_handler: 1 callbacks suppressed [ 3347.751919][ T856] binder_alloc: binder_alloc_mmap_handler: 849 20001000-20004000 already mapped failed -16 [ 3347.818677][ T855] binder: BINDER_SET_CONTEXT_MGR already set [ 3347.838154][ T855] binder: 849:855 ioctl 40046207 0 returned -16 [ 3347.888609][ T944] binder_alloc_new_buf_locked: 1 callbacks suppressed [ 3347.908053][T14003] binder: send failed reply for transaction 231 to 849:855 [ 3347.916299][ T944] binder_alloc: 849: binder_alloc_buf, no vma [ 3347.925737][ T944] binder_transaction: 1 callbacks suppressed 04:41:29 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3347.926048][ T944] binder: 849:944 transaction failed 29189/-3, size 24-8 line 3147 [ 3347.939167][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3347.946045][T14003] binder_release_work: 2 callbacks suppressed [ 3347.946052][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0045878, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3347.986191][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:29 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$midi(&(0x7f0000000040)='/dev/midi#\x00', 0x101, 0x80001) ioctl$TIOCSCTTY(r1, 0x540e, 0x1) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) unlinkat(r1, &(0x7f00000000c0)='./file0\x00', 0x0) getsockopt$sock_linger(r1, 0x1, 0xd, &(0x7f0000000100), &(0x7f0000000140)=0x8) [ 3348.156272][ T1087] kvm: apic: phys broadcast and lowest prio [ 3348.174699][ T1092] binder_alloc: binder_alloc_mmap_handler: 1086 20001000-20004000 already mapped failed -16 [ 3348.199327][ T1089] input: syz0 as /devices/virtual/input/input1162 [ 3348.216052][ T1090] binder: BINDER_SET_CONTEXT_MGR already set [ 3348.227463][ T1090] binder: 1086:1090 ioctl 40046207 0 returned -16 [ 3348.285739][T14003] binder: send failed reply for transaction 236 to 1086:1090 [ 3348.298038][ T1092] binder: 1086:1092 transaction failed 29189/-22, size 24-8 line 2994 [ 3348.325048][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:29 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x48]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3348.349762][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3348.388427][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0045878, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:29 executing program 0: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput\x00', 0x100002, 0x0) write$uinput_user_dev(r0, &(0x7f0000000880)={'syz0\x00'}, 0x45c) shmget$private(0x0, 0x4000, 0x0, &(0x7f0000ff9000/0x4000)=nil) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$UI_GET_SYSNAME(r0, 0x8040552c, 0x0) [ 3348.600223][ T1220] binder_alloc: binder_alloc_mmap_handler: 1215 20001000-20004000 already mapped failed -16 [ 3348.645266][ T1223] input: syz0 as /devices/virtual/input/input1163 [ 3348.652424][ T1217] binder: BINDER_SET_CONTEXT_MGR already set [ 3348.708142][ T1217] binder: 1215:1217 ioctl 40046207 0 returned -16 [ 3348.708174][ T1227] binder_alloc: 1215: binder_alloc_buf, no vma [ 3348.767788][ T1227] binder: 1215:1227 transaction failed 29189/-3, size 24-8 line 3147 [ 3348.769107][T14003] binder: release 1215:1217 transaction 241 out, still active [ 3348.787467][T14003] binder: unexpected work type, 4, not freed [ 3348.794616][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3348.803498][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:30 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x9, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:30 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, &(0x7f0000000040)=0x0) ioprio_set$pid(0x1, r1, 0x101) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:30 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_SET_BPF(r0, 0x40042408, r3) r4 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x400000, 0x0) ioctl$KVM_SET_TSC_KHZ(r4, 0xaea2, 0x80000001) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r5 = syz_open_dev$dspn(0x0, 0x0, 0x0) ioctl$TIOCSTI(r5, 0x5412, 0x2ce) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:30 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4c]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3348.813964][T14003] binder: send failed reply for transaction 241, target dead 04:41:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0046209, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3348.901545][ T1305] input: syz0 as /devices/virtual/input/input1164 [ 3348.941269][ T1307] kvm: apic: phys broadcast and lowest prio [ 3348.981042][ T1359] binder_alloc: binder_alloc_mmap_handler: 1314 20001000-20004000 already mapped failed -16 [ 3348.996585][ T1315] binder: BINDER_SET_CONTEXT_MGR already set [ 3349.005271][ T1315] binder: 1314:1315 ioctl 40046207 0 returned -16 [ 3349.006542][ T1359] binder_alloc: 1314: binder_alloc_buf, no vma [ 3349.029884][ T1359] binder: 1314:1359 transaction failed 29189/-3, size 24-8 line 3147 [ 3349.062415][T14003] binder: release 1314:1315 transaction 246 out, still active [ 3349.074444][T14003] binder: unexpected work type, 4, not freed 04:41:30 executing program 0: clone(0x2502005ffb, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = dup3(0xffffffffffffff9c, 0xffffffffffffff9c, 0x80000) setsockopt$XDP_UMEM_FILL_RING(r0, 0x11b, 0x5, &(0x7f00000000c0)=0x8000, 0x4) r1 = gettid() exit_group(0x0) ptrace(0x4206, r1) ptrace$setregs(0xffffffffffffffff, r1, 0x0, 0x0) 04:41:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc018620b, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:30 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{0x5}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) restart_syscall() syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock\x00', 0x40, 0x0) setsockopt$bt_BT_VOICE(r1, 0x112, 0xb, &(0x7f00000000c0)=0x3, 0x2) [ 3349.112827][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3349.134403][T14003] binder: send failed reply for transaction 246, target dead 04:41:30 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x60]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3349.216030][ T1466] input: syz0 as /devices/virtual/input/input1165 [ 3349.258443][ T1473] binder_alloc: binder_alloc_mmap_handler: 1463 20001000-20004000 already mapped failed -16 04:41:30 executing program 0: r0 = openat$vim2m(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video35\x00', 0x2, 0x0) ioctl$VIDIOC_G_FMT(r0, 0xc0d05604, &(0x7f0000000280)={0xffffffffffffffff}) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000040)='veno\x00', 0x5) [ 3349.303516][ T1465] binder: BINDER_SET_CONTEXT_MGR already set [ 3349.314225][ T1465] binder: 1463:1465 ioctl 40046207 0 returned -16 [ 3349.350523][ T1475] kvm: apic: phys broadcast and lowest prio [ 3349.387261][T14003] binder: send failed reply for transaction 251 to 1463:1465 [ 3349.404582][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc018620c, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:30 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x68]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:30 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xa, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:30 executing program 2: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x0, 0x0) ioctl$KVM_SET_GSI_ROUTING(r0, 0x4008ae6a, &(0x7f00000000c0)={0x2, 0x0, [{0x80, 0x0, 0x0, 0x0, @sint={0x7, 0xea25}}, {0x5, 0x3, 0x0, 0x0, @sint={0x788, 0x1}}]}) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f00000001c0)={{0xfff}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) [ 3349.608452][ T1694] binder: 1688 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 3349.608465][ T1694] binder: 1688:1694 ioctl c018620c 200001c0 returned -22 [ 3349.628904][ T1690] kvm: apic: phys broadcast and lowest prio [ 3349.656233][ T1706] input: syz0 as /devices/virtual/input/input1166 [ 3349.728012][ T1721] binder_alloc: binder_alloc_mmap_handler: 1688 20001000-20004000 already mapped failed -16 04:41:31 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x5, 0x40040) setsockopt$RDS_CONG_MONITOR(r0, 0x114, 0x6, &(0x7f0000000040), 0x4) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r0, 0x6, 0x23, &(0x7f0000000080)={&(0x7f0000ffc000/0x3000)=nil, 0x3000}, &(0x7f00000000c0)=0x10) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000480), 0x4) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r1, 0x0, 0x0, 0x0) r3 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_GET_DAEMON(r2, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000180)={&(0x7f0000000340)={0xb4, r3, 0x500, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x1, 0x12}}]}, @IPVS_CMD_ATTR_DEST={0x3c, 0x2, [@IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x7}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x1}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x8001}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e24}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x5}]}, @IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x82c}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@mcast2}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x8}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0x2}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@loopback}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x7f}]}]}, 0xb4}}, 0x4000) getrlimit(0xf, &(0x7f0000000240)) r4 = syz_open_dev$dspn(0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_RESET_STREAMS(r4, 0x84, 0x77, &(0x7f00000001c0)=ANY=[@ANYRES32=0x0, @ANYBLOB="010005000400ff03fcef3bdf1e005d6588"], &(0x7f0000000400)=0x12) r6 = gettid() mq_notify(r0, &(0x7f0000000440)={0x0, 0x2d, 0x0, @tid=r6}) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={r5, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x8000000000054}, 0x64) 04:41:31 executing program 0: r0 = creat(&(0x7f0000000140)='./file0\x00', 0x34) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = socket$netlink(0x10, 0x3, 0x8000000000010) bind$netlink(r2, &(0x7f0000000040)={0x10, 0x0, 0x0, 0x8000}, 0xc) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r2, 0x10e, 0x2, &(0x7f0000000080)=0xd, 0x4) setsockopt$IP_VS_SO_SET_ZERO(r0, 0x0, 0x48f, &(0x7f0000000000)={0x2f, @initdev={0xac, 0x1e, 0x1, 0x0}, 0x4e22, 0x1, 'wlc\x00', 0x4, 0x600000000, 0x5d}, 0x2c) mount(0x0, &(0x7f0000000200)='./file0\x00', &(0x7f00000001c0)='bdev\x00', 0x0, 0x0) [ 3349.773604][ T1694] binder: BINDER_SET_CONTEXT_MGR already set 04:41:31 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6c]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3349.827996][ T1694] binder: 1688:1694 ioctl 40046207 0 returned -16 [ 3349.849646][ T1779] binder_alloc: 1688: binder_alloc_buf, no vma [ 3349.937389][ T1807] kvm: apic: phys broadcast and lowest prio [ 3349.945202][T11475] binder: send failed reply for transaction 255 to 1688:1694 [ 3349.956096][ T1779] binder: 1688:1779 transaction failed 29189/-3, size 24-8 line 3147 04:41:31 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000100)='/dev/uinput\x00', 0x802, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000040)=0x4) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x204000, 0x1b) getdents64(r1, &(0x7f0000000240)=""/245, 0x168) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3349.991359][T11475] binder_release_work: 2 callbacks suppressed [ 3349.991365][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3350.061633][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3350.112539][ T1886] input: syz0 as /devices/virtual/input/input1167 [ 3350.113641][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0189436, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:31 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x74]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3350.301894][ T1977] binder_alloc: binder_alloc_mmap_handler: 1971 20001000-20004000 already mapped failed -16 04:41:31 executing program 0: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x5eb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = dup2(r1, r1) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x23, &(0x7f0000000000)={@broadcast, @local, 0x0}, &(0x7f0000000040)=0xc) getresuid(&(0x7f0000000080), &(0x7f00000000c0), &(0x7f0000000100)=0x0) setsockopt$inet6_IPV6_IPSEC_POLICY(r3, 0x29, 0x22, &(0x7f0000000340)={{{@in=@loopback, @in=@empty, 0x4e20, 0x0, 0x4e20, 0x9, 0x2, 0x80, 0x0, 0xef, r4, r5}, {0x3, 0x7ff, 0x9, 0x100, 0x1, 0x1, 0x5, 0x2}, {0xffffffff, 0x1f, 0x7f, 0x1}, 0x21, 0x6e6bbb, 0x1, 0x1, 0x2}, {{@in6=@dev={0xfe, 0x80, [], 0x21}, 0x4d3, 0x3c}, 0xa, @in=@empty, 0x3503, 0x4, 0x1, 0x9, 0xc65c, 0x2, 0x8}}, 0xe8) ioctl$PERF_EVENT_IOC_SET_FILTER(r0, 0x40082406, &(0x7f00000002c0)='cpu&3\n\x00\n\xc0\xf9\x02\x00\x00\x00\x00\x00\x00\x00\xc8 \xf4\xb3\xca\f\x90|\x1ff\xf0\xd2\x9ba\xdd\xba\x93\xf3\xa2\x97e\xd7\xa37\xc0\xae$\xef\x12\x1feq*\xeb\x00\xb5x\x7fV-W\xeb\x9c\xf5\xe5 d\x99]O\x13\x99uJ\xbd\xefe\x83\xc2\x17~\x9e\\\xac\x1f\x93\x00\x00\x00\x80\x00') [ 3350.358051][ T2018] kvm: apic: phys broadcast and lowest prio [ 3350.407920][ T2046] binder_alloc: 1971: binder_alloc_buf, no vma [ 3350.407954][ T1977] binder: BINDER_SET_CONTEXT_MGR already set 04:41:31 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7a]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:31 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = shmget$private(0x0, 0x2000, 0x600, &(0x7f0000ffb000/0x2000)=nil) shmctl$IPC_STAT(r1, 0x2, &(0x7f00000000c0)=""/201) r2 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x200000, 0x0) ioctl$EVIOCGRAB(r2, 0x40044590, &(0x7f0000000240)=0x10000) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) getsockopt$IP_VS_SO_GET_SERVICES(r2, 0x0, 0x482, &(0x7f0000000280)=""/31, &(0x7f00000002c0)=0x1f) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3350.510311][T11475] binder: release 1971:1977 transaction 260 out, still active [ 3350.517925][T11475] binder: unexpected work type, 4, not freed [ 3350.524235][ T1977] binder: 1971:1977 ioctl 40046207 0 returned -16 [ 3350.539930][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3350.551752][ T2046] binder: 1971:2046 transaction failed 29189/-3, size 24-8 line 3147 [ 3350.581786][T11475] binder: send failed reply for transaction 260, target dead [ 3350.619161][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3350.649899][ T2124] input: syz0 as /devices/virtual/input/input1168 04:41:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc020660b, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3350.720711][ T2133] kvm: apic: phys broadcast and lowest prio [ 3350.806782][ T2232] binder_alloc: binder_alloc_mmap_handler: 2204 20001000-20004000 already mapped failed -16 [ 3350.853279][ T2210] binder: BINDER_SET_CONTEXT_MGR already set [ 3350.868019][ T2210] binder: 2204:2210 ioctl 40046207 0 returned -16 [ 3350.892458][ T2269] binder_alloc: 2204: binder_alloc_buf, no vma 04:41:32 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:32 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x440000, 0x0) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e21, 0x2, @loopback, 0x7}, 0x1c) r1 = socket$inet6(0xa, 0x807, 0x800000003) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x3, 0x0) ioctl$SCSI_IOCTL_GET_IDLUN(r3, 0x5382, &(0x7f0000000040)) r4 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) accept$alg(r4, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f00000000c0)=[@text16={0x10, &(0x7f0000000040)="ba4300b00bee660f3a172e0010000f32652e0f0866b83c4a00000f23c80f21f866350c0030000f23f83e0b450eb804010f00d00f01f60f3800210f01cf", 0x3d}], 0x1, 0x0, 0x0, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcs\x00', 0x200, 0x0) bind$rds(r3, &(0x7f0000000140)={0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0xa}}, 0x10) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) preadv(r1, &(0x7f0000000080)=[{&(0x7f0000000300)=""/199, 0xc7}, {&(0x7f0000000400)=""/4096, 0x1000}], 0x2, 0x0) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x1ff, 0x0, 0x2, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10], 0x1f000}) open(&(0x7f0000000000)='./file0\x00', 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 04:41:32 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x300]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3350.920777][ T2269] binder: 2204:2269 transaction failed 29189/-3, size 24-8 line 3147 04:41:32 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$audion(&(0x7f0000000040)='/dev/audio#\x00', 0x7fffffff, 0x80) ioctl$KVM_GET_DEBUGREGS(r1, 0x8080aea1, &(0x7f00000000c0)) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$VIDIOC_G_EDID(r1, 0xc0285628, &(0x7f0000000180)={0x0, 0xf0, 0x20, [], &(0x7f0000000140)=0xff}) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000000240)={0x0, 0x8, 0x7fff}, &(0x7f0000000280)=0x8) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f0000000300)={r2, 0x38, &(0x7f00000002c0)=[@in6={0xa, 0x4e24, 0x7, @mcast2, 0x1}, @in6={0xa, 0x4e20, 0x9, @mcast2, 0x47332c62}]}, &(0x7f0000000340)=0x10) timerfd_gettime(r1, &(0x7f0000000400)) write$FUSE_INIT(r1, &(0x7f0000000380)={0x50, 0x0, 0x6, {0x7, 0x1d, 0x6, 0x100000, 0x7fff, 0x9, 0x3f, 0x4}}, 0x50) [ 3350.961768][T11475] binder: release 2204:2210 transaction 265 out, still active [ 3350.980200][T11475] binder: unexpected work type, 4, not freed [ 3351.004814][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3351.039593][T11475] binder: send failed reply for transaction 265, target dead [ 3351.065207][ T2290] input: syz0 as /devices/virtual/input/input1169 04:41:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x3f00, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3351.232786][ T2452] binder_alloc: binder_alloc_mmap_handler: 2416 20001000-20004000 already mapped failed -16 04:41:32 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) sendmmsg$inet_sctp(r3, &(0x7f00000001c0)=[{&(0x7f0000000000)=@in6={0xa, 0x4e21, 0x2, @rand_addr="9ffb929879169951c7ce46faaf916c51", 0x80}, 0x1c, &(0x7f0000000140)=[{&(0x7f0000000040)="fb6deaa0f5000fb66d367099352202e57f8272c6085097ee2db7c53bc5bbbbab5b02ebaba690d4e186e00b8d1c4868b7aac05534a9fb02ce83e91f8e6eeff73bf38721217378dcf1def570e27284c9ded4d7c09e747a1733123a299a96ec49b23706c7db0a10638fc1980de404ae59cf0ea139bf96c5673822de3081d0fbbaf57488af29c0cca2e70d3f715ee895cf4a824094", 0x93}, {&(0x7f0000000100)="1cc333cf53c7a28b752ddcf1f83d5c", 0xf}], 0x2, &(0x7f0000000180)=[@dstaddrv6={0x20, 0x84, 0x8, @empty}], 0x20, 0x20004040}], 0x1, 0x40000) fcntl$addseals(r0, 0x409, 0x0) 04:41:32 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x500]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:32 executing program 0: r0 = syz_open_dev$video(&(0x7f0000000040)='/dev/video#\x00', 0x9, 0x0) ioctl$VIDIOC_S_SELECTION(r0, 0xc040565f, &(0x7f0000000000)={0x200000001, 0x100, 0x0, {0x0, 0x0, 0x0, 0x300}}) [ 3351.309501][ T2446] binder: BINDER_SET_CONTEXT_MGR already set [ 3351.309526][ T2452] binder_alloc: 2416: binder_alloc_buf, no vma [ 3351.315527][ T2446] binder: 2416:2446 ioctl 40046207 0 returned -16 04:41:32 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r1 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x1, 0x2) ioctl$sock_inet6_udp_SIOCOUTQ(r1, 0x5411, &(0x7f00000000c0)) [ 3351.396551][ T2452] binder: 2416:2452 transaction failed 29189/-3, size 24-8 line 3147 [ 3351.421643][T11475] binder: send failed reply for transaction 270 to 2416:2446 [ 3351.480810][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:32 executing program 0: flock(0xffffffffffffffff, 0x1) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") r0 = dup(0xffffffffffffffff) getsockname$packet(r0, &(0x7f00000000c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000340)=0x14) r1 = socket$packet(0x11, 0x2, 0x300) ioctl$VHOST_RESET_OWNER(r0, 0xaf02, 0x0) ioctl$LOOP_SET_BLOCK_SIZE(r1, 0x4c09, 0x2) preadv(0xffffffffffffffff, &(0x7f0000000300)=[{&(0x7f0000000100)=""/175, 0xaf}, {&(0x7f0000000080)=""/25, 0x19}, {&(0x7f00000001c0)=""/5, 0x5}, {&(0x7f0000000200)=""/218, 0xda}], 0x4, 0x0) poll(&(0x7f0000000340), 0x0, 0x7a7) close(r1) getgroups(0x3, &(0x7f0000000040)=[0xee01, 0x0, 0x0]) mmap(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x1000000, 0x148850, r1, 0x57) setgid(r2) ioctl$EXT4_IOC_MIGRATE(r1, 0x6609) 04:41:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x1000000, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3351.683536][ T2610] binder_alloc: binder_alloc_mmap_handler: 2583 20001000-20004000 already mapped failed -16 [ 3351.728454][ T2584] binder: BINDER_SET_CONTEXT_MGR already set [ 3351.749817][ T2584] binder: 2583:2584 ioctl 40046207 0 returned -16 [ 3351.758609][ T2630] binder_alloc: 2583: binder_alloc_buf, no vma [ 3351.773291][ T2630] binder: 2583:2630 transaction failed 29189/-3, size 24-8 line 3147 [ 3351.786805][T14003] binder: release 2583:2584 transaction 275 out, still active [ 3351.814963][T14003] binder: unexpected work type, 4, not freed [ 3351.841501][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3351.870243][T14003] binder: send failed reply for transaction 275, target dead 04:41:33 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$BLKPBSZGET(r1, 0x127b, &(0x7f0000000040)) 04:41:33 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x600]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x3f000000, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:33 executing program 0: r0 = syz_open_dev$video4linux(&(0x7f0000000000)='/dev/v4l-subdev#\x00', 0x0, 0x0) r1 = dup(r0) syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0xd, 0x401) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vga_arbiter\x00', 0x800, 0x0) ioctl$KVM_GET_REG_LIST(r2, 0xc008aeb0, &(0x7f0000000040)=ANY=[@ANYBLOB="090000000000000007004000000000000800ccb78bb5366911c754d0fb154649000025f5faebf8ffd51effffffff010000000000000001f835e3"]) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) getsockopt$IP_VS_SO_GET_DESTS(0xffffffffffffffff, 0x0, 0x484, 0x0, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f0000000400)={0x0, 0x6, 0x10}, &(0x7f0000000440)=0xc) syz_open_dev$media(&(0x7f00000001c0)='/dev/media#\x00', 0x0, 0x84000) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8000000000, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$rfkill(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rfkill\x00', 0x2000, 0x0) r3 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x40) ioctl$FIONREAD(r3, 0x541b, &(0x7f00000000c0)) r4 = socket(0xb, 0x400005, 0x800000000) r5 = syz_open_dev$ndb(&(0x7f0000000340)='/dev/nbd#\x00', 0xffffffffffffffff, 0x0) openat$cgroup_ro(r3, &(0x7f0000000200)='cpuacct.stat\x00', 0x0, 0x0) ioctl$NBD_SET_SOCK(r5, 0xab00, r4) mkdir(&(0x7f0000000140)='./file0\x00', 0x80000) gettid() socket$inet_udp(0x2, 0x2, 0x0) perf_event_open(&(0x7f0000000140)={0x5, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000000000, 0x2000000000000000, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$KVM_X86_SET_MCE(r1, 0x4040ae9e, &(0x7f0000001240)={0x8000000000000000, 0x0, 0x8, 0x6, 0x9}) perf_event_open(&(0x7f000001d000)={0x800000000001, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$dspn(&(0x7f0000000180)='/dev/dsp#\x00', 0x1, 0x0) ioctl$int_in(r6, 0x800040c004500a, &(0x7f0000000040)=0x80000002) read$FUSE(r6, &(0x7f0000000240), 0x1000) 04:41:33 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x54, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3352.169928][ T2748] input: syz0 as /devices/virtual/input/input1170 [ 3352.177009][ T2749] binder: BINDER_SET_CONTEXT_MGR already set [ 3352.184603][ T2745] kvm: apic: phys broadcast and lowest prio [ 3352.200900][ T2752] binder_alloc: 2746: binder_alloc_buf, no vma [ 3352.244140][T14003] binder: release 2746:2749 transaction 280 out, still active [ 3352.269449][ T2749] binder: 2746:2749 ioctl 40046207 0 returned -16 [ 3352.276592][T14003] binder: unexpected work type, 4, not freed 04:41:33 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x4, 0x400) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x75, &(0x7f0000000040)={0x0, 0x100000000}, &(0x7f0000000080)=0x8) setsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f00000000c0)={r1, 0x3ff, 0x86d0, 0xec9a}, 0x10) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x1) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:33 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x700]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3352.288121][ T2752] binder: 2746:2752 transaction failed 29189/-3, size 24-8 line 3147 [ 3352.297524][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3352.306422][T14003] binder: send failed reply for transaction 280, target dead 04:41:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0xfdfdffff, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3352.413765][ T2826] kvm: apic: phys broadcast and lowest prio [ 3352.492115][ T2873] binder: BINDER_SET_CONTEXT_MGR already set [ 3352.507573][ T2875] binder_alloc: 2872: binder_alloc_buf, no vma [ 3352.526053][ T2873] binder: 2872:2873 ioctl 40046207 0 returned -16 [ 3352.533693][T14003] binder: release 2872:2873 transaction 285 out, still active 04:41:33 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000240)='/dev/full\x00', 0x48000, 0x0) ioctl$sock_bt_bnep_BNEPGETSUPPFEAT(r1, 0x800442d4, &(0x7f0000000280)=0x10e00000000) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x501401, 0x0) ioctl$BLKFRASET(r2, 0x1264, &(0x7f0000000180)=0xfffffffffffff4b2) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r2, 0xc0bc5351, &(0x7f00000000c0)={0x4, 0x3, 'client0\x00', 0x0, "3c4e0c2f2cea7b7d", "abb29b83019b8e2667440de200e8a1436a6c8440bbe339667155ee2c9c5ee40c", 0x8, 0xfffffffffffff196}) [ 3352.555321][T14003] binder: unexpected work type, 4, not freed [ 3352.592129][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0xfffffdfd, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:33 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x2000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3352.616270][ T2879] input: syz0 as /devices/virtual/input/input1171 [ 3352.627573][T14003] binder: send failed reply for transaction 285, target dead [ 3352.751494][ T2913] binder: BINDER_SET_CONTEXT_MGR already set [ 3352.774072][ T2914] kvm: apic: phys broadcast and lowest prio [ 3352.780348][T14003] binder: release 2908:2913 transaction 290 out, still active [ 3352.788765][ T2913] binder: 2908:2913 ioctl 40046207 0 returned -16 04:41:34 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x68, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3352.798000][T14003] binder: unexpected work type, 4, not freed 04:41:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x100000000000000, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3352.830528][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3352.854232][T14003] binder: send failed reply for transaction 290, target dead 04:41:34 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x200, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f00000000c0)={0x8000, 0x1, 0xa9, 'queue0\x00', 0x2}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:34 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4800]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3352.974588][ T3105] binder_alloc_mmap_handler: 3 callbacks suppressed [ 3352.974606][ T3105] binder_alloc: binder_alloc_mmap_handler: 3076 20001000-20004000 already mapped failed -16 [ 3353.010681][ T3109] input: syz0 as /devices/virtual/input/input1172 [ 3353.021947][ T3096] binder: BINDER_SET_CONTEXT_MGR already set [ 3353.049582][ T3096] binder: 3076:3096 ioctl 40046207 0 returned -16 [ 3353.080214][ T3105] binder_alloc_new_buf_locked: 1 callbacks suppressed [ 3353.080224][ T3105] binder_alloc: 3076: binder_alloc_buf, no vma [ 3353.088822][ T3118] kvm: apic: phys broadcast and lowest prio [ 3353.132152][T14003] binder: release 3076:3096 transaction 295 out, still active [ 3353.143815][ T3105] binder_transaction: 2 callbacks suppressed [ 3353.143832][ T3105] binder: 3076:3105 transaction failed 29189/-3, size 24-8 line 3147 [ 3353.152628][T14003] binder: unexpected work type, 4, not freed [ 3353.191269][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3353.227560][T14003] binder_release_work: 7 callbacks suppressed [ 3353.227567][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3353.292405][T14003] binder: send failed reply for transaction 295, target dead 04:41:34 executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x22, &(0x7f0000000040)=0x220500000001, 0x4) r1 = socket$inet_udplite(0x2, 0x2, 0x88) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000001300)={{{@in6=@dev, @in=@initdev}}, {{@in=@multicast1}, 0x0, @in=@initdev}}, &(0x7f0000000180)=0xe8) fcntl$setsig(r0, 0xa, 0x15) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000001440)='/dev/autofs\x00', 0x440, 0x0) ioctl$RTC_PIE_OFF(r2, 0x7006) ioctl$KVM_GET_IRQCHIP(r2, 0xc208ae62, &(0x7f0000001480)={0x0, 0x0, @ioapic}) ioctl$KVM_GET_DIRTY_LOG(r2, 0x4010ae42, &(0x7f0000001600)={0x103ff, 0x0, &(0x7f0000ffc000/0x4000)=nil}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000000200)={{{@in=@multicast1, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@ipv4={[], [], @initdev}}}, &(0x7f0000000000)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f00000000c0)={'team0\x00', r3}) setsockopt$inet6_tcp_TCP_ULP(r2, 0x6, 0x1f, &(0x7f0000001640)='tls\x00', 0x4) ioctl$BLKRRPART(r2, 0x125f, 0x0) connect$inet6(r0, &(0x7f0000000080), 0x1c) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000001c0)='tls\x00', 0x4) fcntl$F_GET_RW_HINT(r0, 0x40b, &(0x7f0000001400)) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, 0x0, 0x0) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x1, &(0x7f0000000100), 0x28) r4 = syz_open_dev$amidi(&(0x7f0000000140)='/dev/amidi#\x00', 0x2, 0x8000) setsockopt$inet6_MRT6_DEL_MFC(r4, 0x29, 0xcd, &(0x7f0000001580)={{0xa, 0x4e24, 0xcc0, @local, 0x3f}, {0xa, 0x4e24, 0x4729cd53, @loopback, 0x20}, 0x7ff, [0x80, 0x5, 0x0, 0x2, 0x9, 0x2, 0x8, 0x3]}, 0x5c) setsockopt$packet_buf(r4, 0x107, 0x6, &(0x7f0000000300)="99a8da6adfcd300fb87d8b84163500d6a08e8d0dcbb774d0f1bca80b026323c4960b4ab1403247b2e00566642c52e700ec1a85df279c8eb5e6535255cf9e874a85efdcd0b985ee863630c9d8a6cc41e733cbc7e74ae3c9b9986391cdb8fdd433780cdb3072492bd30f38b34c66187ea47021265b74d5b31eedf1d209d6788cbed6d04884503e9f89368590b20718f3b5ff13d739df2ace4d71d618df79b1f931cf52f8d6d4c87084e51059f1fd92591096606b2857053340065e4b4b0aca88a000d44c236741d2432780b3356d4fda224a259c869a54a7d930e847e1f21430eddba3248ed5f81370adfc099f43c05d69c287fd8d31c0743f25270a77b60fb738d222dcc6a99fd7c6f16d7b91aa8f5b31c0f47aef644d7692470dbc0223c882f6a0bb5e5c15ca22dc65a6b62a1aad0fdf058af1468c0fd114ccc23284b0546d8e4c88da8d46d251eb501982810f17ac5ce4ceff4b4eab8c2501415c2584df972c300a91433e6659129efd02534d2b2674cbfc584b481e9d84553dcd2359d6b4588222148fdcf6cfe92257db1b3c769a453b36b880490a41ab5903887215addce3fd310dc5c608f9ff6fd937bff3f1c60c0e7ee72c51b2b3a07795ba11c65ab56a9e2c385ac38433baa2acde00c2994c6f8fb4af59b97d575eab35cf240ea0d69b609f3d4345bec7e2d60c3b42bd98901b92c1bf525ea566da0423e68897bb906b5e83755613abc609735cf491f6d6ce0d86835687ef9015d36ac4b635ac3f056798d177a5ed72dcdd8a9dba2cf70cbc015fe9ab0c78c084e3b9e3e290d91e2b4c46096dd779d57e068d0f55f40638836d50a9d07389d6eab84281dfba0c43ad4605bf39df187eba44a38dc6725a84b638babd175dfbb2364acf460904b670efbc7f15ae997e90d17e89bba1f97541d7a07308023b2b6babb63d75adabbac3c01f3418067106379178dc23db2e3f57940fafc41857a890c2926301a6efbdc7253f19e9ae5a757d85c2d82be1202a44ff268bc488ad2f76a321ab74b6b4784e57223fd838ff9758078de43ce7d63c0156d6ae37d81d6d140c39b9eeebb5f3b6c95f6e8a98931bcf294beb5d15e31bf1cc26cccaaccc5c46eccd68bfa8fe5c7e76cfe2d2a7bec9c2d33c531dfa248587624f8d355711f9954b0cc5d17eac4027f998a4847781048b3031e0c38325503688edd344979e97ed15a32e97860c04bd70568f2c707912609cdc26be128a4968756d3a80af9d2c8f1102525f8fea3bdd7a57f3191a2d281e8f9cf1867123b2c550f546715b3ba950a49e40bc40514ee2cf23284d96490e7d56fbcfbff6bcc36720a5ee3464551c925d93ba3849600ed683c519410857bd01a360906554f41ae33cf03b7235f7791301daffa64e3bf7de9d81489f5365a3ff60c6798790f22a12939358f859820ad90460916caffd8318e55407bbfc9f2567137b12f0aedea7bac3d7dd56b7e945ce6fa1e1a56fdc3dd15b6b5305246f5090008e7946c06a97a8ee0683912b603b20217f72224108c55b22c2efca789dd0c177211801133c44d0438c5964d6d6266a663555c64c1ae1e1a2e670489aaa4a5ef7890022297ce2d3cbf6dae6b45f0a273406a1ddf3bec94fd00d3fb2259d10096c9ba00c8b87f6f8deda409f2593edac02487fd4164a42dd1296ffb348d411275631ad96b14789d25020cdf8c11f1ff936987daf79030070ad256427137dd4d7d7002081aba3e5c50f3e82309e040af44c72a6996a0a640a9fbc05ea0cb4874a918a96a0a0c47ccf7f10894adb7fd04fb59d3c26324bb6eb32c8ac5f695fba9b52e1846d9bee54182894182012a530e7fa767cb9df6ba6ccf9ddc18cb02c66ca9147ccc2c699213cf7e72fdcb254e6f4b1ab032ffa38b8efca2edebc91c3b942ae05bc5af97e0a1b31d1fac8e8e6b1dcfa301004b607f30e30b117f1f7f2a54fb652926aaa680cae076eb01d14f7f1362b5f48a82186fa59a2adc881a47e22dd6488249b0178462c9f5d4296c41f325b15326c1eb9ccaef090835eb720291e1edee30c02fa6781cacae5da9652dfc226ca85c934a3b504fa28e04d3d72d380bbd55d568f39c36c75dee8a613c5400ce5da295fb06be7805f1c02579d5dc62299903ef917bd1cd0b400e62d6125b5042be8d247d6f2eea64bf3a85e1f93e9fd264a845d32e2f6b2d69021fd10b485f1172e0d19ceceaac4d8dd41d62178d0a7d3478adcd0adfa4ee3bd3550f783294067a490ee1bfdbd78bebe40878341555346ba2a339422254b4c822326373e9b9cbea340726b587d97ef70398cf7680d4ec4580c20bee35dc2b6e50d08cedb3cc114f197f70147e73968195b73d58d6587f1c5a4a50812b92ee95f253ff4e2e09f435dd7ab66a3c6d468ef8e28bb3395e0a97d2e33805afe9cf27ceae7358e4694855333a9581ddb4823b13b2e75419c3eb9afcba8f3b08688d0f103c6019d7cfbb4c2773a4a4e02123c831d9acbb0d54978807a36eb3762df5f3a5da17d304b7224e210120f62fffae24bff9a763536dc5b5d9669f81e7cc0f66bc0a01f3fb3e233bfc734d636e3675ffcf549108d885dc8174f8ec571b370d4166072742582c4f345ed2446db1205ee9fc21f5cab0b74d1f23b318edf798df8cf478a620312a409e4f65166dfd8107e152e838f97f837ee9f28ae0d59ac95bf84885a9f9c98f4483bd4c600298a2abc94a79ab8fb4206525cbe5abe9b6824314f49372629735a399dc9d4a041cba8f9173ee2d0b79b234d481a31a4e4aee10639e95710a1e571dad98d33ea884d0ccca493dcde2733964ad8e59e54c02a8a50926258436c32d36918f873c979abdf2a7db9846b7fbf5a603de6133bc2942fb199c6b45febe2315fabed98f0b8e65370e39814c2a74f695007ee120c77e3cac5c82696ec56f75ca7e026ca0cad2276e9d6b9fe13f3bf6eb89015576d9aa2594548a2090f51996d37f277fffaacf2138cd66efed03b481c54323e05e163abc705d4cc234411b0365da43a11237d86c580a02d671e4c0038ef8e4129335c91afa1a0123f3715880f66fcb9f67cb81e8573015aaad270436b3cd317a574fa776de7f1e49e1de23baaabe34ad9577c1426e271d7cc787b7cba1463d15df6c58d182b1d3d76206c535ac78eba858a227b9d5240c6e0bf1df0a9c9e7fa4c16474b04f2daac61b81be84887e2d0e7e53bfa92a3ab0637e5a9f424980dbd008682a7943f50bdad664c1e03b837e84db70197fc1e40c182e7f4cb8cae8ede6ef3ee54d8cf5bcacda3083bd5bc84b14730e8bf077c00f79cd78894b10c7288197b9236f267ec9dba9c8fee733130cb5fa570acdfdd63e26eb9e49b12eeb22863375c8c524de978ec2e1cad6cfe64444e67e05e8e12056e43597bee0b94f30d3230a03d7c3140414ca6d12f34f7b7c2186016c3f1ab97e923ccc0725127b68a7f682f28f29cd474cfcf543437b02af75e808600650caa11404929560d9de614d9b9d1090df52afc3acf8a20859e0bb4373ccfd60c2d59a0cc0d18a442faf03cc8df36b73b22da9a667c581238e59eaefa75a07207989975655cfa223ba4463c8e834e602be2ece22c6059032dc262e25e42522ba1ac7d328e64026f6c4cd2698d3165e39e360798d124cc66a6653cc1c9f740fb217d6337a9f5d69f86ada22305075b720f9ade593a090a5cfdc904e65292277160702171093a5ce94fb118430622399f5e78a41741599c16fbbddc4a181b1daffc35e5fe3a937e85fe74ed7751c54aab2357399b5b9951d895ecbbbe19e052162753ea3f543f6540e8c50d0e2fb2027009394ea0f874662eaa439eb5842b5b43b5c90ad2450a18718969ef2fd8c22c4d053ad9ce5651fa60b3b1d7f83857409689ad22921a86d0c31013df35e893cd7f78ac3f99d8e296280a3eb4e6b981febc2b3c7d856cd6c0c34e0cfd4422f5ed0d59f97c38924798a4cd1eef20940a9874439cb9b95ba8dd13189193bfd923d06a56bee9f352fab85c37fb0757f3afad0335defce858ef1476308d6088d8114245eefc29c5efc5de1e27687d8a094101ed16bba0163fe3fd2ff50a87056cd53abcb1b12ecfd755595fa1879965fa08ba36bd9f3a26fe362528c5899c4b3e0770f67f5700b3a143cf5342832635a83a855227244ed573e42d02e40775d439ac16457e13f1a5dbe42ed97218906db49f5fe14d6c1cbd5add10781d5c6c02ede1b8ad909f42f70161b8856fedae3d96b920bb600aa91c28d13f05f4a6bf0928d895bcc8caee6f39ecb604bbc7d6f795ff57bf2a0f9562659855e84fc1c9334fe9a9f158ffb14c55c10bf77478045bc5a8f5531a040abd82bb9da542b432c9da6513a56a6e98f388e5c962b12346cafca8fadc97b05fb6016b9ffb572738cf372a67e82510786365b0014d5cce3c5afe788349dd88718e21eae719c36da50b0d57a22dcf029dcd7698e62bf157ece547be00dc682ee4bc34dac5c6ab74f127965feb586cc5380b4acb9ccb8e014b66427e039273e28faaa878e25501e5a62c3d03ac95ec067d88de7e402acce8eec767601e77b6a085fadf37cd7d8a8a5c978fed3ebe5af1835e16f7f30b36f9a7851d0a91b5e2769d7c8a80e7b7fa5d65ff03e165431299a604b579a9d5f2af64d8ea7befbc10b20943ae9e2d9ec9c8d605a9986f60f879af8dd7cbc6002cee764d5faa2c5ebb63d2f6576d32946063a7dd1df1f6fa8df3d2600f7c1b505719ac6b201afc9d528d00b37a58a9d97691582f5eca287288d74937989794aa390b0ef15136e79225a295e53a25734f5959125e4feb86dd425ac004d5ba8fb537b38d3916a5cce5c989bbf87553acfebd8517c6091728569a512236b7ec37fcc1b2cbe5d64462213669ad90fa5e42cc59ef8a237785c4f18e9da77f6f87970abe7e6fb06e3ef1c2508d1cbd6cdbad353554ed5a9ca21ccf28e46f5c4f39966f0524ef569f4a24fc5d941782943b20b995d345e58d8e01100ce32a3fc059d32a3a20920d3988348c67606e19e8e37c8edd67849e8400c06dd00257e427dc789fb75a358aa4097abdcd1436096be744e45d98f0632f1758bcfdfd5ad3570ff2a2820ea13e973dad56053610fa324e8110f71623d543b5d6c46741fc39a0305d64a04c88ee2fb68953811e3aafd0ed80e36b023e5ddafa273f92d6efeba7451ce8c75eb4d707453ea0e14d1742c0735fd1696a7c679e2a4b3653627c44de3eb65d220450136e03f4c007f90724a256e78e23f98203103d2d8831afcd1240fcab9e9b9549889cfacfa179002cc96956a05b77638a7d07106cc0c5ee5a935553079e8c223935199d7e85fe0ca1a33714ff42e3f64b86b68aa290c195a0624e3107afbbe0398764902075f39c8dd2b8a3aed50fe14dcf11e61e2092e5e94c98280e4876cb2fecfea278770e55fc371cf55a032913f1c578e3c7d4ae50724d015ff37add041e0e6ec0cc3a339b7ae4533ec7ec00e70ea520fc81bfefac3bc674dc2474bf5bef0d503372e7777084abd8cdcf262d775232869f1681cc31ab117a96edacd2e2509d080659e2a264cc4658dad97c4b6f3bd2c9fd40cc94b4ae26bedcc3b7ea15d69d819bc79dc45416f79d87182dee7b33aedd96767c975031a0bc3600219931ead339f7d0532bc7950737b44b05f8aef3997322d812fc39040283f80bd80e059ca123d3f6354981e6d0e70252c424a3e8434d42f419d6204358906e11c1f5afdc22cb19abd9fa6e269bc090fd609e4504b00d2881ae129b1bfc5a50ad6d537e91bb0e02a96eadafa255", 0x1000) 04:41:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x3f00000000000000, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:34 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r0 = socket$rds(0x15, 0x5, 0x0) getsockopt$IP_VS_SO_GET_INFO(r0, 0x0, 0x481, &(0x7f0000000000), &(0x7f0000000040)=0xc) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:34 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4c00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:34 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) ioctl$FITRIM(r0, 0xc0185879, &(0x7f0000000040)={0x1, 0x95, 0x401}) ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r0, 0x40106614, &(0x7f00000000c0)={0x0, @speck128}) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_SET_PHYS(r0, 0x4008556c, &(0x7f0000000100)='syz0\x00') ioctl$UI_DEV_DESTROY(r0, 0x5502) fcntl$getownex(r0, 0x10, &(0x7f0000000140)={0x0, 0x0}) capget(&(0x7f0000000180)={0x19980330, r1}, &(0x7f0000000240)={0x5, 0xffffffff, 0x7fffffff, 0x8, 0x6, 0x6}) 04:41:34 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x1f4, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3353.457556][ T3270] input: syz0 as /devices/virtual/input/input1173 [ 3353.475529][ T3276] binder_alloc: binder_alloc_mmap_handler: 3264 20001000-20004000 already mapped failed -16 [ 3353.518463][ T3268] binder: BINDER_SET_CONTEXT_MGR already set [ 3353.547114][ T3268] binder: 3264:3268 ioctl 40046207 0 returned -16 [ 3353.584814][ T3382] binder_alloc: 3264: binder_alloc_buf, no vma [ 3353.596881][ T3382] binder: 3264:3382 transaction failed 29189/-3, size 24-8 line 3147 [ 3353.608510][T11475] binder: release 3264:3268 transaction 300 out, still active 04:41:34 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3353.648234][T11475] binder: unexpected work type, 4, not freed 04:41:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0xfdfdffff00000000, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:34 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x200000, 0x0) faccessat(r1, &(0x7f00000000c0)='./file0\x00', 0x0, 0x200) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3353.695122][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3353.716784][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3353.749633][T11475] binder: send failed reply for transaction 300, target dead [ 3353.789456][ T3506] input: syz0 as /devices/virtual/input/input1174 04:41:35 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) add_key$user(&(0x7f0000000300)='user\x00', 0x0, &(0x7f0000000380)="d9a32f177cf5944dcda6", 0xa, 0xfffffffffffffffe) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) socket$inet6_udplite(0xa, 0x2, 0x88) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setsockopt$inet_buf(r1, 0x0, 0x27, &(0x7f00000000c0)="297ada03d40a3409503c76ec39584f63d1b43f829bf5f25ae18c621d387d449a93cecf913643f23e6b23bc99b4ac16bd1b3b4dc540d8a0646c6684f7211930ccaaf0027be8b62846e37a987ce8ec4e747697cb2744d9c7f6610b1726d1e882a07f4ff81f7f576e0d3a3aa1389ab48a1828ef", 0x72) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff], 0x1f000}) prctl$PR_SVE_SET_VL(0x32, 0x76) r3 = syz_open_dev$vcsn(&(0x7f0000000140)='/dev/vcs#\x00', 0x6, 0x80000) ioctl$EVIOCGPROP(r3, 0x80404509, &(0x7f0000000180)) lsetxattr$trusted_overlay_origin(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.origin\x00', &(0x7f0000000080)='y\x00', 0x2, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 3353.821588][ T3511] binder_alloc: binder_alloc_mmap_handler: 3508 20001000-20004000 already mapped failed -16 [ 3353.889567][ T3510] binder: BINDER_SET_CONTEXT_MGR already set [ 3353.911300][ T3510] binder: 3508:3510 ioctl 40046207 0 returned -16 [ 3353.949454][ T3567] binder_alloc: 3508: binder_alloc_buf, no vma 04:41:35 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6800]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3353.989993][ T3567] binder: 3508:3567 transaction failed 29189/-3, size 24-8 line 3147 [ 3354.008603][T14003] binder: send failed reply for transaction 305 to 3508:3510 04:41:35 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x300, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:35 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x7, 0x301000) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00') sendmsg$TIPC_CMD_SHOW_LINK_STATS(r1, &(0x7f0000000240)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x28, r2, 0x0, 0x70bd2a, 0x25dfdbfd, {{}, 0x0, 0xb, 0x0, {0xc, 0x14, 'syz1\x00'}}, ["", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x4000}, 0x800) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x630b, 0x1}], 0x0, 0x0, 0x0}) [ 3354.050201][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3354.065932][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3354.095660][ T3646] kvm: apic: phys broadcast and lowest prio [ 3354.168711][ T3690] input: syz0 as /devices/virtual/input/input1175 [ 3354.199105][ T3680] binder: 3678:3680 ERROR: BC_REGISTER_LOOPER called without request [ 3354.211745][ T3680] binder: 3678:3680 unknown command 1 [ 3354.217465][ T3680] binder: 3678:3680 ioctl c0306201 200001c0 returned -22 [ 3354.246712][ T3753] binder_alloc: binder_alloc_mmap_handler: 3678 20001000-20004000 already mapped failed -16 04:41:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r1, 0x0, 0x0, 0x400010000) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:35 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6c00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:35 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r0 = socket$rds(0x15, 0x5, 0x0) getsockopt$IP_VS_SO_GET_INFO(r0, 0x0, 0x481, &(0x7f0000000000), &(0x7f0000000040)=0xc) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3354.365679][ T3680] binder: BINDER_SET_CONTEXT_MGR already set [ 3354.382906][ T3680] binder: 3678:3680 ioctl 40046207 0 returned -16 [ 3354.393830][ T3753] binder_alloc: 3678: binder_alloc_buf, no vma [ 3354.421421][T14003] binder: release 3678:3680 transaction 310 out, still active [ 3354.428912][T14003] binder: unexpected work type, 4, not freed [ 3354.449559][ T3753] binder: 3678:3753 transaction failed 29189/-3, size 24-8 line 3147 [ 3354.462142][T14003] binder: send failed reply for transaction 310, target dead 04:41:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x630c, 0x1}], 0x0, 0x0, 0x0}) [ 3354.477051][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:35 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x1, 0xfffffffffffffffe) [ 3354.580545][ T3865] binder: 3862:3865 unknown command 1 [ 3354.596931][ T3883] input: syz0 as /devices/virtual/input/input1176 [ 3354.625006][ T3865] binder: 3862:3865 ioctl c0306201 200001c0 returned -22 [ 3354.666756][ T3931] binder_alloc: binder_alloc_mmap_handler: 3862 20001000-20004000 already mapped failed -16 04:41:36 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7400]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3354.712381][ T3865] binder: BINDER_SET_CONTEXT_MGR already set [ 3354.733752][ T3865] binder: 3862:3865 ioctl 40046207 0 returned -16 04:41:36 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3e8, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:36 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockname$packet(0xffffffffffffffff, &(0x7f0000000040)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000080)=0x14) setsockopt$inet6_mreq(r0, 0x29, 0x1f, &(0x7f0000000100)={@initdev={0xfe, 0x88, [], 0x0, 0x0}, r1}, 0x14) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r2 = semget$private(0x0, 0x8, 0x0) semop(r2, &(0x7f0000000000)=[{0x4, 0x7fff}, {0x0, 0x5}, {}], 0x3) semctl$SETALL(r2, 0x0, 0x11, &(0x7f00000000c0)=[0x100000000, 0x9, 0x0, 0xff]) listen(r0, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) socket$inet6(0xa, 0x80000, 0x7fff) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3354.824441][ T4021] kvm: apic: phys broadcast and lowest prio [ 3354.848361][ T4064] binder_alloc: 3862: binder_alloc_buf, no vma [ 3354.932544][ T4064] binder: 3862:4064 transaction failed 29189/-3, size 24-8 line 3147 [ 3354.949989][T14003] binder: send failed reply for transaction 315 to 3862:3865 04:41:36 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r1, 0x0, 0x0, 0x400010000) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:36 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) fcntl$notify(r0, 0x402, 0x10) ioctl$FIGETBSZ(r0, 0x2, &(0x7f0000000040)) r1 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x40000, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r1, 0x6430) syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x6, 0xffff) ioctl$UI_DEV_DESTROY(r0, 0x5502) openat$smack_task_current(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/self/attr/current\x00', 0x2, 0x0) 04:41:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x630d, 0x1}], 0x0, 0x0, 0x0}) [ 3354.974887][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3354.992264][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:36 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7a00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3355.112649][ T4095] binder: 4090:4095 unknown command 1 [ 3355.128465][ T4094] input: syz0 as /devices/virtual/input/input1177 [ 3355.142988][ T4095] binder: 4090:4095 ioctl c0306201 200001c0 returned -22 [ 3355.211513][ T4111] kvm: apic: phys broadcast and lowest prio [ 3355.236772][ T4174] binder_alloc: binder_alloc_mmap_handler: 4090 20001000-20004000 already mapped failed -16 [ 3355.281422][ T4095] binder: BINDER_SET_CONTEXT_MGR already set [ 3355.307603][ T4095] binder: 4090:4095 ioctl 40046207 0 returned -16 [ 3355.345268][ T4174] binder_alloc: 4090: binder_alloc_buf, no vma [ 3355.372344][T11475] binder: release 4090:4095 transaction 320 out, still active 04:41:36 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = socket$inet6_udp(0xa, 0x2, 0x0) r2 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x280000) setsockopt$sock_attach_bpf(r1, 0x1, 0x32, &(0x7f00000000c0)=r2, 0x4) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:36 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$UI_SET_PHYS(0xffffffffffffffff, 0x4008556c, &(0x7f00000005c0)='syz0\x00') ioctl$GIO_SCRNMAP(0xffffffffffffffff, 0x4b40, &(0x7f0000000600)=""/226) semget$private(0x0, 0x4, 0x4) semctl$GETPID(0x0, 0x0, 0xb, 0x0) setsockopt$bt_BT_FLUSHABLE(0xffffffffffffffff, 0x112, 0x8, 0x0, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) ioctl$KVM_SET_DEBUGREGS(r0, 0x4080aea2, &(0x7f0000000380)={[0xf000, 0x4, 0x2001, 0x3000], 0x0, 0xd8, 0x7}) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r0, 0x84, 0x74, &(0x7f0000001940)=""/4096, &(0x7f00000004c0)=0xfffffffffffffe65) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) r2 = add_key(&(0x7f0000000080)='id_resolver\x00', &(0x7f0000000100)={'syz', 0x3}, &(0x7f0000000140)="90f156b0577231eaf832966b3ac78b2810e1a5e9b136f06e186d36b778bd6bf75f91a88ae48b5a50f775157109d8bb22cb715fd2a3aafbd645f3d7c0148927e52c4a33772406427db005023916b9283ed10711d85d8e74867b3a0f6e24105bb952ce951fb3cb1f451039e2c122587a57a1b8621514269b", 0x77, 0xfffffffffffffff8) keyctl$assume_authority(0x10, r2) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r0, 0x28, 0x0, &(0x7f0000000040)=0x5, 0x8) [ 3355.389923][ T4174] binder: 4090:4174 transaction failed 29189/-3, size 24-8 line 3147 [ 3355.400660][T11475] binder: unexpected work type, 4, not freed [ 3355.414339][T11475] binder_release_work: 3 callbacks suppressed [ 3355.414344][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046302, 0x1}], 0x0, 0x0, 0x0}) [ 3355.483467][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3355.509282][ T4305] input: syz0 as /devices/virtual/input/input1178 [ 3355.520439][T11475] binder: send failed reply for transaction 320, target dead 04:41:36 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xff00]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3355.668995][ T4355] binder: BC_ACQUIRE_RESULT not supported 04:41:37 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) lsetxattr$security_smack_transmute(&(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='security.SMACK64TRANSMUTE\x00', &(0x7f00000001c0)='TRUE', 0x4, 0x1) r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000440)='/dev/video36\x00', 0x2, 0x0) ioctl$VIDIOC_S_SELECTION(r0, 0xc040565f, &(0x7f0000000040)={0xd, 0x0, 0x2, {0x8, 0x7, 0x3, 0x101}}) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = open(&(0x7f0000000000)='./file0\x00', 0x121001, 0xfff6316cd7532c86) ioctl$sock_inet6_tcp_SIOCOUTQNSD(r1, 0x894b, &(0x7f0000000200)) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r2, 0x84, 0x73, &(0x7f0000000340)={0x0, 0x5, 0x0, 0x80, 0x5}, &(0x7f0000000380)=0x18) getsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r4, 0x84, 0x71, &(0x7f00000003c0)={r5, 0xfff}, &(0x7f0000000400)=0x8) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r6 = syz_open_dev$dspn(0x0, 0x0, 0x0) ioctl$sock_FIOGETOWN(r6, 0x8903, &(0x7f0000000080)=0x0) ptrace$setsig(0x4203, r7, 0x5, &(0x7f00000000c0)={0x37, 0x28, 0x7ff}) creat(&(0x7f0000000240)='./file0\x00', 0x80) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) write$FUSE_STATFS(r1, &(0x7f0000000480)={0x60, 0x0, 0x6, {{0x80000000, 0x6, 0x5, 0x1, 0x7ff, 0x3, 0x7, 0x400}}}, 0x60) [ 3355.716009][ T4355] binder: 4346:4355 ioctl c0306201 200001c0 returned -22 04:41:37 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x4000, 0x0) ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000000c0)=0x17) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3355.790280][ T4448] binder_alloc: binder_alloc_mmap_handler: 4346 20001000-20004000 already mapped failed -16 [ 3355.834638][ T4355] binder: BINDER_SET_CONTEXT_MGR already set [ 3355.855672][ T4355] binder: 4346:4355 ioctl 40046207 0 returned -16 04:41:37 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x500, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3355.890731][ T4451] kvm: apic: phys broadcast and lowest prio [ 3355.899577][ T4454] input: syz0 as /devices/virtual/input/input1179 04:41:37 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x40000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3356.029447][ T4552] binder_alloc: 4346: binder_alloc_buf, no vma [ 3356.058676][ T4552] binder: 4346:4552 transaction failed 29189/-3, size 24-8 line 3147 [ 3356.076975][T14003] binder: send failed reply for transaction 325 to 4346:4355 [ 3356.115831][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3356.141202][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3356.163223][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:37 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000300)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = socket$inet_smc(0x2b, 0x1, 0x0) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vga_arbiter\x00', 0x2, 0x0) setsockopt$sock_attach_bpf(r1, 0x1, 0x32, &(0x7f00000002c0)=r2, 0x4) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwrng\x00', 0x0, 0x0) ioctl$KVM_SET_PIT(r3, 0x8048ae66, &(0x7f0000000140)={[{0x4, 0x6, 0x5, 0x3000000000000, 0x101, 0x8, 0x16e0000000000, 0x10001, 0x6, 0x2, 0x7f, 0x1, 0x100000001}, {0x4, 0x9, 0x20, 0x8, 0x6, 0x1, 0x9, 0xfffffffffffffffd, 0x8, 0x5, 0x8, 0x0, 0x1f}, {0x1, 0xff, 0x2, 0x7f, 0x81, 0x6, 0x3, 0x401, 0x100, 0x2, 0x7, 0x0, 0x1ff}], 0xc}) ioctl$KIOCSOUND(r3, 0x4b2f, 0x1000000) r4 = socket$inet6_udplite(0xa, 0x2, 0x88) ioctl$KVM_UNREGISTER_COALESCED_MMIO(r0, 0x4010ae68, &(0x7f0000000240)={0x10000, 0x9000}) r5 = syz_open_dev$radio(&(0x7f0000000040)='/dev/radio#\x00', 0x1, 0x2) setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f00000000c0)=r5, 0x4) 04:41:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046304, 0x1}], 0x0, 0x0, 0x0}) [ 3356.273034][ T4639] binder_alloc: binder_alloc_mmap_handler: 4631 20001000-20004000 already mapped failed -16 04:41:37 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x80ffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3356.314553][ T4636] input: syz0 as /devices/virtual/input/input1180 [ 3356.380076][ T4634] binder: BINDER_SET_CONTEXT_MGR already set [ 3356.462281][ T4664] kvm: apic: phys broadcast and lowest prio [ 3356.472958][ T4634] binder: 4631:4634 ioctl 40046207 0 returned -16 [ 3356.473539][ T4692] binder_alloc: 4631: binder_alloc_buf, no vma [ 3356.548302][ T4692] binder: 4631:4692 transaction failed 29189/-3, size 24-8 line 3147 04:41:37 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3e8, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3356.600219][ T4639] binder: 4631:4639 IncRefs 0 refcount change on invalid ref 1 ret -22 [ 3356.623651][T14003] binder: release 4631:4634 transaction 330 out, still active [ 3356.634821][T14003] binder: unexpected work type, 4, not freed [ 3356.644533][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:37 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x700, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3356.651199][T14003] binder: send failed reply for transaction 330, target dead 04:41:37 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x1, 0x40002) sendmmsg$alg(r1, &(0x7f0000003ec0)=[{0x0, 0x0, &(0x7f0000000600)=[{&(0x7f0000000040)="66156d134cc0a6fa801fab3e4fae1898c1ede50cb6406d02359efb7650c009b3573ce34a1110195fb094c212eaa78ca2bee0ba9a435e0d9ee9844c69254a575f3bbbcc7ac1705d01e1288e6ac2a8565b02996da25480773bbeb19e731b0610160b5ba55a7b", 0x65}, {&(0x7f00000000c0)="ad8a176e700525c0afb5eff4fbb65858cee7cefae630499fdd1a88d068286d25c2e9ce5adf0c75955432c8199d3f01f8b0806ee75a0a3abd7f2f181b95f5467b68d5c8d3d9855fb89789abf7fc7530e27016dedbd5a7776dc4e7841bf4684a62d01549d8ed0d191e21601001fb066005b1e1bbad6347729febb326c7c34cb250bde76ae08bcc0625dc68c4727632266ba4775d907f7dc4b823d68a79bfb007af5077865454d87357d6160af932d6cbd1e52a38cb350ff036fc25011feb9308235bfcfeebeb7816ee7856855f192dc83c68df2a429897303a2cc2a6e3bffb635cf10dff2ca6908b4134a1f6591d90", 0xee}, {&(0x7f00000001c0)="ae92e00cb6b4b13926b0e33274ca66999675d046195d684b9be81833f9963988702ccc10d9bb120b2c1de3a833493adb851164bd385b2d2643fbb9bfaba0daf1240ee3fb53e9bee771ed7d095f3dfd6dda885bf3e1c0ab4179355d", 0x5b}, {&(0x7f0000000340)="aad72014b7f445c24f294bfc82b69f5410012f277782cfd7e865a19fcc9663625fe259c872b3c2b1e2b6ce283ed57dd5b7d3454809e5876d9272c30ff8df53957d4c723a33d24678244baeaf897bff20f06c92fe3099e0109a84983d7f8dac858717b6469b643281b435055dc5ec8a83b42d52a44ca62243ba038949e2fbb17e104a13acf3aaaa", 0x87}, {&(0x7f0000000400)="f977ddf7ac7d4fb439b04b384c20abdff424430314cc0f7c8f543e0058f6f156a1b54319c48bf50907ece18e254e769e1f3366239f760004950cc59050ccb4a52fe5f9294c5847ce4b8217739d7b79f3c5c66141b5d132bf27ee36ae149896e9f2bdbc291cac8103", 0x68}, {&(0x7f0000000240)}, {&(0x7f0000000480)="eb57541341fd819bfcae0b4da36203f7cc06e6d3b049cf723435ef8e84bc190672051840f8380ef822f7cf290ea7cb6fb502ee7108f504882549b0b3a87e285805157ee8c67ed6758638422ca2142044edc28bdfa5ee25cefd52144514b931ff10adf7a6acfeace190064b6dd4d8104ed58209b431e8d70f559d608e33a97d51a315450758cc4d903496e8ff079319c12e6d2a510d2eae023cf7b5f437c0b1cffe162d6bee0f1d1721c611c930c8fd", 0xaf}, {&(0x7f0000000540)="6a6de4f30ac31d8703e3a91774afcc08619ae71ae496711f41d221f17e5b4b9ba03f1efa2cc2d1fd0280f73da73f450b2a8eff27f289c126f88e1baea4d7a83c9aa9865ca411c240be5494c63a56cc38df4cdb4d9e06082f95609c874003e912073745b6c8e7349323db94bdbf6b4368eeff07a9e009fba562bb9f5e782c119e23fb", 0x82}], 0x8, &(0x7f0000000680)=[@assoc={0x18, 0x117, 0x4, 0x6}], 0x18, 0x40885}, {0x0, 0x0, &(0x7f00000017c0)=[{&(0x7f00000006c0)="68e7407603fbf125bcd3e261c09e1f84d5cb8567f7e84e2975d0a61e67cb3a597c81285baa795c4c52bce2bf2ec3f0a3b0f8b47621d54a954b37f1ae65d341f65a6007713e84dcd6a204647adef2e58f01ab33f27d223160c42b4eae32e8c67e38d51bacc5b6e6ed2f0e84b4c4426211d89789ddbfe9fb917991dbd3cd9f47db9829e5d2652787719d99c3c3c38e784334395fd5e5823bd0793c0de5a9f62ba25f54a83e820785aca5413dfad743c667cf4fb69c60ddac9b28b48e5195fc55edbc2cad6ded23669fd993100f1b76eec1d6b6a109456e5be42cc8ebca9fe96be58a7410734ee729530228d84627792f3cdaf11fd765843d9dfcb408fb953ee2fbde99e288b6bad04d6016e1fad92a2000ab533e948945f972c0b981eeaf6400237ca2d26c3ba8321d9caa0595adec88545fee87419ba3b16b4475b3b2e93c6abc1366fba3e82aca4f1e7081a1620e526a4f607586590402b34b293da6a6810606d4ef6ebed22211562fc27e63f447a2f77d4883125272b592cfc014d021991b7260ae1a9291f1d2d3a0cf2e3c610148c52d3c3e2ad9bef3d402d22facc3cb21910563a68926f2b1e9d2b533c2d9e1b6dc715d6ad5aa7017a3c3c6074ec3070bc46c13d1200a44d1b65f453c91343f13c99d89340e07d43e4a364ab351e23d676d1c21524148636987a7fec5ee4a97271225cf7f3b014e0f1bdcc34fd1d54327d413822db980ece1e2afbff4c6502a051d51abd2c2d491076f546946765a75b16104946546cccefbc159f54ca5c94421c08ebf0ac06c42511327974f68504c4a0080718daa3c83ce33b4181dbce6cf836eb5a85ff94a19de602d98bad936110aba518fd678824a29bf872e8afd45c605dcd1595666a7204b8727d5e0e62f2ea01e79a6a32e8bafbe084fb27f4393123dcb6b14243c68dc861d0a917d9410a3f8a32534ad7cafb69495d9664c0d9fa85a233d385623ac58527515216466ab9f5fefb28c0a308c905e47b2477bcc912519e45cf5f0910a05d54b483a1909307c1bacf3825b9a358f46dce4f90d77df5a809ca67bf637c48434e3c3b5e46fe576398666cd0e024387fab45d1abe26159caaf623ca1f8e972d8709963d118ac3a617c249ff18bfe53b31e103657862ed49368818a59dabb528b3288a45bfeb8e3429ab359f3258a89696543b00de77e1808824f29f48f22e7a21cbe7bc14b3fac9cb6108973115b31b673f770f9393035612b60e902460be7bbdea78091c396145e9817ea3c6920eda3ee8312d6a8dd2b883000c00e73fd23d1a027e0265687ffece503267b80d66332ba48d8b33e0a3620e47049abb0780b269e0bf160df38fa6ae2e12abf72845bdaf8137948558ae4e97dd37369f5da241232e08c6179d65ac98799276888282dcd9751a76777a0b794148e931ad3458296349ae13a6d14201ec85ff4d041d29756e0699f778bd509c52abe4d1a3b8735b2abd7b6469812e2160160af5ea29d369e4e74fd2cf46c9d770b44b7e0d20942386672bb6b65b9f55b653a96ae7e60f1fb05b264f340a83b5474e7ab4db34a6b7b272188ad1b4ba09559ca72059c9df0f5cd08bdc8364dd00e61d0dda5906a7bb8bbba8bd86ed09b5b8164a74d7f12fb93d17dfc4aee67d82067841886433d45fed66808195bbda1cb8037199aa24c2a071ce1a9bbf4b38026c83f9916002264494593d486569f1ad1d5fd7da133d52aa71f00f491352b99582808869119f489144d656187ab4874e6c1184db642b0c604a73e0880aaaafa278048db7b2f15f08fae307980b871e031d667c96ad5ceaedbf3caffb2145799c242abe5571b1757cea8328fd5e235db08b0438ef013049d1a3dc05f631faa74706bc0cfa86f52fa9b42c2168dc00c2e4836336a71943afdb006a61392d96b620f15dcea0a1ab6b430273110abf1980bc3bae1c89b71ebba06c0f8dd6b1e75065007866c6aef0f66619f30e9c66460af5c2301c259a3f41d89c8e2021207436403dd0bce81f8d1ae3e1c75d9eb03c1aa72e3b1874e10cc96ab429665ff8763c6341aba3ba8cd99ee46c588b2f4eba150364741b2aa6141e8d830b69d0dc68c004632bf0fc3ad1b90f94e9f92c837598a31700244ffb207a87797603c1a64c6c0a4f79116b1a36682763c87546f18aa97df3aa6b45c418248bad886f3b78aee92c4b2101389e2e0e54cd7e52bcefb0eb28ca37d6b67eb76f25fd2218ad550c71f48ec33ad74ca4726c00aba31c9397a63fc09832957d08d2081fcea399e3e87a042c6c94e3db726c1324af7d070a6f98a2a6f1abd3becb20d9499b6b89c80fb5d268207fc0412a79e65ee774f657df08b07c0a6e50ef825ada4d69c6dee2301d7aa90eaf2a462e63c740c844d77cbfc9ed93e73ba3cf2eacca3f081791a833f262f6a9f0f3a888c47bddccb43813b37f91ffe9cbfc836be9fbb5f7350e932cbafb20714e74304ed0a9492bc9efbee51e781aae9fc7ed6a8af62673aea81201f89e1b58898882d08068edf9f7987c8069250dc013bc8fddd7d9f57e633592298c1501ec3bcc48eb5cb8e4ebd0d4a46a5c078c23fc1475f0d87f44dcc7660fa9466da953a0e856c748b3fb543a9261dd5bde05129e9f025905bcdfe033aec7423a1e444e50e586dc11ccec2666ae2001ec986ba9034240c65f2b4fd3aa9e4d840cbdcd65471c8434470b5c7199caad25bf41d7a00f81f08afc1cc363dda5f0ff270e6d8905f4461f2b0e076fd2a3dea514a1dee0b5c86df6096331a101726e32dfbb4a6188dd4f3a71af3d5012d6ab28f02e101232a7116429308a6ba3651f63197f0965af7aed7ad203eec3939b559e227d2c3c97e8b472266c386a4de963f4255c49d797be55074d6cbe84125ee42da827d934cd6a954b3b34915458f00fb8e4abd0b07a9f962ec2443281adb2efa72df1891c16e2e06778dfc44dbcad3d656ec0327c1f37e62e006c693e084adca74c5d6ecda29c08d04ec22aff15e1dfcee7aa57177db9d66b8068845527243870c02dc8af9415fdab67bf545b61df5d0a2e37b96de1a1704e1b2daaa2909a4f38acd7f5a31bc5d3f359452e741fefd61f194d0412785b2562f7fcc86780713d973ee8a79f1e82fd18274bddaa09b58b59a9410e72c4913ada092e12afa90be107d585acf63446a87013bb4ba9d9dae561fb584e90d374d28b4a8718fe61fa452714958a78b69ffc4755206cb5a176cc7319cc8bdb66de17173966357c42c9a82ce1b843847a67ed01d18c74d516ba92d78f9ed0c92775f35ac71901458c6ba38f49e3949cadfe0b7f2a773b678f41dfa9a34e63d8914730b011c10b8d3d7a925cdd896fd2440da1702527e018e61b4bd54568b6f756246c88393cbb2298926149f3f46b6ad40d97ae4576e6e88ab94ec586c119047bdd005a644caa2530064aba11ba5ab681579248ce5f0971099f4395a6562a958b728c1ca75499690781cc31fd1f60a3b27bb52a1fd7ddfb1548b377b58336f784a55f0ee51472435929b777f115ea12b404589a055901bd4df690eec5a2eaf312b97aef7b702de4738600a5a2d2f95d11c4fecea80eebf6a451f96d36811f8f6cfcbe28565c903e58801be014f7ac40a3d4d4217b6b0836eeb1fc88e82c1acc61caa15eb10fdc87abc1e38205a0b1027139da1c8b5184a4abaccfbd0f534844169a78de82183bcf03e4df0126cf8bfbc145b9571d492c5877a06eb8b8276006919914efdde3abf277cb48f4fc1f9c8362ec70a7bcca901412a74a45f4c4a5e60a6a3c59f277f7939b79607bb610dd30e65c44783a289a66d26d6bb87a44367aed678692b5379e12bce6478ff31523cc319443dbded253af4ae64fb3dc5437dd5d89e73693a32d04204db974a47e32ca0d8250c7cd3a6fd423b734e5afab82ccb4255273c7affb92579d2f3dc5ba4606b9e6add334aae54cd34aa51af3a7e472b93726f6cb70756c67e1e83855dd213d126a15e674330799f4e3d9c521236971d2deaedd4f8e1ab142d0b8d10e94224f12093ab519fcb9b6629122dedb5330847643c425a3a350e59ef1d3e45299cbffe313e2cdffefcedd45cf57f8cdb2aaf2d9d95df3bd52c66e2220cd5071fcabdb6d7e9be67b51b8c1ac09a2d792cce8c4f9554637c0bd101c80b6379429896052e416ea66d02edf87d47a2303c91ae86f77170d563a45b6d7e065c94942e9177b878fd8abb9954f852d08bb8cf8aa0d79f09e1c7c1799f4eb42ac3043a847bf0bebf4372cac798cb7bd6e123f35be82aea70ddcb41478609fdb6d71459f09610423466d21d3d12105329b32d593ef50d27846025428ce13eccd9f7ba239534a97ed6f6246cda96b8bb41b599ebb8bd5a6e27178fafae67760c3ac5bcadb0c361e752a78b436514b68a7d2be7d74f88835088cf9b62546e12c3c6236c5b0d5b1424875126c338f9af537985e0a65712938fba23c382a8f2e265d61b06cf07af24ec6adfad85fc689b41f1ea8b57d8bc80ca60fdc4df658d96483908ca87844cf5afdd371d1894561bbc84f7346e771cd77ed5df46c7f0bfee36cb47c49d35515aab4316e2aa0679e2d784f1d8270a3f0a8159b7eb68f6487c65076fcb7ab952e6f656045d947a8ae06938cf224084e2ec975274e2aa4a40d27311eeac95013ee690bec8616ddaede320d4626eb8ad6834f6ca9d9235871e3deeb792b26ebb6bc8166bc21e0267c7e5dd31d5358f77031a720d4a5f5eafaae8bd86e8ffd1cee56e229333846356abb9a18f7910a765dd9ea43c89d406432e3a305d70f8338baff411bb5602e600b92b476e27c2a6c95476b796f6bdedca9fb02d71fd1b3e787af3ba21188b16c3128220a3727d2905aebc52d758b49667977cb85d8f0b64aa0dadb16e0c4f649af0e3bf5a56e68fca8c9469dc1f91575d92a00ac9c34c6e0b370b18bd02bf35c4de843b3c3ad49fb7e47ef8311252c7d66d5c04e46a08f7f1c7f5d27b182fa08472634d0f34e8f84945927c5ac98069657c52ebdca211bae69a113e0608e1e59832ce2a15522b4e4388266801843c15c9486bf98d79069d5a1520bdf455592b8a8f611e6a60623d0f830ac208238397a1b68c0090360fca0b67b1d9c5801526f76b26cfaebaec5bc9f9dfef005e84cbe950a9608893c3114d761fd31b1e970118637163e38aca273888d78871d0a88fd74f86054f284b67eb72c35dbdcb638874834b01d30bd8d3ebd2e92ac1b0c8397e391ecce660202dfc67960efa529c19ab2e21f9e435664afd2d6e2671097ea3c2adc4a9e2c6b1f3daeea12bbb02e2ca510cf61990ba69a3809eb6c53c80955838a7446a563309dc3eecc0d9c7dea84f2061bf5dff6fb1e1a4729256d04fe7953e1aca9c45c9bc6d353ef56fb377e214bf8138e7e3111088d7ce08e70d4cc0d2a576798961d9ff509f9e33698ee43e328fbc2fe0fb65a010cc54a67a65dfbe4f7406f4787e35eb2b8fe67960d665c7fe12822fb4dfb28684ace80f144ea82a5f77c9ee38ae4b4fed8aa08a8ea771cc5fb9dc817dc2e75c7079826cea60ad442e2f564228f695e97592f0af334a9fe31047cd1cb7da84b7c26b05e4c0980d2a03336d30d1fad2eda7c949f57c5e56241ed527eaae36070785fb8b1bc298ce68df47e56e7f6adc78e1fae13f198c83ef7f5cfdf532c1b56d8b584196481278e0ad5a112a6816bbe8e21e8448e7edc797586acac7e7dcc36c1f8aeb3fa8227c751fe69d1a0cdcfad46bef5223f0631fa4829611da14f33c5976e9c9a8d18f44df4fa76f9c02ab2f7f1bbfe2d6c", 0x1000}, {&(0x7f00000016c0)="285a139b1a5c44679b7350e86748bd1ac049febc1044b045d91d8c2372192958032c1e743f3bd573e24612262d43a56df2d7a656dfc66e17d7d1ebe26051d208db28235f4039ac9899375a1188c12d397959815d60ef6d974b695aa30513fc9d8dead8074bc9968d2f8f8adc2a766de2784c6d3ddbcfdda4eb33a2cdfaa40bd34117e5a2cef8cd72ea791a93905dad3221d6f7e886332091854fc1b5e36e12fdf8142b94951fa3503b17ac269b0fa2503c6bee303445b1d1d58fe1b9f541386016530a512fd63ff8", 0xc8}], 0x2, &(0x7f0000001800)=[@iv={0xc0, 0x117, 0x2, 0xa9, "8a5f105818987be580ce1587710fa3a0ace96203e0886fe424335c1894d78a509d1c377305acbccdba52024559af563d4621f204c9d793cbd14c2ffaa76b803468f14bb2cf59407e8ce22b89405e85e532420cc664f39b0640ce602046b2907618a2abe5d8c7399cd69c473535682264c1c6b8ebea34d410d777a453b27a52351ee0333390bbf65ed8a2a1921a91a977041161741b806d17496ea410b3c24a630fe195cd5a208f2e27"}, @iv={0x48, 0x117, 0x2, 0x2e, "f721ea90d2ecc4a06e688ad7f846eebab49411e427b0cabeb5c92db2adcb4a9582c37d087a732ebf9e0fc5b4a9e7"}, @iv={0x90, 0x117, 0x2, 0x76, "8f5cee4354dfed784e24fe7d3aaa6b21a05b440dd355b83db9addc912ef885ed2ec37613d8934c261770dc05197591eba740d60ccb4d63d6c27bdc55f82ecd392e3830863adde059c77f1dacb3530a2c8670528f9512075358d9d7249207865fbe307dcc50f793167059fe89606e183e35e95caddd77"}, @op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18}, @op={0x18}], 0x1e0, 0x4}, {0x0, 0x0, &(0x7f0000003b00)=[{&(0x7f0000001a00)="8c554386b8c27161cb0d037a166c616e0ae4d0c28017b1b5c12fe5ab5f8708c933a2801fd9eefd473b46ceaa173ac57316f27b81d96792c45a60312cc41d5c228b313326db73bc130db342995b65a20a8f585525648ffdc5c46af64d2ff9eed018da9c14e6e4ed03d9ee1df502da4a4603a4a60a84ab41f3cdaf1cfffe324cf450f3c07ca3598bd03fb8f5c418ba8cadca34474c17c827851fc2f518898b817c619b52e8d3ce4954ef78eef4103e4fef938f257c04ee092da2454c5cf69b6ddb48ef821c9c4b2d7e4e0975eee7226ee7ca0031c79513a3cb000037879e8ba8fa22e940540069dde2a301e5464798f786abbd922fdf73bcbe36908fdb3357dbc9d64be9e1da8d960e8721ff08eae69f0f9f212dced655dea9d4d1b9bf47d1bf64b464932600c639a4ba8b07787631d337c3da0e015341e049fa0aa00e28a41cf0fd575001660ca99f8bbf53cc3205ebbc43d2e3c39df31668f8e67a7b363201e93fc4c077892556b6b1ae9fcb5e07709223cb54ee4a05c5213669aa1353da7cecd91d354f8288bda268e930891648a1f10404b50be0b23a219e99d884f24002d2dbc25531dce9b5eb268e2b80ef82d16f36152f64cdfb7e1413a4411ca7bd0a99851552a2847e6137ec405411119f8207f8be7fdf0ae09f0d6cc7589aed655d1953eba08d0ca3e6f9843ebae4642fb9a17f101803ca1341712fca1956234cb16d189764d206ec3f09220c520bb7895009960f79221161c774efe1e97e269699f21acca79d2165eaf0b0282a93966c64c7ea1323c4a3cc173038d0fb6077009141500210f75e011f57415a58781bdcf3f6ca3b9131ae1390eb1524c51537e68c781187589b850e55e275fb6091e898a00ccd1087418f3bdb18e6965aff5266d0a335a4ea2edd484c00680413c14e184d92de559f0fb7144d18039915f4a7726a2d22382a917f9cc548d5e03334e9954a912b30e7bac1daaf79561cdb5b7ade52ea4ad22a1649bbfe5802309a44f6f2040d3e2b1fd74ec5722fe7094053445e94d3fab93b233896b1dfc5618b71547a12284d9a37b755332906bc79574470e5ac1b3cd2f8ebd2146831e91ebf2994723c44fc3d1369c11019e14e6e6948a6256498f9192c166d3fdf157d64d0d1a0957e63f24c933db0c531ebf1e8b0c91e3f6686b02b68232d81afbb321d1743f86f873dffe232ef6b1abf55e7d1368cd0f7a6c942b41c6cbe4422180c142daffbd6f62b993e552ff164b82ab42fbaa863a8fc547160368808c8df95a4ed0fd031269e947e43a53d70bd91470a09133c666a094be92f56061b60b3d9d7576648fa922faeff05fcc7859605be2e505c6966ea7e8a56eca871df18916128f5e83962eb7176b59ec1741b0edc34c1ac44ed1e72dedd2b747ba2600c68da181793569ce64f99d7b0c51cd572b84f789ee67eb1574deeeaa3cc14a10a1e4f95e8fa46c74155e2306c36c6e651297bd52b3a66e79f0cc1594fe097e722480622a3807ae8292c5d5778f936f60d4c4cdcd6febe36fdaed14f92d9a0e197bfb529abcc15f9d8e0e696c92e33376ef2de864c733a8fa9dc9fd464b539dbaa24e1613adced1521013dd8bbd62ecd86b811faf693544695c911f741dc7795db556852dec25115c76fe7689424d9551ff91866a04d86d1c367ee968e3b043e8f15d2a163812f195a61d4867b60041aac4bc9fe9d6c9e2e860a413558a182d6da787aba8fe1450206f64b9ade2d38adbb3077f782f53aa0338fa71a9fcd9fbc680e4439d56e92066c05bd32cb8332b6ae246b742d0c3ac9061371d1014144b99bba8d30abd2cf13fbe9781fd25e8eef5184746c70437425192c9fb55b827f81e5a92bac6f6f3058ebac4aed79262f5d59522f1062f7c5d87cfc2717939b31cda7ec11ad684753384925fc6c874a2fd30a9e7b2e80f03dfaa5f31cb88fb500489f9fdcfd467508adcbeed8dde8cd7649f58b7350cb8383137ab9fa5604d2436dad9c3676cac833e9c5f9bb5d8b7e8d3cc6c7465002a8e1907c4d2012d1b8515b04db2c357de345f5580067d0c97ea61ffee4fda4d7ef5226bf23a388a3e81f483cc458dd2c4c687424b2a3808b8892e68e042daa753844edff5b67abd06735008d50d464075226603ec70debc0dd3d5d4eaf194d4c11d5fd0fb7efec89d19f936a88fcc2db7607cdf9b51377cec9c7dabe5ae9dd8d1538ba91864064c7443da680b2ac6a54aaa65f968fe13e77cf9e8e5e1a6ad8f15d8ea237c9d8be681c863bc5346a47a3b993ab2815d3d7dcaf71a485f764af94e6f9ab863710a0389cec3af25a336429c7b77e50882488ef559b51711b750837ac5da8b98d4827bd7fb59991fcae17d0466bac3fd71173503bc851baf9790d7489fe319796484e372c5f24fb7bf1f21d17a1b97063e4e94104efbf4ee36178a9b872efd2f7d5cc86025a5043e0463780c5057327fcfc5f5ed1b6a5014dbe4f718093fd3d35aae55c021d6e3cf7560b6cc64d0c5ce7c4fcd0aabc55faa5b774b28e24e9c82c5e9c26c41ccc7320517dcf7b2b2f5ee33d6b4d8dec4bdf3386992f79a48dd73aea6c18509fa153381479bfd3173fb1dc201f92fff1f9d7f8aa2e608f4bd9ee3daa810b168c069da2533f478463fba8f4fba3419bd2345f31a99854de839abf99e7d51920680d5f1327108263f9f594fe56e3fec68b3dbe67c6a4a89decd0abf03e7f0b6fd681fb9dc8e57867054854037ac24eeddc0febc10c110e951ee8a866eea40f8109703dcca7e155c8c147579303d09967006ac377aa72e25a1247ac8c1b739e424d8f5f2be0a7eeb2653edeaad4bd9afc4c50dcb73011ba03d87f2d21530132a23f634138c38917a46958f6f9933563e93ee335824859b44e56ca5a7df995b52105c03026da3458f8837cea30fd271acde31ab170c5286d22a2ea53026ce1536dd628103811b2e697eec9407bba75f4aa372da580e38ab104c0179a1988f086c8007e49ac5db18186f089a0fc286a5e4873dab6b6f0a0511d8173b297e18475e12f3cbc5cf3840e5bab7c4fd210b59fe0fa266848f0b525ba1e8a7bd5631e273c6d0cef6bd21b4f4efd83608c2eb54faafd359b6576b942070a3d112dc2e2ded528a2435608b0caa24147fd7c3eca5380258f67a27c3bc74e73477f68333b6c85a1f2c4f6dcd33a99d963d0d1150bc93a94beabd43317544b5a1fcb26d2923d4f96dd4c8bcf015726b018573e94a33cfbf3f95dba45381216d601ef3f47cb62c30e3a5e277565715607c62d3e663b9aa4e154a4919e84edcbe75574bffc832a741e27faf7a845ee7296c9e74f62cbb20912d776cf88823379952bfeea60177711187325fc8c4f50ff101dfe5e15599b421efa2300210f3fa570b8b6ff984f2e7a14e6fb0734c01c7c4de057f0022f12612c0f6f43f523fdb3e883b73a3e29053e814e5f7cc2b0883df9cf679bf4f61d183544059a9932aa9a28ecc00a0e3acbdcb09ad8efa5bd3da602b2320dd0047eb10988d3edef5c8f4d3c00e0e55257ebbb8e85a28fb2fe9fc0430746d64b3202f8c2605a8b9b8471276a85530e50217ba0bb8f5b73baac7f5a94af2345e9217f1a5e819f599cde96760e597f45e2a425466b31c6059c9a00d45e2d94f20fe032622ed1b1099958c0839db45349b2057ee734417f84398c365309c600497d968076c4fadf2b096349c7f2c3eb3b50946ef16d540f3a59a0269cd28c259220c400b6f54ef56d56409da6ca6a9af8f3ca7aa1034e20fe357907c3215ae9b326b21c1294c557c030a1e3be67a0e3c3d1569ce88a3d4780f6dbbaeb7c29fe71af33d33c6c27ce420674b4495493e8ef8c7bbe1e967ef1624b1ab99a23c9e8e9756c823fb66751c88ff7dabf19b44a149246e5adeec6e4c771feb83ac98cd3f19af138e6e1f6ce9345d7b8bd4abeddaaf4726e6f04b2cb2ca7ead36faacb1181c3a0cb78d557f5d12dfdb38a97a5dce528c7f6a8bca2d8a8096680d8bd0cd5bd1036244bd5d3d3424163e8731cde95c82e7c66d454f3c88ddcd4f29ae76e8569547b3f12a5e016b39c8dd79072d5ecd3dbbae616541186ae2c6089f9df490280de8d9062ebcb0f54726bb6fd9dc1cb6d5d82870ff054756bd3c796a56df7a901338e6f5cf5a7e0be822344ef19961ae53651273a398fbd00061f1479874fef468f8460afc0000dd003295550177b135f892744ecaf91245a925773c46652f2fe4827bedc18ba7f12728ac02953d9c88138a3e69726b26e8589ac7428a071a54c43a5a812bc5d09daeb6eb1a0bd80c6121ba030ba3440739044cd15b28db15ad2a0128ba3b30a4c645e5185fc5b6bd620bb8f7c7c13ad479a8f6ba3b53dcab3adeaa77900319090c70598b4bdd89ef12815fcf1b3d078638541e0232c7b62b4e0fa30742834af7e64124dfb5d1f3a7cd68ad01bfba20154d05f1ce76b40961bd6f45bd44597f36a228cc3d798535e8fe52404d3fb93b2d0abef7240152a32b3db4e90e4b5e1a25d0fc3934b3459c0405b07b275a49d752c194bb8764eb51adf977cb7c7ec3418bac6634fe6073d738b40dbfd76cd03cf3a66702ac627dc3c0d33238ade3a3ba5fe7a9b30fe3d2f014be6c9c3c9c12b38b8b58c7a4ee2843d8def3354b57b5d7e739f276d6adcc8833477a3df8d324f04de00b6a55a2dcabcf27645eedd9ce102837a04f817694676a1e64d5f302122a46c987f17eca8c544544b8c3ece33e36576d6916a2bbd6a87de46f3cf5567c6165801c5bdd37d49ab908c194ee2d2a99e0ca85df99e6deb590ca853689f79db00db254ee6bca52831bc40765548f05397d281cd12a67f111c7b449eea0491e86f9c74880c9b95a4281ca01b494fa9cf66f4120ed7e65cf3c0fbe157b46439a8a92f39e3b52e32a2df2a95d647c41a84b328c8a62349e923a2edbb5162cd1cfebbc7e727ed49c5503ff36acd6b5f61991324add2272764e8a8aa6bb6aa99ce8eb110d14231d56b35d8037f743820be690bf73ad8d06967789e22c4405b8eef0b1a7e79be3ce6f22bb8c9c4fb038f4d335cd4e2290bf671a8dd1b7b9d8adb8d2e065d15d178bd7dbc3874ea0e0c3c48dba1b7df23404040828ec58cef73d6f5e651ebff820692cb2e0fd422eb9be111c5d0f04370765e91fe0fbeab2c490817131d2e507672ab2b1f452badbade0c538328653977d3e21811ff5178cff3d15c9d9a3261ed70c8e349c5c965eb17ea35227837a10d3cc973339651319c0cfc1f2232ec35f2320461bfa8a1f512ccdd99e8270d4287df124e6c1fb5b465f142661bd88487e58e8f897f3e78e21626a7651068dd53aafe869c23e024176ea167f2146abf1420123d52969c83f8fb9b607a70ebc1d4658e662f2c76330a31e9ddbd33952543f34e1f1f8157369f7b0848c308c6e1e2c9a4432465b6f8a4c171d1931d6dc3450cef33d2aeb5113e067cc416332d81f845cfb6ed7f081f3daed7cd6781935743597122c57d107df9e1a5ef337359f1126cede25a4e6387770179ce3116a4d0a6e9caa3284df185039a0ae6ea1a969733488ddcf1a2c12c790cea002ef8f0c0e451647ca75c654adeb69e26b4c11371c4cc192e326a280cbd35407eb14b7a79fc5ee0ba131fc3226a807fdfa6be2edb492f919fefbacb50f55eb145b999c44d5c2844853b7f295f2c09aee296feee5a519a8b0ea1a6fa8316cc1bb890d5acdd666045942bc540813f61bd4b3659087cceec066e3012917edaac60d50924a024a48994c0080f560b0a51f60461715b5ecc663c3742c26f138802", 0x1000}, {0xffffffffffffffff}, {&(0x7f0000002a00)="ad09cf136994635820c51020d36aa6421a956c33531c7a5821c7e99f4a52c744ffc32a1b3bebc582879376ce96377379ce2f14c3d99a63a0d4be556f94fa4ef2d3af4f53df0e131827827a91c7018eeb86fab1df3c4c05686d238d759715f077ac69ab060b992a16ac3b854833dccfafcfe42492a4ff3622f23a518c940c06ac13f4ca5ee45c423f4af758165243813bbeea73bc71b922dd6e4fb48897f3c4ec7e52bcdbbdbf34e6780bd36a05c9e1fefdc5300a5c963ad1a12e1fdb0b7f30305048c2636e57666f606e2db750da08", 0xcf}, {&(0x7f0000002b00)="a32ab9c7c116711d4c5ddd6d69453e6f00f0682dd9b48790a78af9bd3132e2ac849ce22d28c40a71fc945d1f39f5e3435af5c6b6813a512aaea9ad35ae5b23570856af8d7488708f677713e7d466573aa8aa85eab8fe511c634a1abb3d89186551904b6861f98db87d538ccacc98bcc17e33e25bf29a3f50c79d339dc130d49c54927744c40bbde8f44b24e46f513092eae4b2eb0217a7739f518cca437270f23962f38aa149545a1353afb47026f329554757220fb31cd4df41c00866f7bf80e1acb933bfc9b64c70274768e752e2a7b417e5bfaaa7e008599b72b1895b20c7e099cc5f81615f85f6d498fdb9a2e24e29adb2b9fc85b058cd468fcc93a2f41c61f095d980722d96afac689c548108accb5d3dd88be481f19d2b049b9b458f6d00a0df23f929a9e642ec4392817f8f0bf009d7625687f11420de2b5b0d94477ece68966cb104511e45663a82e18cc2839d9c8175cdf5c8d14cb2ad6cf05134434116db987c37d9fd7c38543f5c612da2f912995abe6d04dfae81b5fd252b6423feb675a4ca06224198ece3b16c6e39a4afbe27db9de5d1cd09c7b6cb278ae79dc53d002d4423df9113eaa4540e42359a0d744db90d29ddcb29a98a222e3e5607ec2ee2bbc2e4727143743c0ffa39a70ed4c1bacc4ce64c31dd3728d6546d4d9387f163ea2717ca6e7ef1b1632936c5cbcdeb32f7762d9ce5cd29b068ad898607e0ceace8dcefbf02e461539679a796be7a464cd818ca6a86ac01efead7126b7c693c175fb6f934367a351ec8881a974b49bd5f140972357d5148b624907f45c0154d9f1234f8b611f02b5e5b8b5edc09e13dc0fddc12737fd59541428f2f7665ae5663428b3f13152f291f17b22ec03433a944b44d04c8808875f685713f0eb23edc3fc11ec9df00740ba1eef2096ebe19c46cf7df1b30d1eb4621920d90c641fa5f4c9c640d7438441caf8b317ec58f474b28b92b954042db2da5e1dd27a7872a58dcafb39be25a1eb57357bbebffd43acf8ad5550234390e7611fd3fcfd6fba14c057fd709ce407d011c972784ff37783add6502cf8b6ac00abcf4d59928fe2dc076d440ca88af387dde218fa1b2dc4f38f1bc9cf8c39f43a569ba8e3827786a33790ca2cf16dbadf46ad73db9ba20934efcc10797028ed2ede6a824a8e177e4151de17669f72b52e94570c773ce6e6dc7079c97e45083587ff8f1fd7f7a3dfa7717407009a8222b3e3195c498dc42c3eb2eee270d31b14034c5ba5c419cc1d413cc3edef7ea0b6dcb087705014afebb163e964810de00de9f67af8339883d27b0311efc3139753825c9031ecf1364dd7bd419912ddfc1eaf2889fdc65c206a522e3a4f10593bd7a2f6c02430bc9a199c3b39b1db77a91dcd3b399821f0efd8ab07454db7843cd25f1287d6c787386b9c827a264a8d7d80833cc44210e22c57479672189e1609e54645ecb360b3336737b7a84fd1e96b159c39f0c5fe5a89f0b31f3b3a10e6907137fb464f33547fb3925ffc5f2ee01f412d5cabe448a4d4112f63923d9d205817f835010deea74ae63170d930e134ec5550352f3f94d7baf3d1ab0e38b57e634e5ab167198943df4834650300bda9055231b2909a83014457eda4be5e85b44ace65ffd4dd4f38ce57e3428d6b013743b5323f098f74ac1604b5b28728efe21ce2b3cfaf20d5f436a7be8ad0e316fb00f0b796758329534c1ba41be6059a5420eeb09093ace9c99f5b0ead730a8b9851b3270b5de4251bd087dd984d265fdb7ee9d7dc2a5a3f1de28c2f7a854700b492f144684350d33ba6ee505648cb0d9e01bf4b7befec3e69d6a109d3393b7c9243ccbfa463cf2de935e8f502b2d1fdf78b567cd1a5bf75fbae36f950749b5d547787e247cf333ca31e8473ea4d7cfc12f7ef52f6df24344c1c67bef5c3bf3643cc68b3c7826a907e8a16fd9eb4e5e97c387423424e195ac29cae72ed74cdb4ff729da4f66a4aac00ca828fd53f2ff21b53d4a8ef267c36351a7937b9b527cebe91699cd0821f5b66b71fb9c159e3fa83fc7259993b70bc5b92e2852f7c057de82794e232ef872879d3de192281d18d992db4e3d0f2cf00fd7f7ade92fe56e8b578342b0c4657c6b5d6d097c28b52793c4f3e63be8bbdf8c50781ebb70cde243fd968d042d46df2b2f05d8f416a485aa818154dd49a204219797eab91ff6b98f9acb0e7d579b6385ed438df34124984a869e6c38fc8947bb802c2242ec49e49a7055881a669d7a065d4494e3e9e2c1f9a36d69a6a2e96ca750ebb16fe10980a79937b2c2748e016509363fe311e61d5302902aea07af31dd3d5c1de95ee86cf4491c4ae24083c73d4c34fcdae2785a45560aa98eb359d9f2bb45ce28c345e10116c812144c36f110a5639ecc9e7524816c699ae9dde70c6964ce88092f24b18e6d95ca778c8d058674f749d83683183d1368256495c68cb07c218432c234f8a82fb5f67746b85c055456d1f8ce1840b2373ee23ffd99590851dca13153d9c89ccf1716d7d3e005a0ed9bd4472effcc031228d388f63aa52395aaee8603471435ba8cfbbc367c3839e351d9a81a799cfc9e86d417b82538fc7b9d2e6424eade1e66b90f21173eda04c4fd06a61451469c890dd34bc0098f582e203c3c375aee0a28b7b3eedcb01c261535f015fc92e361c28def71c037759ed019d37377c8af4190ce8a7026f98dc43cccac49177ec8e5a9b1e9653d38e28121bbca0323984da2bdd52f2682e7240bdb038473ff9307107f0bf87f078f7ab3d72153fb0792d96047f7a5120f87eef50bd4a873578ebb7515b0c9ee59213a2e515c25202412d20f67eeb88b0940879959a41fd724c256ade57944e8df0a1badace7d16d4a4a032ac9d00ceb61f34fc57a4c78b7d093820863f4b1aa8edfa6bfcf15eecb0785de4f7d604c018168c24361773d16a41c21a61108ca0ae8278b1030913b088e8804f47fe136997c3491966a841a57194c7ea3114df4f8ddf6cb2b7de2b97774f695433217110091a035be5e061452e1bc046f8c7d94fd91e1d2b3be00ef100cb6227e2cd00b460c24bc62e25d0d1598101336dffc0687fa6db50df15e0e9892fb19393a32cb5003b73e40c6b69fb3e6e491f00f277cd20fef8e74f68c73667d803aa04732ce6c0e08f584e9170465e124e6dbf172e2acc141652c5129be075cc382059160930972205f87634d3608987f57291a107c6ce5e33242de27cce21d05c36c76f88e901fd01ac0104bb470e26fcc6f9363baead26d5cb4930255a8db8221f09d2e6c3e3893661ab618ee254f20c3f1b7a2c5e2c80e183e65e5a9ff4b9cc4505c078010c2452ce06602890921cf3a3c3262213433d63de2720cb66d31e2e94dbb2824c8d8e397b8c75129e77640faa76c05a0083a37c3cb694c8d1899f5f2bffc873acb7ac91ab60597a90a8aa8b2c00401e8c36c442038ff11c232ff772e79f0ef1e1ec5d572790bf80522ead897a2460d7e8c5a92106d6002f3d70ed4efbaa8c31558832b16a4aae7a26ff860e1fd2e36a38fa383a7c69dbd8a7c2d916576aa7be308a54f06a1f9fe72d58525a92cb67bc6d04255a181432d515aa0e62215fe4a36ff5309ee0e46639acc75241643786e7895209a84f2e16446bb02bbd014673876ca71c06268893c76ad3697f737a0661cc55f73c2b777dc38133721302adf6f2dce224fa771e284bdcec2a14aaac9a0f05f1adef2d9c7386fd45324f9040d3e4d8327829bb72febc38700b3ea4d426cd3b2a77ea267ceb51d316d548f7708b8062171fc7b2443a6633134bb9b03c7c69223f206d94a4740a037928f9c32a23a9a65f7fddb8bbc1968db7e7e1a40c6e5e8fb149100f05cc47079197f1cc9ba580e102c90516e747555d49413447b383dc1a63955dfd4a499f7ae261ade0dce397db0b360e58a23abd2228c40c74572b002dd765b5df8ff079705d19f5ee35f81cbc98881956837e2e1373f31d7313c7a1d46eee17de49abac9184cb0c55e7546da869e161e6e09e6c927e0e897c2864ae4380bd7edb4914744d370b99c899834708ee6bffa2605ade4d1938f4a4a3b5cdc13b255928599af66dad4860dc0a357301030359e03257ba8514420948c68c72820f184372fba84949f0a21a4887bafaa0b460d99597fbcdb6c5230464719cd9bcf2f8a3ae00aeca6aecdf90bf80b47d755681fe6404cd04ac107cdcbcf95c36fcd3b34df4d98738699be67cbd668eaadc0deac49c74186ace6b9132788cf5a614847ef5bbabb018defca86d2410373083b70530be56c4da38157d9dbe30eb6fde9f4d498e59be5ddd29abbbab83590cfc8b2e9d568f0042a81de6941a5f1de0d265c98eef56a2ab9f00b2eec7ff551d3a072048628cb3d2ac1782eadf39518d67e0945dcbc2b9362f7b9465f413d69538a871278e6b2041dcaf919e652045e04b2e388413d53560884b7b5a44995725c2f1ca063d9e8347cdcffeac9852e1bed51aab42780676b37ab0d1434fcc4de919ae154ecc06c3132ca36015944ee97750a7f08c41035b8cf128d825b26b7479cbe1ed6fc1d64c7bb684f17a4d498fca7f2335bf9ae78bba49ee600d1d80de3479650d6ec0e395cfa874da8b40e433b9d553f8113187d5fb81a3b498a2f41d67cd245c2149e601e32c1aa66899a079597fb42499e52260d853610f40c7d1da91bf4e6cf5f55fe04c15c50b4fb809d1d8be359b2d9312d607d4401fa33fcfdffee3ab6ad07636abfff4d034faa25bcb6f80df551d92ac1c3ec50dc573b7b2d12c989dfefcf0068feb6ee38808cd1f24047cae5e50a78ee4a09ef6957fd45d4d0288d3479f07920358d47b68ee7e0c4b2b84a119a85fe93b24cc98cc4483fcc09a28b68c822306731931894a5d6ba46a9169d71ce087e08b005a284d38bf1785e265bca792fcabe1a8962a1d8cc9782935a4e13b15c95cdcaa28fef5dd8472cc90cd728d25e1e2a210de9be7b8d39a03603381b8805a693cdfb05a9f13130bded47e462d9da93d458cb0a4b8290a4fddca5ab5c80a21e8b06cd00bbb55e94e2dfea001a298aea2370cf8c03dcc3a1418d775629c61df7c9859d7fc41c8b646b4bde6a90a37a1bb8da473757288302575e4836291267c264f8aec9d3d691ae98c4f268600137467865454329b73a4a312afbbe5d78d46be645d050aaf239c261c109fab3bb4efa7c18cbe858aafcef23e2f78425236e5ba4da259876a30ddc3297522a4f97c2503cbd73c4f73ab8dd58a288acd145854ec4c9294c5ff3e614249a339eafeab4bb83267afebc6a25904f7d110ae30cb78220c69f401845226209dec277ef778a45c949a7a27ab8e207631a1bb68c4f52c68a62cd1bfdf278521832d0e58c084871d8c598320702361fc732f8c6ed27e9104ba46b598ca7a848ec9a9bc482599e07e6466f1c185f8af69189d11e5b14d703a6c80eb58dd5b5d1858823c82c15d55754c30ceb28792ace9f08a01deca4bbf77a70f48281e257c5d8d3318ef93eb0c8e196b9592f5d7098432fc034b2ff545e53fd9c5638353558f44d1fe28dbdced36fa8a22105a572d6dfeda562ad8cec7b5bfa5dcce28ba7faee121cad322d86d91aa32729e821c8ca932aa4487c29c18414280e4f1c32b5e5f0212b679ba145ed4d7ab861cdecc5d9556c641983b962a3058d15e355bab0fa61770a4683d385d7b8ad0e55cfff26e614c229d31274761df716123466c3f7af1005a5837faf80baf81e7a62c0d4acbefb2fcf42b394875121dd681d0592f3af7eee8dc3401cf1a72ad4", 0x1000}], 0x4, &(0x7f0000003b40)=[@assoc={0x18, 0x117, 0x4, 0x9}, @assoc={0x18, 0x117, 0x4, 0x9}, @assoc={0x18, 0x117, 0x4, 0x1}, @op={0x18, 0x117, 0x3, 0x1}, @op={0x18}, @op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x3}, @assoc={0x18, 0x117, 0x4, 0x9}, @assoc={0x18, 0x117, 0x4, 0x1}, @assoc={0x18, 0x117, 0x4, 0x7ccb}], 0xf0, 0x40000}, {0x0, 0x0, &(0x7f0000003e40)=[{&(0x7f0000003c40)="a27e7e8e0e9c5d3ccfae96750e8df252782e2fda5e3ce977ce228aa032fbd776e56ba348a9abb597580d28663d9009dd22be58350627a8a456a232b5f5668dfe58374846bf9af0ead1c96dfbff79cf608f8593054a", 0x55}, {&(0x7f0000003cc0)="ea596c3707577de710ecdf89e0700c2c331ecb625306ae279a5e6617d5d1b4dfbcd1756e8e51a9d4dc58fc3069f22f29b1de4685f9dddc587d66", 0x3a}, {&(0x7f0000003d00)="d5c5b2db6bdb0a6e1fa14f5198b176c804fd4483216ada55a7e8d1592fcd7f2c68500a789cdb25872b22432c90f971cff79e126ec9151f5354bb470a9ebed8260024b8b4792b50175cf70bd1db53ed494380bc64f2d0afbfa96d2788d86e4d4799a4942fbe82cfb8137971", 0x6b}, {&(0x7f0000003d80)="d92ae0d78235bb9f06e7ad5a73ef3d4201e7ada344833fcbafd5998483dc494c8bef363f9040ddd81875e8cc5dff0934d05e7e03095b65f951e0685fa9e6c2dc44dac21e22154b25b3974c2b66d18ac541847062d1818b239c59701213904fba46049e12c33886afa46d3cb071342fce6d46ae437cd4d53fd008c6dd8e1440c113a4c24d0fda199e58f9354c98e6f8052e5defcb49cdd9072fa6c1a76f8322af69a22c59d9dae9bbf73d240491", 0xad}], 0x4, &(0x7f0000003e80)=[@op={0x18, 0x117, 0x3, 0x1}, @op={0x18}], 0x30, 0x10}], 0x4, 0x24044095) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:37 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x1000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:37 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) sched_setscheduler(0x0, 0x5, &(0x7f0000000040)) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1b, &(0x7f00000000c0)=ANY=[@ANYBLOB="0a03982fdd8c4ad79da3dabea78b714bb8f268783a531812ba6bf1b5d11088841fecd1ba69b16f04e88c5d44d05241529768412cedb33dfa346db86aaf87fe5ad2e49ddf8f4e69b05afecd1acd9a708edcfedae10c47d41d4dfd6380"], 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fcntl$F_GET_RW_HINT(0xffffffffffffffff, 0x40b, 0x0) r1 = syz_open_dev$usbmon(&(0x7f0000000140)='/dev/usbmon#\x00', 0x5, 0x400) r2 = syz_genetlink_get_family_id$fou(&(0x7f0000000240)='fou\x00') sendmsg$FOU_CMD_ADD(r1, &(0x7f0000000300)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000280)={0x24, r2, 0x201, 0x70bd26, 0x25dfdbff, {}, [@FOU_ATTR_REMCSUM_NOPARTIAL={0x4}, @FOU_ATTR_IPPROTO={0x8, 0x3, 0xff}, @FOU_ATTR_REMCSUM_NOPARTIAL={0x4}]}, 0x24}, 0x1, 0x0, 0x0, 0x4004040}, 0x80) r3 = openat$ptmx(0xffffffffffffff9c, 0x0, 0x1, 0x0) ioctl$TCSETS(r3, 0x40045431, 0x0) r4 = syz_open_pts(r3, 0x0) write(r3, 0x0, 0x0) ioctl$TCSETS(r4, 0x5402, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2000005, 0x5c831, 0xffffffffffffffff, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046307, 0x1}], 0x0, 0x0, 0x0}) [ 3356.805472][ T4833] input: syz0 as /devices/virtual/input/input1181 [ 3356.880212][ T4838] binder: 4837 invalid dec weak, ref 337 desc 1 s 1 w 0 [ 3356.892452][ T4836] kvm: apic: phys broadcast and lowest prio 04:41:38 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3e8, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3356.964212][ T4916] binder_alloc: binder_alloc_mmap_handler: 4837 20001000-20004000 already mapped failed -16 04:41:38 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x2000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3357.035201][ T4838] binder: BINDER_SET_CONTEXT_MGR already set [ 3357.067151][ T4838] binder: 4837:4838 ioctl 40046207 0 returned -16 [ 3357.087172][ T4987] binder_alloc: 4837: binder_alloc_buf, no vma [ 3357.094917][ T4987] binder: 4837:4987 transaction failed 29189/-3, size 24-8 line 3147 [ 3357.110702][ T4838] binder: 4837:4838 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 3357.125224][T14003] binder: release 4837:4838 transaction 335 out, still active [ 3357.165628][T14003] binder: unexpected work type, 4, not freed 04:41:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046312, 0x1}], 0x0, 0x0, 0x0}) [ 3357.208178][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3357.236893][T14003] binder: send failed reply for transaction 335, target dead 04:41:38 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3e8, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3357.395703][ T5093] binder: 5091:5093 unknown command 1074029330 [ 3357.402335][ T5093] binder: 5091:5093 ioctl c0306201 200001c0 returned -22 [ 3357.411439][ T5094] binder_alloc: binder_alloc_mmap_handler: 5091 20001000-20004000 already mapped failed -16 04:41:38 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x3000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3357.460485][ T5093] binder: BINDER_SET_CONTEXT_MGR already set [ 3357.482911][ T5093] binder: 5091:5093 ioctl 40046207 0 returned -16 [ 3357.503951][ T5095] binder_alloc: 5091: binder_alloc_buf, no vma 04:41:38 executing program 2: ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) mknod$loop(&(0x7f0000000040)='./file0\x00', 0x0, 0x0) r0 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x8, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffff9c, 0x29, 0x22, &(0x7f00000000c0)={{{@in6=@initdev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}}}, &(0x7f0000000240)=0xe8) fsetxattr$security_capability(r0, &(0x7f0000000080)='security.capability\x00', &(0x7f0000000280)=@v3={0x3000000, [{0x3ff, 0x1}, {0x4, 0x24b}], r1}, 0x18, 0x3) setresuid(r1, r1, r1) ioctl$UI_DEV_DESTROY(0xffffffffffffffff, 0x5502) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) [ 3357.511004][T14003] binder: send failed reply for transaction 340 to 5091:5093 [ 3357.551009][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3357.566381][ T5095] binder: 5091:5095 transaction failed 29189/-3, size 24-8 line 3147 [ 3357.614161][ T5102] kvm: apic: phys broadcast and lowest prio 04:41:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40086303, 0x1}], 0x0, 0x0, 0x0}) [ 3357.746380][ T5202] binder: 5193:5202 BC_FREE_BUFFER u0000000000000001 no match [ 3357.816464][ T5202] binder: BINDER_SET_CONTEXT_MGR already set [ 3357.849000][T11475] binder: release 5193:5202 transaction 345 out, still active 04:41:39 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x900, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x4000000000000024, 0x32, 0xffffffffffffffff, 0x0) r1 = userfaultfd(0x0) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f0000000000)) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000001fe2)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r2, 0x84, 0x21, &(0x7f0000013e95), 0x4) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) setsockopt$inet_sctp6_SCTP_RTOINFO(r2, 0x84, 0x0, &(0x7f0000000300), 0x10) close(r2) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snapshot\x00', 0x840, 0x0) close(r1) listen(r0, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) sendto$packet(r5, &(0x7f0000000000)="72d04d9c1e1ccfc7ae92130f0b0710775ed39cc9fd79dadf5490836c686956581b22e2ceeac67197db8762acc2f85fa878eef51c", 0x34, 0x41, 0x0, 0x0) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:39 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:39 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) flistxattr(r0, &(0x7f00000000c0)=""/196, 0xc4) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3357.863694][ T5202] binder: 5193:5202 ioctl 40046207 0 returned -16 [ 3357.871042][T11475] binder: unexpected work type, 4, not freed [ 3357.881042][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3357.886997][T11475] binder: send failed reply for transaction 345, target dead [ 3357.931766][ T5323] input: syz0 as /devices/virtual/input/input1182 04:41:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x4008630a, 0x1}], 0x0, 0x0, 0x0}) [ 3357.985803][ T5320] kvm: apic: phys broadcast and lowest prio 04:41:39 executing program 0: r0 = socket$inet(0x2, 0x4, 0x5c4) r1 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0xfffffffffffffffd, 0x161100) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vga_arbiter\x00', 0x402a00, 0x0) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000180)=0x5) ioctl$SG_GET_RESERVED_SIZE(r1, 0x2272, &(0x7f0000000a80)) getsockopt$bt_BT_DEFER_SETUP(r1, 0x112, 0x7, &(0x7f0000000780)=0x1, &(0x7f00000007c0)=0x4) ioctl$sock_inet6_udp_SIOCINQ(r2, 0x541b, &(0x7f0000000140)) r3 = getpid() r4 = syz_open_dev$dmmidi(&(0x7f0000000080)='/dev/dmmidi#\x00', 0x91b, 0x101000) ioctl$SNDRV_CTL_IOCTL_ELEM_INFO(r4, 0xc1105511, &(0x7f00000008c0)={{0x2, 0x3, 0x9217, 0x1, '\x00', 0x1}, 0x0, 0x30000139, 0x1, r3, 0x8, 0x5f, 'syz0\x00', &(0x7f0000000800)=['/dev/vga_arbiter\x00', 'cpusetprocwlan1wlan0vboxnet1]cpuset(m\x00', '/dev/vga_arbiter\x00', '/dev/vga_arbiter\x00', 'md5sumeth0-]em0\\\x00', '/dev/dmmidi#\x00', '/dev/vga_arbiter\x00', '/dev/vga_arbiter\x00'], 0x99, [], [0x2, 0x52da208c, 0xfffffffffffffffd, 0x800]}) mq_timedsend(r1, &(0x7f0000000200)="6a194e1a9375e7585b1b0db8f6d6d5cce460f4863c4edab178b6cc46d4154598a84b8d760c48d3b708e8c85b70bc7c45a6612984583a55d5d7062854a7eb62ab1ef663dca414f091493c56e1cfe656e70ee19442b81a36c416fc8490b02a2ff30ee1eccc47172b0d6a0801879562addf3241ceb4f9d5e34d3494e71a4e99f150271eeb445be447f92849682d61dd0d26894b2b0ad4d1658262730cb043039f7341110d987449604b16afcd4e07689b210848b0d59da011ad67b1d70d881914a6ab9ee9c5699488099fd4c8726c1691814833ae9384717fb68c7ed48f11c7f769ff4221fc8f57c16740aa49303a0925ddb17f418910", 0xf5, 0xfffffffffffff800, &(0x7f00000000c0)={0x0, 0x1c9c380}) getsockopt$inet_dccp_int(r2, 0x21, 0xf, &(0x7f00000001c0), &(0x7f0000000740)=0x4) 04:41:39 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) fcntl$getownex(r0, 0x10, &(0x7f0000000140)={0x0, 0x0}) perf_event_open(&(0x7f00000000c0)={0x5, 0x70, 0x3, 0x8, 0x9f0, 0x6, 0x0, 0x9, 0x2, 0x8, 0x8, 0x1, 0x4, 0xdec, 0x7, 0xfffffffffffffff9, 0x101, 0x3, 0x6, 0x6, 0x7b5, 0x1, 0xfffffffffffff800, 0x3, 0x3, 0x3, 0x101, 0x62, 0x7fff, 0x3, 0x66, 0x2, 0x3ff, 0x40, 0x400, 0x5, 0x2, 0x100, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000040), 0x4}, 0x80, 0x1c, 0x104020000000000, 0x7, 0x1, 0x7, 0x81}, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:39 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x5000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = add_key(&(0x7f0000000000)='syzkaller\x00', &(0x7f0000000080)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffa) keyctl$KEYCTL_PKEY_DECRYPT(0x1a, &(0x7f00000000c0)={r2, 0x4, 0x4}, 0x0, &(0x7f0000000100)="19fb459c89fd3c7d6112a4004c6d76c83a4d66a3b20cce93be8734a5cf2e3ec5c94ed99c133ad507a9752236f41727f91d126644324621c24fba0b157d5006e0bd243a25698a9fd63f75421b9ca3d51e22ed6ec7270cfb0e82880c02dcb8683f6e747d8135060218c2fbd2b836f7addda6124ef988aad11d", &(0x7f0000000180)=""/95) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x82000) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3358.196494][ T5438] binder: BC_ATTEMPT_ACQUIRE not supported [ 3358.209234][ T5438] binder: 5434:5438 ioctl c0306201 200001c0 returned -22 [ 3358.257670][ T5444] input: syz0 as /devices/virtual/input/input1183 [ 3358.263811][ T5452] binder_alloc_mmap_handler: 1 callbacks suppressed [ 3358.263828][ T5452] binder_alloc: binder_alloc_mmap_handler: 5434 20001000-20004000 already mapped failed -16 [ 3358.327041][ T5438] binder: BINDER_SET_CONTEXT_MGR already set [ 3358.361471][ T5438] binder: 5434:5438 ioctl 40046207 0 returned -16 [ 3358.384450][ T5554] binder_alloc_new_buf_locked: 1 callbacks suppressed [ 3358.384459][ T5554] binder_alloc: 5434: binder_alloc_buf, no vma [ 3358.405602][ T5554] binder_transaction: 1 callbacks suppressed [ 3358.405619][ T5554] binder: 5434:5554 transaction failed 29189/-3, size 24-8 line 3147 [ 3358.436148][ T5438] binder: BC_ATTEMPT_ACQUIRE not supported [ 3358.447778][T14003] binder: release 5434:5438 transaction 350 out, still active [ 3358.466662][ T5438] binder: 5434:5438 ioctl c0306201 200001c0 returned -22 [ 3358.481848][T14003] binder: unexpected work type, 4, not freed [ 3358.500123][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3358.524663][T14003] binder_release_work: 5 callbacks suppressed 04:41:39 executing program 0: socket$kcm(0x2, 0x2, 0x0) 04:41:39 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40086310, 0x1}], 0x0, 0x0, 0x0}) [ 3358.524670][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3358.551031][T14003] binder: send failed reply for transaction 350, target dead 04:41:39 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xa00, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:39 executing program 2: ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f00000000c0)={{0x0, 0x0, 0x8000000000000000}, 'syz1\x00'}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x405c5503, &(0x7f0000000140)={{0x1f, 0x3, 0x2, 0x9}, 'syz0\x00', 0x22}) ioctl$UI_DEV_SETUP(0xffffffffffffffff, 0x5501, 0x0) r0 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0xa) exit(0x200) ioctl$UI_DEV_DESTROY(0xffffffffffffffff, 0x5502) [ 3358.662709][ T5664] binder: 5663:5664 BC_DEAD_BINDER_DONE 0000000000000001 not found [ 3358.679797][ T5662] kvm: apic: phys broadcast and lowest prio 04:41:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r1 = pkey_alloc(0x0, 0x2) pkey_free(r1) syz_emit_ethernet(0x300b00, &(0x7f0000000000)={@local, @empty, [], {@ipv6={0x86dd, {0x0, 0x6, "b40900", 0x300030, 0x3a, 0x0, @ipv4={[0x2, 0x2, 0x543, 0x0, 0x60], [], @multicast2}, @mcast2, {[], @icmpv6=@time_exceed={0xffffff81, 0x0, 0x0, 0x0, [0x7, 0x4], {0x0, 0x6, "b680fa", 0x0, 0x0, 0x0, @ipv4={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x2], [], @broadcast}, @ipv4={[], [], @remote={0xac, 0x14, 0xffffffffffffffff}}}}}}}}}, 0x0) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vga_arbiter\x00', 0x181040, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000140)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f00000001c0)={r3}) r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KDSKBMETA(r2, 0x4b63, &(0x7f0000000280)=0x45d) bpf$OBJ_PIN_MAP(0x6, &(0x7f0000000240)={&(0x7f0000000200)='./file0\x00', r2}, 0x10) ioctl$SNDRV_CTL_IOCTL_ELEM_UNLOCK(r0, 0x40405515, &(0x7f0000000000)={0x5, 0x3, 0x0, 0x1f000000, 'syz1\x00', 0x5}) ioctl$KVM_CREATE_DEVICE(r4, 0xc00caee0, &(0x7f0000000180)={0x4, 0xffffffffffffffff}) ioctl$KVM_SET_DEVICE_ATTR(r5, 0x4018aee1, &(0x7f0000000080)={0x0, 0x2000000001, 0x1, &(0x7f0000000040)=0x80ffff}) [ 3358.719849][ T5671] binder_alloc: binder_alloc_mmap_handler: 5663 20001000-20004000 already mapped failed -16 [ 3358.769310][ T5664] binder: BINDER_SET_CONTEXT_MGR already set [ 3358.775361][ T5664] binder: 5663:5664 ioctl 40046207 0 returned -16 [ 3358.776497][ T5671] binder_alloc: 5663: binder_alloc_buf, no vma 04:41:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3358.808821][ T5671] binder: 5663:5671 transaction failed 29189/-3, size 24-8 line 3147 04:41:40 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x80, 0x0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f00000000c0)={{{@in6=@local, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@multicast2}}, &(0x7f0000000240)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000280)={{{@in, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@empty}, 0x0, @in=@multicast2}}, &(0x7f0000000380)=0xe8) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f00000003c0)={{{@in6=@empty, @in=@multicast1, 0x4e20, 0x2, 0x4e21, 0x3ff, 0xa, 0x20, 0x0, 0x16, r2, r3}, {0x3, 0x3, 0x1, 0x8, 0xff, 0x80000000, 0x7f, 0x3d}, {0x7, 0x20, 0x63d08c1f, 0xbca9}, 0x1f, 0x6e6bb7, 0x0, 0x0, 0x2, 0x3}, {{@in=@dev={0xac, 0x14, 0x14, 0x24}, 0x4d5, 0x6c}, 0xa, @in=@dev={0xac, 0x14, 0x14, 0x23}, 0x3506, 0x3, 0x2, 0x6, 0x9e, 0x6, 0x4}}, 0xe8) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3358.883184][T11475] binder: release 5663:5664 transaction 355 out, still active [ 3358.886882][ T5671] binder: 5663:5671 BC_DEAD_BINDER_DONE 0000000000000001 not found [ 3358.895637][T11475] binder: unexpected work type, 4, not freed [ 3358.937947][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3358.959599][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3358.975649][ T5837] input: syz0 as /devices/virtual/input/input1184 04:41:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x400c630e, 0x1}], 0x0, 0x0, 0x0}) [ 3359.000150][T11475] binder: send failed reply for transaction 355, target dead [ 3359.118093][ T5944] binder_alloc: binder_alloc_mmap_handler: 5928 20001000-20004000 already mapped failed -16 [ 3359.154271][ T5944] binder_alloc: 5928: binder_alloc_buf, no vma 04:41:40 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r1 = syz_open_dev$usb(&(0x7f00000000c0)='/dev/bus/usb/00#/00#\x00', 0x40000ffffff, 0x1) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl(r2, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") ioctl$FS_IOC_FSGETXATTR(r1, 0xc0185500, &(0x7f0000000040)={0x1c0323, 0x2}) accept(r0, &(0x7f0000000100)=@hci, &(0x7f0000000080)=0x80) listen(r0, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r0, 0x0, 0x0, 0x0) ioctl$sock_kcm_SIOCKCMUNATTACH(r4, 0x89e1, &(0x7f0000000000)={r0}) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) r5 = syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') sendmsg$SEG6_CMD_DUMPHMAC(r1, &(0x7f0000000380)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x48008000}, 0xc, &(0x7f0000000340)={&(0x7f0000000200)={0x60, r5, 0x300, 0x70bd28, 0x25dfdbfe, {}, [@SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x40}, @SEG6_ATTR_DSTLEN={0x8, 0x2, 0x4}, @SEG6_ATTR_SECRETLEN={0x8, 0x5, 0x1}, @SEG6_ATTR_ALGID={0x8, 0x6, 0x3}, @SEG6_ATTR_ALGID={0x8, 0x6, 0x2}, @SEG6_ATTR_SECRET={0x18, 0x4, [0xffffffffffffffff, 0xffffffffffffffff, 0x7fffffff, 0x0, 0x4]}, @SEG6_ATTR_SECRET={0xc, 0x4, [0x5a0c, 0xd]}]}, 0x60}, 0x1, 0x0, 0x0, 0x4000084}, 0x8004) [ 3359.172769][ T5944] binder: 5928:5944 transaction failed 29189/-3, size 24-8 line 3147 [ 3359.188334][T14003] binder: release 5928:5933 transaction 360 out, still active [ 3359.208956][T14003] binder: unexpected work type, 4, not freed 04:41:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x400c630f, 0x1}], 0x0, 0x0, 0x0}) [ 3359.234889][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3359.268115][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:40 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0x200, 0x0) getsockopt$inet_udp_int(r1, 0x11, 0x6f, &(0x7f00000000c0), &(0x7f0000000100)=0x4) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x20000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:40 executing program 0: r0 = syz_open_dev$dri(&(0x7f0000000040)='/dev/dri/card#\x00', 0x1, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x80000000000045, 0x0) ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x6212bff4) r3 = syz_open_procfs(0x0, &(0x7f0000000140)='net\x00') ioctl$TIOCCONS(r2, 0x541d) ioctl$BINDER_THREAD_EXIT(r2, 0x40046208, 0x0) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000840)={0x6, &(0x7f00000002c0)=""/13, &(0x7f0000000780)=[{0x400, 0x22, 0x87, &(0x7f0000000300)=""/34}, {0xfe, 0xdc, 0x0, &(0x7f0000000340)=""/220}, {0x5, 0xb3, 0x6, &(0x7f00000004c0)=""/179}, {0xffffffff00000001, 0x7, 0x3, &(0x7f0000000440)=""/7}, {0x7ff, 0x96, 0x3, &(0x7f00000006c0)=""/150}, {0x81, 0x1d, 0x88ea, &(0x7f0000000580)=""/29}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x102, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x1000000000, 0x0, 0x0, 0xfff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x1ffffffffffffe, 0x0, 0x0, 0x2, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000180)=0x0) getpgrp(r4) fcntl$getown(r2, 0x9) ioctl$KDSETLED(r1, 0x4b32, 0x1) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000100)=0xc) r5 = getpid() r6 = getpgid(r5) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r3, 0x6, 0x23, &(0x7f0000000000)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}, &(0x7f00000000c0)=0x10) r7 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MIF(r7, 0x29, 0xca, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x5}, 0xc) ptrace$setopts(0x4206, r6, 0x7ff, 0xa) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000005c0)={{}, {{@in6}, 0x0, @in6=@mcast2}}, &(0x7f0000000480)=0xe8) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r3, r3, 0xa, 0x2}, 0x10) ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8914, &(0x7f00000008c0)={'syzkaller0\x00', 0x100}) getrandom(&(0x7f00000001c0)=""/129, 0x81, 0x2) ioctl$LOOP_CTL_GET_FREE(r3, 0x4c82) ioctl$EVIOCGUNIQ(r1, 0x80404508, &(0x7f00000000c0)=""/39) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x400200) close(r0) [ 3359.289517][ T5999] vhci_hcd: USB_PORT_FEAT_BH_PORT_RESET req not supported for USB 2.0 roothub [ 3359.306558][T14003] binder: send failed reply for transaction 360, target dead [ 3359.327110][ T6003] binder: 6002:6003 BC_CLEAR_DEATH_NOTIFICATION death notification not active [ 3359.408451][ T6008] input: syz0 as /devices/virtual/input/input1185 [ 3359.416149][ T6011] binder_alloc: binder_alloc_mmap_handler: 6002 20001000-20004000 already mapped failed -16 [ 3359.465949][ T6013] kvm: apic: phys broadcast and lowest prio [ 3359.477088][ T6003] binder: BINDER_SET_CONTEXT_MGR already set [ 3359.504601][ T6003] binder: 6002:6003 ioctl 40046207 0 returned -16 [ 3359.554104][T14003] binder: release 6002:6003 transaction 365 out, still active [ 3359.579336][T14003] binder: unexpected work type, 4, not freed 04:41:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40106308, 0x1}], 0x0, 0x0, 0x0}) 04:41:40 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xbb8, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:40 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x48000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3359.610108][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3359.645048][T14003] binder: send failed reply for transaction 365, target dead 04:41:41 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) set_mempolicy(0x0, &(0x7f0000000140)=0xc46, 0x5d570598) pipe2(&(0x7f00000000c0)={0xffffffffffffffff}, 0x84800) bpf$OBJ_PIN_PROG(0x6, &(0x7f0000000100)={&(0x7f0000000040)='./file0\x00', r1}, 0x10) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3359.780104][ T6124] binder: 6123:6124 BC_INCREFS_DONE u0000000000000001 no match 04:41:41 executing program 0: r0 = syz_open_dev$dri(&(0x7f0000000040)='/dev/dri/card#\x00', 0x1, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x80000000000045, 0x0) ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x6212bff4) r3 = syz_open_procfs(0x0, &(0x7f0000000140)='net\x00') ioctl$TIOCCONS(r2, 0x541d) ioctl$BINDER_THREAD_EXIT(r2, 0x40046208, 0x0) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000840)={0x6, &(0x7f00000002c0)=""/13, &(0x7f0000000780)=[{0x400, 0x22, 0x87, &(0x7f0000000300)=""/34}, {0xfe, 0xdc, 0x0, &(0x7f0000000340)=""/220}, {0x5, 0xb3, 0x6, &(0x7f00000004c0)=""/179}, {0xffffffff00000001, 0x7, 0x3, &(0x7f0000000440)=""/7}, {0x7ff, 0x96, 0x3, &(0x7f00000006c0)=""/150}, {0x81, 0x1d, 0x88ea, &(0x7f0000000580)=""/29}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x102, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x1000000000, 0x0, 0x0, 0xfff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x1ffffffffffffe, 0x0, 0x0, 0x2, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000180)=0x0) getpgrp(r4) fcntl$getown(r2, 0x9) ioctl$KDSETLED(r1, 0x4b32, 0x1) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000100)=0xc) r5 = getpid() r6 = getpgid(r5) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r3, 0x6, 0x23, &(0x7f0000000000)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}, &(0x7f00000000c0)=0x10) r7 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MIF(r7, 0x29, 0xca, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x5}, 0xc) ptrace$setopts(0x4206, r6, 0x7ff, 0xa) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000005c0)={{}, {{@in6}, 0x0, @in6=@mcast2}}, &(0x7f0000000480)=0xe8) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r3, r3, 0xa, 0x2}, 0x10) ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8914, &(0x7f00000008c0)={'syzkaller0\x00', 0x100}) getrandom(&(0x7f00000001c0)=""/129, 0x81, 0x2) ioctl$LOOP_CTL_GET_FREE(r3, 0x4c82) ioctl$EVIOCGUNIQ(r1, 0x80404508, &(0x7f00000000c0)=""/39) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x400200) close(r0) [ 3359.828707][ T6128] binder_alloc: binder_alloc_mmap_handler: 6123 20001000-20004000 already mapped failed -16 [ 3359.873831][ T6124] binder: BINDER_SET_CONTEXT_MGR already set [ 3359.895046][ T6124] binder: 6123:6124 ioctl 40046207 0 returned -16 04:41:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4c000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3359.924091][T11475] binder: release 6123:6124 transaction 369 out, still active [ 3359.934716][ T6128] binder_alloc: 6123: binder_alloc_buf, no vma [ 3359.942538][ T6134] input: syz0 as /devices/virtual/input/input1186 [ 3359.960246][T11475] binder: unexpected work type, 4, not freed [ 3359.986449][ T6128] binder: 6123:6128 transaction failed 29189/-3, size 24-8 line 3147 [ 3359.997146][T11475] binder: send failed reply for transaction 369, target dead [ 3360.042907][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3360.074590][ T6006] vhci_hcd: USB_PORT_FEAT_BH_PORT_RESET req not supported for USB 2.0 roothub 04:41:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40106309, 0x1}], 0x0, 0x0, 0x0}) 04:41:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x60000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3360.296393][ T6331] binder: 6317:6331 BC_ACQUIRE_DONE u0000000000000001 no match 04:41:41 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = accept4$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x0, @dev}, &(0x7f0000000040)=0x10, 0x80000) setsockopt$inet_sctp_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f0000000080)=0x9, 0x4) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f00000000c0)={{{@in=@broadcast, @in=@local}}, {{@in=@empty}, 0x0, @in6=@empty}}, &(0x7f00000001c0)=0xe8) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x2, @loopback, 0xfffffffffffffffe}, 0x1c) listen(r2, 0x5) prctl$PR_GET_NAME(0x10, &(0x7f0000000200)=""/6) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f00000004c0)='TIPCv2\x00') sendmsg$TIPC_NL_BEARER_ENABLE(r1, &(0x7f00000006c0)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000680)={&(0x7f0000000500)=ANY=[@ANYBLOB='dA\x00\x00', @ANYRES16=r4, @ANYBLOB="100027bd7000fcdbdf2503000000e40004000c00010073797a31000000000c00010073797a3000000000440007000800030080000000080001001c000000080003000100000008000300ff01000008000400800000000800040000000000080004000100000008000300080000000c00010073797a3000000000540007000800030005000000080001001e000000080001001a000000080003008100000008000400070000000800040003000000080001000400000008000300020000000800030080000000080001001400000024000700080002000800000008000100060000000800040004000000080001001b00000060000100180001006574683a626f6e645f736c6176655f31000000000c0002000800040003000000380004001400010002004e24ac1414bb0000000000000000200002000a004e2000000005ff010000000000000000000000000001ff0700000c0009000800020002000000"], 0x164}, 0x1, 0x0, 0x0, 0x8800}, 0x1) r5 = syz_open_dev$admmidi(&(0x7f0000000240)='/dev/admmidi#\x00', 0x7, 0x2) readlinkat(r5, &(0x7f00000003c0)='./file0\x00', &(0x7f0000000400)=""/94, 0x5e) ioctl$EVIOCGEFFECTS(r3, 0x80044584, &(0x7f0000000340)=""/112) r6 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x7, 0xfffffffffffffffd) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r6, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:41 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) r1 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x6, 0x200) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000140)='/dev/input/event#\x00', 0x7, 0x1000000000000000) ioctl$UI_DEV_DESTROY(r0, 0x5502) write$UHID_GET_REPORT_REPLY(r1, &(0x7f0000000000)={0xa, 0x2, 0x800, 0x5}, 0xa) [ 3360.372478][ T6351] binder_alloc: binder_alloc_mmap_handler: 6317 20001000-20004000 already mapped failed -16 [ 3360.409618][ T6331] binder: BINDER_SET_CONTEXT_MGR already set 04:41:41 executing program 0: r0 = syz_open_dev$dri(&(0x7f0000000040)='/dev/dri/card#\x00', 0x1, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x80000000000045, 0x0) ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x6212bff4) r3 = syz_open_procfs(0x0, &(0x7f0000000140)='net\x00') ioctl$TIOCCONS(r2, 0x541d) ioctl$BINDER_THREAD_EXIT(r2, 0x40046208, 0x0) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000840)={0x6, &(0x7f00000002c0)=""/13, &(0x7f0000000780)=[{0x400, 0x22, 0x87, &(0x7f0000000300)=""/34}, {0xfe, 0xdc, 0x0, &(0x7f0000000340)=""/220}, {0x5, 0xb3, 0x6, &(0x7f00000004c0)=""/179}, {0xffffffff00000001, 0x7, 0x3, &(0x7f0000000440)=""/7}, {0x7ff, 0x96, 0x3, &(0x7f00000006c0)=""/150}, {0x81, 0x1d, 0x88ea, &(0x7f0000000580)=""/29}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x102, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x1000000000, 0x0, 0x0, 0xfff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x1ffffffffffffe, 0x0, 0x0, 0x2, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000180)=0x0) getpgrp(r4) fcntl$getown(r2, 0x9) ioctl$KDSETLED(r1, 0x4b32, 0x1) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000100)=0xc) r5 = getpid() r6 = getpgid(r5) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r3, 0x6, 0x23, &(0x7f0000000000)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}, &(0x7f00000000c0)=0x10) r7 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MIF(r7, 0x29, 0xca, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x5}, 0xc) ptrace$setopts(0x4206, r6, 0x7ff, 0xa) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000005c0)={{}, {{@in6}, 0x0, @in6=@mcast2}}, &(0x7f0000000480)=0xe8) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r3, r3, 0xa, 0x2}, 0x10) ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8914, &(0x7f00000008c0)={'syzkaller0\x00', 0x100}) getrandom(&(0x7f00000001c0)=""/129, 0x81, 0x2) ioctl$LOOP_CTL_GET_FREE(r3, 0x4c82) ioctl$EVIOCGUNIQ(r1, 0x80404508, &(0x7f00000000c0)=""/39) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x400200) close(r0) [ 3360.469597][ T6358] input: syz0 as /devices/virtual/input/input1187 04:41:41 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe00, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3360.512225][ T6331] binder: 6317:6331 ioctl 40046207 0 returned -16 [ 3360.525705][ T6364] binder_alloc: 6317: binder_alloc_buf, no vma 04:41:41 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x68000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3360.593820][T14003] binder: release 6317:6331 transaction 374 out, still active [ 3360.624041][T14003] binder: unexpected work type, 4, not freed [ 3360.656275][ T6364] binder: 6317:6364 transaction failed 29189/-3, size 24-8 line 3147 [ 3360.661581][T14003] binder_release_work: 1 callbacks suppressed [ 3360.661586][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3360.716087][T14003] binder: send failed reply for transaction 374, target dead 04:41:42 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$EXT4_IOC_GROUP_ADD(r0, 0x40286608, &(0x7f0000000040)={0x5, 0x29, 0x7ff, 0x1f, 0x4, 0x6}) r1 = syz_open_dev$midi(&(0x7f00000000c0)='/dev/midi#\x00', 0x4, 0x8000) ioctl$KVM_SMI(r1, 0xaeb7) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40406300, 0x1}], 0x0, 0x0, 0x0}) [ 3360.807592][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3360.880553][ T6576] input: syz0 as /devices/virtual/input/input1188 04:41:42 executing program 0: r0 = syz_open_dev$dri(&(0x7f0000000040)='/dev/dri/card#\x00', 0x1, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x80000000000045, 0x0) ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x6212bff4) r3 = syz_open_procfs(0x0, &(0x7f0000000140)='net\x00') ioctl$TIOCCONS(r2, 0x541d) ioctl$BINDER_THREAD_EXIT(r2, 0x40046208, 0x0) ioctl$DRM_IOCTL_MAP_BUFS(r3, 0xc0186419, &(0x7f0000000840)={0x6, &(0x7f00000002c0)=""/13, &(0x7f0000000780)=[{0x400, 0x22, 0x87, &(0x7f0000000300)=""/34}, {0xfe, 0xdc, 0x0, &(0x7f0000000340)=""/220}, {0x5, 0xb3, 0x6, &(0x7f00000004c0)=""/179}, {0xffffffff00000001, 0x7, 0x3, &(0x7f0000000440)=""/7}, {0x7ff, 0x96, 0x3, &(0x7f00000006c0)=""/150}, {0x81, 0x1d, 0x88ea, &(0x7f0000000580)=""/29}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x102, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x1000000000, 0x0, 0x0, 0xfff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x1ffffffffffffe, 0x0, 0x0, 0x2, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000180)=0x0) getpgrp(r4) fcntl$getown(r2, 0x9) ioctl$KDSETLED(r1, 0x4b32, 0x1) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000100)=0xc) r5 = getpid() r6 = getpgid(r5) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r3, 0x6, 0x23, &(0x7f0000000000)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}, &(0x7f00000000c0)=0x10) r7 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MIF(r7, 0x29, 0xca, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x5}, 0xc) ptrace$setopts(0x4206, r6, 0x7ff, 0xa) getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000005c0)={{}, {{@in6}, 0x0, @in6=@mcast2}}, &(0x7f0000000480)=0xe8) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r3, r3, 0xa, 0x2}, 0x10) ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8914, &(0x7f00000008c0)={'syzkaller0\x00', 0x100}) getrandom(&(0x7f00000001c0)=""/129, 0x81, 0x2) ioctl$LOOP_CTL_GET_FREE(r3, 0x4c82) ioctl$EVIOCGUNIQ(r1, 0x80404508, &(0x7f00000000c0)=""/39) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r8, 0x8912, 0x400200) close(r0) 04:41:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6c000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3361.038496][ T6601] binder_alloc: 6579: binder_alloc_buf, no vma [ 3361.049461][ T6601] binder: 6579:6601 transaction failed 29189/-3, size 0-0 line 3147 [ 3361.110103][ T6657] kvm: apic: phys broadcast and lowest prio [ 3361.153247][ T6687] binder_alloc: binder_alloc_mmap_handler: 6579 20001000-20004000 already mapped failed -16 04:41:42 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) r1 = fcntl$dupfd(r0, 0x406, r0) r2 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffff9c, 0x4c82) ioctl$LOOP_CTL_ADD(r1, 0x4c80, r2) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) 04:41:42 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x2000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3361.216918][ T6601] binder: BINDER_SET_CONTEXT_MGR already set [ 3361.284370][ T6601] binder: 6579:6601 ioctl 40046207 0 returned -16 [ 3361.284414][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3361.305968][T14003] binder: send failed reply for transaction 379 to 6579:6601 04:41:42 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r3, 0x84, 0x70, &(0x7f0000000080)={0x0, @in={{0x2, 0x4e24, @local}}, [0xdf, 0x0, 0x4, 0x40, 0x5, 0x8, 0x4, 0x7, 0x3, 0x4, 0x6, 0x401, 0x8000, 0x6, 0xa761]}, &(0x7f0000000180)=0x100) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f0000000340)={0x0, 0xf7, "b40592dbf95e2fa5d5cfe106fb8e3f77e2e134cf449bd6c84a55cd7e916492602b1fde7fe3bef307cf152ef0fb27b4edaa75fcf1b8f5e5df6a8dd9eb4632bcf97cb719963b8e5b879d07e897aba85bb2ed07c1f0e51dc203898b2bc8242ba79aaaa0a461fd7eab711118b87259c4fd8276f38be09c73d593adcffac997d2a0297f0ca894bdd3eeb6546fd8bcc1c5a5ef9c0f75ed3bfcb2f5b8af88eb83e02de5ba98858bfa657bbadbdb1e87c3bf9edf7ca1514ea53ab832244f049bcb5e4d393f4db0983700d71db26d899a38ad3ac00654fd4159c22a6a7632838f120fcf7b8a9a9abbc63cd5eaf0dea2c13ad4d728715edaf9e27023"}, &(0x7f0000000200)=0xff) getsockopt$inet_sctp6_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f00000001c0)=@assoc_id=r4, &(0x7f0000000040)=0x1) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x7, 0xe000000, 0x0, 0x54}, 0xfc9a) [ 3361.339279][ T6724] input: syz0 as /devices/virtual/input/input1190 [ 3361.374471][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x74000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40406301, 0x1}], 0x0, 0x0, 0x0}) [ 3361.415457][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3361.566909][ T6863] binder: 6835:6863 got reply transaction with no transaction stack [ 3361.620996][ T6863] binder: 6835:6863 transaction failed 29201/-71, size 0-0 line 2899 04:41:42 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) recvmmsg(0xffffffffffffff9c, &(0x7f0000005800)=[{{&(0x7f0000000080)=@rc, 0x80, &(0x7f0000000100)=[{&(0x7f0000000240)=""/4096, 0x1000}], 0x1}, 0x10001}, {{0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000001240)=""/156, 0x9c}, {&(0x7f0000001300)=""/132, 0x84}, {&(0x7f0000000140)=""/4, 0x4}], 0x3, &(0x7f00000013c0)=""/24, 0x18}, 0x4000000000}, {{0x0, 0x0, &(0x7f00000029c0)=[{&(0x7f0000001400)=""/238, 0xee}, {&(0x7f0000001500)=""/4096, 0x1000}, {&(0x7f0000002500)=""/52, 0x34}, {&(0x7f0000002540)=""/247, 0xf7}, {&(0x7f0000002640)=""/220, 0xdc}, {&(0x7f0000002740)=""/216, 0xd8}, {&(0x7f0000002840)=""/184, 0xb8}, {&(0x7f0000002900)=""/155, 0x9b}], 0x8, &(0x7f0000002a40)=""/69, 0x45}, 0x3}, {{&(0x7f0000002ac0)=@ipx, 0x80, &(0x7f0000003180)=[{&(0x7f0000002b40)=""/25, 0x19}, {&(0x7f0000002b80)=""/193, 0xc1}, {&(0x7f0000002c80)=""/224, 0xe0}, {&(0x7f0000002d80)=""/28, 0x1c}, {&(0x7f0000002dc0)=""/130, 0x82}, {&(0x7f0000002e80)=""/79, 0x4f}, {&(0x7f0000002f00)=""/137, 0x89}, {&(0x7f0000002fc0)=""/90, 0x5a}, {&(0x7f0000003040)=""/253, 0xfd}, {&(0x7f0000003140)=""/46, 0x2e}], 0xa, &(0x7f0000003240)=""/96, 0x60}, 0x2}, {{&(0x7f00000032c0)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff}}, 0x80, &(0x7f0000005340)=[{&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000004340)=""/4096, 0x1000}], 0x2, &(0x7f0000005380)=""/225, 0xe1}, 0x6}, {{&(0x7f0000005480)=@nfc, 0x80, &(0x7f0000005700)=[{&(0x7f0000005500)}, {&(0x7f0000005540)=""/182, 0xb6}, {&(0x7f0000005600)=""/247, 0xf7}], 0x3, &(0x7f0000005740)=""/161, 0xa1}, 0xff}], 0x6, 0x0, &(0x7f0000005980)={0x77359400}) setsockopt$inet6_opts(r1, 0x29, 0x0, &(0x7f00000059c0)=@hopopts={0x0, 0x3, [], [@hao={0xc9, 0x10, @local}, @ra={0x5, 0x2, 0x10001}, @enc_lim={0x4, 0x1, 0x7}, @enc_lim={0x4, 0x1, 0x5}]}, 0x28) [ 3361.667015][ T6914] binder_alloc: binder_alloc_mmap_handler: 6835 20001000-20004000 already mapped failed -16 04:41:42 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7a000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3361.750448][ T6917] input: syz0 as /devices/virtual/input/input1191 [ 3361.766927][ T6863] binder: BINDER_SET_CONTEXT_MGR already set [ 3361.834175][ T6863] binder: 6835:6863 ioctl 40046207 0 returned -16 [ 3361.887153][ T6921] kvm: apic: phys broadcast and lowest prio [ 3361.901242][T11475] binder: undelivered TRANSACTION_ERROR: 29201 [ 3361.935327][T11475] binder: send failed reply for transaction 384 to 6835:6863 04:41:43 executing program 0: r0 = openat$vimc0(0xffffffffffffff9c, 0x0, 0x2, 0x0) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/snapshot\x00', 0x20601, 0x0) syz_genetlink_get_family_id$ipvs(0x0) sendmsg$IPVS_CMD_SET_CONFIG(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_QUERY_EXT_CTRL(r1, 0xc0e85667, &(0x7f0000000400)={0xc0000000, 0x8, "74374bbfc96726bf92dc710a62f378764df69f915ea1a347c302a9842cc6324c", 0x2000, 0x0, 0xb5, 0x0, 0x0, 0xffe00000000000, 0x4, 0x1, [0x3, 0x3ff, 0x6, 0x6]}) fcntl$getownex(r0, 0x10, 0x0) write$binfmt_script(r1, &(0x7f0000000680)=ANY=[@ANYBLOB="2321202e2f66696c6530202f6465762f736e617073686f74000afdfcbfd83b385ddc3f0abafb946ad46bad42ee49d9579caf563793f6e8cbbb96158beda6cfe7d4bf1b47734902c4640ec98b2b8af54ead7fafa40c66e9228b282c6f258c6ef1693cea858bcd15d112dd9af44352a5fe54743784e010393e2decf6e597d816ace125ac4d7f0345a81a42731ebc38189d63a4c63f6649eddbf4b27a4b3dc069ea8748f1c8702a7b8cd401754ea1789adf2d13c826a8d0303e6f908fd4d60a8a4cc8"], 0xb6) write$smack_current(r1, &(0x7f0000000000)='/dev/snapshot\x00', 0xe) stat(&(0x7f0000000240)='./file0/../file0\x00', &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) write$FUSE_CREATE_OPEN(r1, &(0x7f00000005c0)={0xa0, 0x0, 0x5, {{0x0, 0x2, 0x0, 0xca9, 0x0, 0x0, {0x0, 0x0, 0x807c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, r2}}}}, 0xa0) close(r1) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00') sendmsg$TIPC_CMD_RESET_LINK_STATS(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x28, r3, 0x800, 0x70bd29, 0x25dfdbfb, {{}, 0x0, 0x410c, 0x0, {0xc, 0x14, 'syz0\x00'}}}, 0x28}, 0x1, 0x0, 0x0, 0x800}, 0x40005) futimesat(r1, &(0x7f0000000300)='./file0/../file0\x00', &(0x7f0000000340)={{}, {0x77359400}}) ioctl$NBD_SET_BLKSIZE(0xffffffffffffffff, 0xab01, 0x8) 04:41:43 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3f00, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3362.013353][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40486311, 0x1}], 0x0, 0x0, 0x0}) [ 3362.063796][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xc0ffffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:43 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = syz_open_dev$sndpcmc(&(0x7f0000000180)='/dev/snd/pcmC#D#c\x00', 0x6, 0x10000000000200) epoll_ctl$EPOLL_CTL_MOD(r2, 0x3, r1, &(0x7f00000000c0)={0x10000018}) [ 3362.297455][ T7147] binder: 7045:7147 transaction failed 29189/-22, size 24-8 line 2994 04:41:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xfdfdffff]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3362.342660][ T7048] binder: 7045:7048 got transaction to invalid handle [ 3362.375090][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3362.383110][ T7048] binder: 7045:7048 transaction failed 29201/-22, size 0-0 line 2994 04:41:43 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) utime(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={0x100000000, 0x2}) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x6, 0x0) ioctl$SNDRV_SEQ_IOCTL_DELETE_QUEUE(r3, 0x408c5333, &(0x7f0000000040)={0x25, 0x5, 0x8001, 'queue1\x00', 0x3a}) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:43 executing program 2: r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x4a00, 0x0) ioctl$SNDRV_TIMER_IOCTL_GINFO(r0, 0xc0f85403, &(0x7f00000000c0)={{0x3, 0x2, 0xffff, 0x0, 0x4}, 0x9, 0x4, 'id1\x00', 'timer1\x00', 0x0, 0x401, 0x4, 0x8, 0x1}) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) 04:41:43 executing program 0: syz_open_dev$sndtimer(&(0x7f00000000c0)='/dev/snd/timer\x00', 0x0, 0x2004) r0 = accept4$packet(0xffffffffffffffff, 0x0, &(0x7f0000000000), 0x800) accept(r0, &(0x7f0000000040)=@ax25={{0x3, @rose}, [@bcast, @bcast, @remote, @null, @netrom, @null, @rose, @null]}, &(0x7f0000000100)=0x80) 04:41:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40486312, 0x1}], 0x0, 0x0, 0x0}) [ 3362.553218][ T7258] input: syz0 as /devices/virtual/input/input1192 [ 3362.624284][ T7260] binder: 7259:7260 got reply transaction with no transaction stack [ 3362.649288][ T7260] binder: 7259:7260 transaction failed 29201/-71, size 0-0 line 2899 04:41:43 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xff000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3362.712892][ T7304] binder_alloc: binder_alloc_mmap_handler: 7259 20001000-20004000 already mapped failed -16 [ 3362.737481][ T7260] binder: BINDER_SET_CONTEXT_MGR already set 04:41:44 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x4000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3362.766929][ T7260] binder: 7259:7260 ioctl 40046207 0 returned -16 [ 3362.832777][ T7411] kvm: apic: phys broadcast and lowest prio [ 3362.864707][ T7465] binder_alloc: 7259: binder_alloc_buf, no vma 04:41:44 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl$sock_SIOCSIFBR(r2, 0x8941, &(0x7f0000000040)=@generic={0x1, 0x8001, 0x5}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000240)={{{@in, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{}, 0x0, @in6=@mcast2}}, &(0x7f0000000140)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000340)={{{@in=@remote, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in6=@empty}}, &(0x7f0000000180)=0xe8) ioctl$sock_inet_SIOCGIFBRDADDR(r2, 0x8919, &(0x7f0000000c40)={'ifb0\x00', {0x2, 0x4e20, @remote}}) fstat(r0, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0}) getresuid(&(0x7f00000004c0), &(0x7f0000000500), &(0x7f0000000540)=0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000580)={{{@in=@multicast2, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@loopback}}, &(0x7f0000000680)=0xe8) lstat(&(0x7f00000006c0)='./file0\x00', &(0x7f0000000700)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000780)={{{@in6, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@mcast1}}, &(0x7f0000000880)=0xe8) stat(&(0x7f00000008c0)='./file0\x00', &(0x7f0000000900)={0x0, 0x0, 0x0, 0x0, 0x0}) fstat(r0, &(0x7f0000000980)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fsetxattr$security_evm(r1, &(0x7f0000000b40)='security.evm\x00', &(0x7f0000000b80)=@v2={0x3a9d337f66ed79fc, 0x2, 0x8, 0x7, 0x90, "3a6d1d433a8cf855dc874553d5dff170cac15eaa58f32ea1f6e787c581d1f0cb1503c401c56a214eeae14154e7b9f1d678f4ea2ec8e59c9517187ea6bb6b0005ddee5edf2701febeb34f83d29a23f04fc38fec18713ce414c7e0f1403c67bc83739ce7c56ee259ce7a132208c92c986349a854c4aee01c2a02004dfb119e163bfa510f7733c43ab79a7a957f8dc5c794"}, 0x9a, 0x1) getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000a00)={0x0, 0x0, 0x0}, &(0x7f0000000a40)=0xc) getgroups(0xa, &(0x7f0000000a80)=[0x0, 0xee01, 0xee00, 0xee01, 0xee00, 0x0, 0xee00, 0x0, 0x0, 0xee00]) setxattr$system_posix_acl(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='system.posix_acl_default\x00', &(0x7f0000000ac0)={{}, {0x1, 0x2}, [{0x2, 0x2, r3}, {0x2, 0x4, r4}, {0x2, 0x1, r5}, {0x2, 0x4, r6}, {0x2, 0x2, r7}, {0x2, 0x4, r8}, {0x2, 0x0, r9}, {0x2, 0x4, r10}], {0x4, 0x1}, [{0x8, 0x4, r11}, {0x8, 0x2, r12}, {0x8, 0x1, r13}], {0x10, 0x4}, {0x20, 0x1}}, 0x7c, 0x2) [ 3362.876232][T11475] binder: release 7259:7260 transaction 391 out, still active 04:41:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xffff8000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3362.922608][T11475] binder: unexpected work type, 4, not freed [ 3362.943641][ T7486] input: syz0 as /devices/virtual/input/input1193 [ 3362.957668][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x3f00, 0x0, 0x0}) 04:41:44 executing program 0: r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x801, 0x0) r1 = gettid() getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000c80)={0x0, 0x0, 0x0}, &(0x7f0000000cc0)=0xc) ioctl$KVM_GET_SUPPORTED_CPUID(r0, 0xc008ae05, &(0x7f0000000dc0)=""/61) setsockopt$inet_sctp_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000e40)={0x7, 0x8, 0x9, 0xffffffff, 0x0, 0x80000001, 0x5, 0x149, 0x9, 0x200000000000006, 0x9}, 0xb) sendmmsg$unix(r0, &(0x7f0000000d40)=[{&(0x7f0000000040)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000000380)=[{&(0x7f00000000c0)="3040f7655a591cac0a206da418e02c1ec0", 0x11}, {&(0x7f0000000100)="541e6bcb89eeeaa42ceddf13273e7d95dfa47b0b7928eb5dbe94ff00cf59d1fdbd4418a1850e06176550c4e4ea1b7984507b4f12d651edb7d74655ba3bbb79f32b", 0x41}, {&(0x7f0000000180)="fdbc27f2affd28b21d2d4a2fde6259d21ab615348bbe250dbfd3e785d6eba60f25594cc02aca572835ce788deb613faa541e16f1822cecfa556e63e362e7c231e2e4c3020039fafdba946e1e4620520bd0f22e1d34477ad7860e8eb30502a2c6bd9f1c156269859c622a9d0686b1f3cb23cf38b3b8416d6412a701e1d9e1fe5b8108a52fbc4c5bcb45f924285c0150dd1dc9c4e8868e6659ebe92f36de6f670e6df619bc997cdf06cc43c8178bcbb5e62d9038d8f5bc37cdda976068b1b0806b74285bfab024abf3c0f35f251d147c31bee2fdf0efce732e8834bed9caa25d99bc91d92c22f7d3398eea9ec6ddc3faad5b123141edb767bbaa", 0xf9}, {&(0x7f0000000280)="9c293c56f4488825b7ef281158c4cd8e6ae9c832f7ad4e8df096ca9f2bde3b816795e5a1bd8a92a4b960d6812cdab674fa0d3665d88d7f0b52073c628b2946eedbe101d109f6c15eb584d570261ca1afaa3e05a9c83896c36bda1bf0eb0e33c6be1ca69d4c99d0aa53f82df6225c8e42c61d3f3056e7b45c7fe4cf6c4030fab8d1e8034d7d0688d97427a18e1976594598a4dac0935b2a9c277e99ffd02755c0ef9abc71f95d63171f0a6e779329161b2dc3065adc03553d991b9c96861692626df34bbedf7bff8d6a661c65847fb1db7c84e9974834bb2cc9a7682fca48dac696cd1f7dcffd985b18d928", 0xeb}], 0x4, 0x0, 0x0, 0x4}, {&(0x7f00000003c0)=@abs={0x0, 0x0, 0x4e21}, 0x6e, &(0x7f0000000a80)=[{&(0x7f0000000440)="8ebf219f7c83a9c41dc898fba2805044b8d5467761eda105e30ee886320522acd5b45120e2517a7acfa9f1dea9731a25e2a05ecaa9e85138b860a6dafdd873b912afbc74dfa4e55b17eb277d04ad976a2af4d822f6ae99a50b3f112ba010cd85d3380265ef2b45c1938c381e363d112918efc15462cd5c687906ecca09e1652e6d2c6589a3a8df26d70d053ab9bde51a1092586b93f80a056021f7fd", 0x9c}, {&(0x7f0000000500)="2c5bd5bda5575e2bd5227c54943e469be041a68c63277a985f9ae2f48621dc1b1ed089c4faf818b8a71eb7ffc1241c191361be6e8e172eb8ced8ca2f0c85608abd7ae06ba0ed6378792472ad29ee7036c8e7aa3c4794e51fe97e3214b6b81fe6115d1d9b6732a0787c3b633e57672a7b005175edb1d8557965fceba3305c0a3101c4244a6fd25c9ec5b0d6cedbe6572337280673341ed24048edfe32269c833dbd837b5df0a3d50b480cf1ee9079c4b537b3bf0bcea620929cc3d3", 0xbb}, {&(0x7f00000005c0)="f049c0a681e920ab1b6589cd1c97d5f92e7ab64d062fb0b47c1bdc8b33b81659b8a4a70eb9ad4be70686bd3efa33c7817edb7365d305f208aefbe66339982e81a898c71ce19c4e2df2ae8fdbd048149e2b05fa32059df53c1ac905f1126762c80505b787dff32634d2ce918c9004501463a339", 0x73}, {&(0x7f0000000640)="abaf55989d768af82fbbddee0116ae3b7517f1a3e07066e4a566cbf92f983b73c6cb8a8bf7122442d57eaf60d18458a39aabac052958f6c53dccd44da918b7fa9fbd6f399319d2ea54e9c9976f4b105568b165bfdf82616f22e13786b6ea5c6c7e2bfe25452de0a117b5aceef056a6d670cd7aea1a71ba871b2e3f784debf49441cea43167b9208f0181ae6044f7d45f88524fe5b0655bcf38c2c3350296edf84b0e4c214897b6a3c9db1bdb506b9f2612012ef7eb867d12618a74dd87486d845633383f3e1ee4d5319ff537ee222147e497ed0a12d18ab79ddc1912c3bbf404", 0xe0}, {&(0x7f0000000740)="97b9ceecfce8246bb1d932356a8d2181dc5d922a309ea0da2f1da7483455f3903a4798785b0d3279911066c28983548e7b6faa7bc5b1eda0f7ff946e1acf6e21f603026863610021f8540455e1ca24f660ad7467b8801b198fa27811bbcb14440b9f0b4c7ce61ae8f21d33dcb2f3b87617584a18930e7102dcf92eba9e6c976a3497aab16ef5836bf4019656fc5ae2a47849b8db0a8f87ec74d69a93ee6a56ec64694c85703f3b1551d56b875bc6e146216dcbf777f62cfdafb2bae48637ddcbb5e29c098b2b", 0xc6}, {&(0x7f0000000840)="f926e05dcaa7ac11d21f66918921fe520456ded445e44277e5e9b9a4aee5c8316103a55d272c3f814c300d754ef5552cebae2eefee052989cde667cd2a8e25d9b944a514afad615065d566c2f5179f22fedf62e51e0a3c5e67904a418a5645813dd755941b5c7a4e7942cb40dc8b0eecf6e36bb591324f75dfa943aa4759866713e130bd47c21cb1d1d44a7c028c061c2a59a24a1de5eefc52bfdbca818620d117816b37f09de3d598300f9d904abe21501d1488624850138ee343484eec6004f3a86930", 0xc4}, {&(0x7f0000000940)="4aa4fe8e57d4c17c9b8c3c0a1cc7e46d9b8b6efab0883fe8bef92e3e2d99175b16bc5f12c33d1388be698d662619361bd93a40b54c61bfc46cfb", 0x3a}, {&(0x7f0000000980)="389c9daa38430c2b6c62c9aaaf56935f88c9ccf23eb2c07d47360fefa8aa2c4fa2bfcf5ce99f70d5d2ed5d161d5597e62ccc5ea63b6cc00ff7fd569a24bf0db6413debdaef29b5a08fedc328", 0x4c}, {&(0x7f0000000a00)="f023fcceaae71b782f9e11f2ef8d9e0674e64d0128e5e5a2accbfe33ccc9ab5babc8549cb86c5d17fde0d1c3fc0f182b504c7f3c62476a60e186606c", 0x3c}, {&(0x7f0000000a40)="e5c2b90e59d67fbe", 0x8}], 0xa, &(0x7f0000001040)=ANY=[@ANYBLOB="ad0854053245940df3cd76f820000001d1d5f300010000985b3ba3", @ANYRES32=r1, @ANYRES32, @ANYRES32=r2, @ANYBLOB="0000000018000000000000000100000001000000bca801ec73e60ca242daa625b3bb2b32a66c56c307cfa2a22fa2db57679c22b01e688f6505e617d91dec7533e34185c32c74", @ANYRES32=r0, @ANYBLOB="c86933af0107f10b42334dc399a7a8c0e7caca94e34c280b287f4577ff61a9cb63547ee231b72b1082242243ac2f6113e2b18cd064c14c5389ccf538608c0ca172e369ad8885ae8682735c3fee"], 0x38, 0x40000}], 0x2, 0x40000) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000e00)={0x0, 0xfff}, &(0x7f0000000f00)=0x8) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000f40)={r3, 0x3ff}, &(0x7f0000001000)=0x2) ioctl$KVM_GET_SUPPORTED_CPUID(r0, 0xc008ae05, &(0x7f0000000b40)=""/58) writev(r0, &(0x7f0000001840)=[{&(0x7f0000001480)="149f40cf98249ec2d7bf61f4e0bd91b7ccebbb4936085e696a7acef578bfd970c53e0004cac7b5cbd285b8507b8bf22cd36719d54968284a569959efde4ec324", 0x40}], 0x1) ioctl$VIDIOC_G_OUTPUT(r0, 0x8004562e, &(0x7f0000000d00)) [ 3363.007564][T11475] binder: send failed reply for transaction 391, target dead [ 3363.140120][ T7560] binder: 7523:7560 ioctl c0306201 200001c0 returned -14 [ 3363.185983][ T7641] binder_alloc: binder_alloc_mmap_handler: 7523 20001000-20004000 already mapped failed -16 04:41:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xfffffdfd]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:44 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput\x00', 0x0, 0x0) ioctl$UI_DEV_SETUP(r0, 0x405c5503, &(0x7f00000001c0)={{}, 'syz0\x00'}) ioctl$UI_DEV_SETUP(r0, 0x5501, 0x0) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x4, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) [ 3363.227951][ T7560] binder: BINDER_SET_CONTEXT_MGR already set [ 3363.279611][ T7560] binder: 7523:7560 ioctl 40046207 0 returned -16 [ 3363.336240][ T7698] kvm: apic: phys broadcast and lowest prio [ 3363.338511][T11475] binder: release 7523:7560 transaction 397 out, still active [ 3363.342572][ T7716] binder: 7523:7716 Release 1 refcount change on invalid ref 1 ret -22 [ 3363.376423][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:44 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = accept$inet6(0xffffffffffffffff, 0x0, &(0x7f0000000000)) ioctl$sock_SIOCINQ(r0, 0x541b, &(0x7f0000000040)) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:44 executing program 0: sched_setaffinity(0x0, 0x8, &(0x7f0000000140)) r0 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) pipe(0x0) ioctl$KVM_PPC_ALLOCATE_HTAB(0xffffffffffffffff, 0xc004aea7, &(0x7f0000a1cffc)) r1 = syz_open_procfs(0x0, &(0x7f0000dec000)='smaps\x00') madvise(&(0x7f000092d000/0x400000)=nil, 0x400000, 0x10200000008) mlock2(&(0x7f0000bcc000/0x3000)=nil, 0x3000, 0x0) ioctl$TIOCGSID(r1, 0x5429, &(0x7f0000000000)=0x0) fcntl$lock(r0, 0x5, &(0x7f00000000c0)={0x0, 0x4, 0xe748, 0x100000001, r2}) sendfile(r1, r1, &(0x7f0000b58000)=0x200000, 0xffff) [ 3363.392995][ T7719] input: syz0 as /devices/virtual/input/input1194 [ 3363.401021][T11475] binder: send failed reply for transaction 397, target dead [ 3363.429818][ T7716] binder: 7523:7716 ioctl c0306201 200001c0 returned -14 04:41:44 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x5400, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:44 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xffffffc0]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x1000000, 0x0, 0x0}) 04:41:44 executing program 2: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f0000000140)=0x74, 0x4) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) sendto$inet(r0, &(0x7f00000012c0)="bb0224d1b5449778f5fde2561e416a17a41a0de3f6650937e2f9a79ecdbdab2a65e3a5bbef53ad8a8c120310e18b158121936492c3fec0bdaa2a2cf8508d1c66e2ef567f848b3a4f13e12d90b27ee4ab6626a81a53d113e884f4a6cfd97a68a1fabb85d6ce78b415e91a957905a7a558db6f6d87f8993c5a77e686f7b0ada3650fbc5732e18d34de5fdb14dc81ac4efeff01ddfd62afcfbac4762c03d1f3abe353b4b772f8be5cf8acd1b2f8bd7ae5f379ea97db0314f92750f61b4360cc620c3baf8e47e8186dcb8b9f68dfe648274c1a5ba5a0fa17f60551ca7b51825b865e57bc9b04d7cebe922d69dec2062ddbcf6911d423aa6b5b8cdac74abc97f394a80ecca7ecd31399f3fc9df3e1d3bb7bc5ee342e7b21d60e0e04397d297e9f6880e9f82fddfa0f043702f83ba4813017a00d2e308b171fc9d055f53b8600935131568ee24f8009db57e4cab294378f08e935c9b709f499edff76048d7efefb887d15eb08603abe2e02b9a965c64612825e70169748e6be94c4c9d46c52915f2e052fb9bbc939b15df1cb337e52298f12a44fe0ad6cbda10bdbce7828101b4b23c842fdcb4c6882ca2e74d2dc0faaee99bfee3b659d13181b91ac247abfc7b3494be909b71f2ccdc7411a045eafca28cd3bd029b7ad8c92e8746c6d3f7e6ae8f13f601486ed18e9eb947723a3266c663e68c9a0211986b25b4f487ec594d52fd7189f7af779ef52bac93f82b9ee6f4e7a25fcf5f6ebbdcd43e22e2bc81b48e6c396770177af305727c287e5c95ab9dc13903cc7107b9732ccebb6e511e7dc70060106bd27215970bc971a3a404daf836baa070d559ffbae65d1bf41e05ce9dfaec3ec5a9b6c4e8c11e2fc595aabbf68132d9823cfffc643f611fc61483283f13ce84116d2879b934920d7cde54ddda6e05098944c7fc8fa6f071cf82bcee045f5f494a56031f7f7f11ebcfc09db8e00f78aeeea181f1d7b6b4e231aa2b689138f937a73113315c82d04ab429d7f676c0b24bb5790afb969283e27a0fb0e5c6e8ddcf8275b993bc170484f8049c02ab8e6f0413d12e89ce8a3af0ba32675191749921d80131ad8e3aa0821fa76820fbb2250033756fb8de9790abf5bc619bad25ab6d48a3dde032b98ce82960baf647033ddf11ca172c6275c788d03364cb5403a6a4dd8cbe74955c5fa5494a71814b73f6f12dbe1d28cb5fc975e65f6d841432c7a76aefa29b294a2616fb223b41765a59cf81ad5bc435c9a151b7982d84b27e9fc25c700c90fcb7af90a3706c9639a924a1772a1e9a764649f161353e6e12fd836de7be3cd88a45153d1ce8c635ee82f2bbe4bae55cbe4f66723497a07d6177d0d76f74b52dd4c7d24f889e0e8c90c7100aa12bbf7f2aa8cf6d818942fde95713add7621c961165af471a5f3249d6f12ddbda594193a469c3ec17891650c4e8029ee0c897a6b66171782e7b2d163b2d637cd831d2732f374562c9cba3d3558060c5aba5782c9542a940f1e0a9142870e2be08c38c970eca0043bc114759855b093f2780aba5cb1bbd49c3029a2b2f4a8030b6ff2529aa5a50d7819297d47ebd0dfea0a54d024477e3b1a18536626bb68286f6c9ab7f6f677d08d37cd6c9bdafb1c9d70c905146a1e22fae5d43bb55fb825c3364298fcdbb631df1b1fe23a6a9c98073e93fa5963fc7fd9576002694cd9df44341ade7bee751095b22a76430cac1b855ab8fce1dcc7f3c17ef53970ea44153045f61195d45e798540bb64da05f4b3167d99578b3bcb63c3be6572d5bfe50ace29f6e9", 0x4f4, 0x0, 0x0, 0x0) [ 3363.688209][ T7871] binder: 7869:7871 ioctl c0306201 200001c0 returned -14 [ 3363.728200][ T7882] binder_alloc: binder_alloc_mmap_handler: 7869 20001000-20004000 already mapped failed -16 [ 3363.785914][ T7871] binder: BINDER_SET_CONTEXT_MGR already set [ 3363.818535][ T7871] binder: 7869:7871 ioctl 40046207 0 returned -16 [ 3363.858562][T14003] binder: release 7869:7871 transaction 401 out, still active [ 3363.866983][ T7882] binder_alloc: 7869: binder_alloc_buf, no vma [ 3363.878434][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3363.898720][ T7882] binder_transaction: 1 callbacks suppressed 04:41:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x40000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3363.898745][ T7882] binder: 7869:7882 transaction failed 29189/-3, size 24-8 line 3147 [ 3363.922901][T14003] binder: send failed reply for transaction 401, target dead [ 3363.978564][T14003] binder_release_work: 3 callbacks suppressed [ 3363.978572][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:45 executing program 0: r0 = syz_open_dev$midi(&(0x7f0000000100)='/dev/midi#\x00', 0x6, 0x101202) recvfrom$unix(r0, &(0x7f0000000140)=""/43, 0x2b, 0x0, &(0x7f00000001c0)=@file={0x1, './file1\x00'}, 0x6e) ioctl$BLKSECDISCARD(r0, 0x127d, &(0x7f0000000240)=0x3) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x40, 0x0) ioctl$PERF_EVENT_IOC_SET_BPF(r1, 0x40042408, r2) r3 = creat(&(0x7f0000000080)='./file1\x00', 0x0) pwritev(r3, &(0x7f00000000c0)=[{&(0x7f0000000180)="5695572c82", 0x5}], 0x1, 0x0) lseek(r3, 0x0, 0x3) accept4$packet(0xffffffffffffffff, 0x0, 0x0, 0x0) socket$kcm(0x29, 0x5, 0x0) ioctl$KVM_INTERRUPT(0xffffffffffffffff, 0x4004ae86, 0x0) setsockopt$inet_int(r3, 0x0, 0xf, &(0x7f0000000280)=0x4, 0x4) openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/attr/current\x00', 0x2, 0x0) [ 3364.031224][ T8033] kvm: apic: phys broadcast and lowest prio 04:41:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x3f000000, 0x0, 0x0}) 04:41:45 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0x6e0}]}) [ 3364.224234][ T8093] binder: 8092:8093 ioctl c0306201 200001c0 returned -14 04:41:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x80ffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3364.302803][ T8095] binder_alloc: binder_alloc_mmap_handler: 8092 20001000-20004000 already mapped failed -16 [ 3364.386457][ T8093] binder: BINDER_SET_CONTEXT_MGR already set 04:41:45 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) setsockopt$TIPC_SRC_DROPPABLE(r2, 0x10f, 0x80, &(0x7f0000000000), 0x4) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3364.445487][ T8093] binder: 8092:8093 ioctl 40046207 0 returned -16 [ 3364.445533][T11475] binder: send failed reply for transaction 406 to 8092:8093 [ 3364.457376][ T8129] kvm: apic: phys broadcast and lowest prio [ 3364.481037][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3364.501265][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0xfdfdffff, 0x0, 0x0}) 04:41:45 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x100000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3364.689241][ T8320] binder: 8318:8320 ioctl c0306201 200001c0 returned -14 [ 3364.782005][ T8323] binder_alloc: binder_alloc_mmap_handler: 8318 20001000-20004000 already mapped failed -16 [ 3364.824396][ T8320] binder: BINDER_SET_CONTEXT_MGR already set [ 3364.854584][ T8325] kvm: apic: phys broadcast and lowest prio [ 3364.875763][ T8320] binder: 8318:8320 ioctl 40046207 0 returned -16 04:41:46 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x6800, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:46 executing program 2: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r0, 0x4008240b, &(0x7f0000000040)={0x7, 0x70, 0x1000, 0x4b32, 0x3, 0x3, 0x0, 0x3af2, 0x8008, 0xc, 0x9, 0x5, 0x8000, 0x0, 0x0, 0x2, 0xa58, 0xbf, 0x9, 0xc7b, 0x100000001, 0x0, 0x6, 0x16e, 0x3, 0x0, 0x10001, 0x100000001, 0x5, 0x4, 0x800, 0x2, 0xe86, 0x8, 0x1ff, 0x101, 0x6, 0x0, 0x0, 0x0, 0x4, @perf_bp={&(0x7f0000000000), 0x8}, 0x40, 0x508, 0x1f, 0x7, 0xffffffffcfbff808, 0x7, 0xfffffffffffff001}) [ 3364.924476][ T8327] binder_alloc: 8318: binder_alloc_buf, no vma [ 3364.940189][ T8327] binder: 8318:8327 transaction failed 29189/-3, size 24-8 line 3147 04:41:46 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x4, 0x0, 0x1000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10001, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}, 0x0, 0x3166b194}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f0000000180)='wlan0\x00', 0x1) setsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000540)={{{@in=@dev, @in6=@ipv4={[], [], @loopback}, 0x0, 0x0, 0x0, 0xa07d, 0xa, 0x0, 0x0, 0x2f}, {0x4, 0x3, 0x831, 0x0, 0x1, 0x5, 0x5}, {0x0, 0x7, 0x8, 0x7ee}, 0x0, 0x6e6bbc, 0x1, 0x1, 0x3}, {{@in6=@remote, 0x4d3}, 0x0, @in6=@mcast2, 0x3503, 0x0, 0x1, 0x2, 0x0, 0x7}}, 0xe8) sync_file_range(r0, 0xfffffffffffffff8, 0xfffffffffffffffa, 0x1) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@ipv4={[], [], @local}, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}, &(0x7f00000000c0)=0xe8) setsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000440)={{{@in=@local, @in, 0x4e23, 0x1f, 0x4e20, 0x6, 0xa, 0xa0, 0x0, 0x2e, 0x0, r1}, {0x8, 0x6, 0x4, 0x93, 0x0, 0x8001, 0xba}, {0x7, 0x0, 0xffffffffffffff2d, 0x5}, 0x2, 0x6e6bb7, 0x0, 0x1, 0x2, 0x3}, {{@in6=@mcast1, 0x4d3, 0xff}, 0x0, @in=@rand_addr=0x80000000, 0x0, 0x3, 0x3, 0x80, 0x5, 0x3, 0x40}}, 0xe8) r2 = socket$pppoe(0x18, 0x1, 0x0) r3 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r3, &(0x7f0000000040)={0x18, 0x0, {0x3, @local, 'syz_tun\x00'}}, 0x1e) connect$pppoe(r2, &(0x7f0000000080)={0x18, 0x0, {0x4000000000000003, @local, 'syz_tun\x00'}}, 0x1e) connect$pppoe(r2, &(0x7f0000000100)={0x18, 0x0, {0x3, @empty, 'bridge_slave_0\x00'}}, 0x1e) getsockopt$bt_BT_FLUSHABLE(r0, 0x112, 0x8, 0x0, &(0x7f0000000640)) r4 = dup2(r2, r3) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c06, r0) r5 = syz_open_procfs(0x0, &(0x7f0000000380)='net\x00') fcntl$setstatus(r5, 0x4, 0x4000) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000340)) recvfrom(0xffffffffffffffff, &(0x7f0000000780)=""/89, 0x59, 0x40000001, &(0x7f0000000940)=@un=@abs={0x0, 0x0, 0x4e23}, 0x80) msgget$private(0x0, 0x402) seccomp(0x1, 0x0, &(0x7f0000000080)={0x2, &(0x7f0000000000)=[{0x300000, 0x1, 0xbb1}, {0xe3, 0x4, 0x5, 0x101}]}) syz_open_dev$vivid(&(0x7f0000000140)='/dev/video#\x00', 0x2, 0x2) ioctl$EVIOCSREP(r4, 0x40084503, &(0x7f0000000680)=[0x9, 0x101]) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000002c0)={0x0, 0x80000, r0}) sendfile(r0, r5, &(0x7f0000000040), 0x1080005000) [ 3364.987199][T11475] binder: release 8318:8320 transaction 410 out, still active [ 3364.988873][ T8320] binder: 8318:8320 Release 1 refcount change on invalid ref 1 ret -22 [ 3365.001244][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3365.009367][ T8320] binder: 8318:8320 ioctl c0306201 200001c0 returned -14 [ 3365.024799][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0xfffffdfd, 0x0, 0x0}) 04:41:46 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x200000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3365.039401][T11475] binder: send failed reply for transaction 410, target dead 04:41:46 executing program 2: socketpair(0x9, 0x80000, 0xff, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getpeername$packet(r0, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000140)=0x14) connect$packet(r0, &(0x7f0000000000)={0x11, 0x1000f1, r1, 0x1, 0x2000000000000008, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x8acdd71feed2e2d4}}, 0x14) socket(0x0, 0x0, 0x20) [ 3365.154179][ T8338] kvm: apic: phys broadcast and lowest prio [ 3365.183351][ T8344] binder: 8340:8344 ioctl c0306201 200001c0 returned -14 04:41:46 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x300000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3365.261813][ T8435] binder_alloc: binder_alloc_mmap_handler: 8340 20001000-20004000 already mapped failed -16 [ 3365.280406][ T8435] binder: BINDER_SET_CONTEXT_MGR already set [ 3365.286412][ T8435] binder: 8340:8435 ioctl 40046207 0 returned -16 [ 3365.320039][ T8460] binder_alloc: 8340: binder_alloc_buf, no vma [ 3365.340015][T14003] binder: release 8340:8344 transaction 415 out, still active [ 3365.348938][ T8460] binder: 8340:8460 transaction failed 29189/-3, size 24-8 line 3147 [ 3365.362015][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:46 executing program 2: r0 = fcntl$dupfd(0xffffffffffffff9c, 0x0, 0xffffffffffffffff) ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r0, 0x40a85323, &(0x7f0000000200)={{0x800, 0x5}, 'port1\x00', 0x29, 0x4, 0x81, 0x9, 0x9, 0x9, 0x80000000, 0x0, 0x2, 0x1}) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f00000000c0)="0adc1f2b3c023f3188b060") r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x408381, 0x0) ioctl(r2, 0x800000000000937e, &(0x7f0000000000)="0100000000000000610100000402008604ade0e66012fc232f") openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x1, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_LIST(r2, 0xc0505510, &(0x7f0000000180)={0x8, 0x2, 0xfffffffffffff8f3, 0x3, &(0x7f0000000100)=[{}, {}]}) 04:41:46 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x4, 0x0, 0x1000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10001, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}, 0x0, 0x3166b194}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f0000000180)='wlan0\x00', 0x1) setsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000540)={{{@in=@dev, @in6=@ipv4={[], [], @loopback}, 0x0, 0x0, 0x0, 0xa07d, 0xa, 0x0, 0x0, 0x2f}, {0x4, 0x3, 0x831, 0x0, 0x1, 0x5, 0x5}, {0x0, 0x7, 0x8, 0x7ee}, 0x0, 0x6e6bbc, 0x1, 0x1, 0x3}, {{@in6=@remote, 0x4d3}, 0x0, @in6=@mcast2, 0x3503, 0x0, 0x1, 0x2, 0x0, 0x7}}, 0xe8) sync_file_range(r0, 0xfffffffffffffff8, 0xfffffffffffffffa, 0x1) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@ipv4={[], [], @local}, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}, &(0x7f00000000c0)=0xe8) setsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000440)={{{@in=@local, @in, 0x4e23, 0x1f, 0x4e20, 0x6, 0xa, 0xa0, 0x0, 0x2e, 0x0, r1}, {0x8, 0x6, 0x4, 0x93, 0x0, 0x8001, 0xba}, {0x7, 0x0, 0xffffffffffffff2d, 0x5}, 0x2, 0x6e6bb7, 0x0, 0x1, 0x2, 0x3}, {{@in6=@mcast1, 0x4d3, 0xff}, 0x0, @in=@rand_addr=0x80000000, 0x0, 0x3, 0x3, 0x80, 0x5, 0x3, 0x40}}, 0xe8) r2 = socket$pppoe(0x18, 0x1, 0x0) r3 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r3, &(0x7f0000000040)={0x18, 0x0, {0x3, @local, 'syz_tun\x00'}}, 0x1e) connect$pppoe(r2, &(0x7f0000000080)={0x18, 0x0, {0x4000000000000003, @local, 'syz_tun\x00'}}, 0x1e) connect$pppoe(r2, &(0x7f0000000100)={0x18, 0x0, {0x3, @empty, 'bridge_slave_0\x00'}}, 0x1e) getsockopt$bt_BT_FLUSHABLE(r0, 0x112, 0x8, 0x0, &(0x7f0000000640)) r4 = dup2(r2, r3) ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c06, r0) r5 = syz_open_procfs(0x0, &(0x7f0000000380)='net\x00') fcntl$setstatus(r5, 0x4, 0x4000) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000340)) recvfrom(0xffffffffffffffff, &(0x7f0000000780)=""/89, 0x59, 0x40000001, &(0x7f0000000940)=@un=@abs={0x0, 0x0, 0x4e23}, 0x80) msgget$private(0x0, 0x402) seccomp(0x1, 0x0, &(0x7f0000000080)={0x2, &(0x7f0000000000)=[{0x300000, 0x1, 0xbb1}, {0xe3, 0x4, 0x5, 0x101}]}) syz_open_dev$vivid(&(0x7f0000000140)='/dev/video#\x00', 0x2, 0x2) ioctl$EVIOCSREP(r4, 0x40084503, &(0x7f0000000680)=[0x9, 0x101]) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000002c0)={0x0, 0x80000, r0}) sendfile(r0, r5, &(0x7f0000000040), 0x1080005000) [ 3365.391278][T14003] binder: send failed reply for transaction 415, target dead [ 3365.428832][ T8552] kvm: apic: phys broadcast and lowest prio [ 3365.446228][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:46 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x200000, 0x0) ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000040)={0x5, @capture={0x1000, 0x1, {0x7a, 0x2b5}, 0x6, 0x3}}) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x100000000000000, 0x0, 0x0}) 04:41:46 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x400000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3365.644417][ T8635] binder: 8634:8635 ioctl c0306201 200001c0 returned -14 04:41:46 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xb80b, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:46 executing program 0: r0 = syz_open_dev$dri(&(0x7f00000001c0)='/dev/dri/card#\x00', 0x1, 0x0) ioctl(r0, 0xffffffffffffffb3, &(0x7f0000000000)) r1 = gettid() getpgid(r1) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x10400, 0x0) 04:41:46 executing program 2: r0 = socket(0x11, 0x2, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000580)={{{@in=@dev, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in6}}, &(0x7f0000000200)=0xe8) bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0x9, 0x4, &(0x7f0000000080)=@raw=[@ldst={0x2, 0x0, 0x7, 0x4, 0xa, 0xfffffffffffffff8, 0xfffffffffffffffc}, @alu={0x4, 0x7c, 0x1, 0x4, 0xf, 0x10, 0x8}, @map={0x18, 0xf, 0x1, 0x0, r1}], &(0x7f0000000100)='GPL\x00', 0x9, 0xc, &(0x7f00000001c0)=""/12, 0x41f00, 0x1, [], r2}, 0x48) mount(&(0x7f00000004c0)=ANY=[], 0x0, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x375, &(0x7f0000000140)=0x5) syz_genetlink_get_family_id$ipvs(&(0x7f00000003c0)='IPVS\x00') sendmsg$IPVS_CMD_SET_SERVICE(0xffffffffffffffff, &(0x7f0000000240)={&(0x7f0000000680), 0xc, 0x0, 0x1, 0x0, 0x0, 0x81}, 0x0) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) chdir(&(0x7f0000000540)='./file0\x00') getsockopt$sock_cred(r0, 0x1, 0x11, 0x0, &(0x7f0000000500)) fcntl$getownex(r3, 0x10, 0x0) getpgrp(0x0) r4 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000340)='/dev/autofs\x00', 0x3, 0x0) mlock(&(0x7f0000ff9000/0x4000)=nil, 0x4000) r5 = open(&(0x7f0000000180)='./file0\x00', 0x40, 0x1) setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r0, 0x84, 0x12, 0x0, 0x0) execve(0x0, &(0x7f0000000440), &(0x7f0000000700)=[&(0x7f0000000480)='\x00']) munmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) setsockopt$inet_msfilter(r5, 0x0, 0x29, &(0x7f0000000780)=ANY=[@ANYBLOB], 0x1) getsockopt$bt_BT_SECURITY(r4, 0x112, 0x4, &(0x7f0000000840), 0x1) execve(&(0x7f0000000280)='./file0\x00', &(0x7f0000000380), 0x0) r6 = socket$inet_tcp(0x2, 0x1, 0x0) sendmsg$TIPC_NL_PUBL_GET(0xffffffffffffffff, 0x0, 0x800) ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8914, &(0x7f0000000040)={'lo\x00\x00\x00\x00\x00\x7f\xff\xff\xe0\x00'}) setsockopt$inet_tcp_TLS_TX(r6, 0x6, 0x1, &(0x7f00000004c0), 0x4) ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8914, &(0x7f00000000c0)={'lo\x00@\x00\x00\x00`\x00\x00 \x00', 0x101}) socket$key(0xf, 0x3, 0x2) [ 3365.695957][ T8679] binder_alloc: binder_alloc_mmap_handler: 8634 20001000-20004000 already mapped failed -16 [ 3365.741401][ T8635] binder: BINDER_SET_CONTEXT_MGR already set [ 3365.755790][ T8678] kvm: apic: phys broadcast and lowest prio [ 3365.765293][ T8635] binder: 8634:8635 ioctl 40046207 0 returned -16 [ 3365.806271][ T8723] binder_alloc: 8634: binder_alloc_buf, no vma [ 3365.814191][ T8723] binder: 8634:8723 transaction failed 29189/-3, size 24-8 line 3147 [ 3365.826270][ T8635] binder: 8634:8635 Release 1 refcount change on invalid ref 1 ret -22 [ 3365.837001][T14003] binder: release 8634:8635 transaction 420 out, still active 04:41:47 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x500000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3365.855343][ T8635] binder: 8634:8635 ioctl c0306201 200001c0 returned -14 [ 3365.864403][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3365.885069][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x3f00000000000000, 0x0, 0x0}) [ 3365.933986][T14003] binder: send failed reply for transaction 420, target dead 04:41:47 executing program 0: r0 = openat$capi20(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/capi20\x00', 0x0, 0x0) ioctl$CAPI_GET_MANUFACTURER(r0, 0xc0044308, &(0x7f0000000040)) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x3, 0x2) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000100)='cdg\x00', 0x4) ioctl$PPPIOCGNPMODE(r1, 0xc008744c, &(0x7f0000000080)={0x0, 0x3}) [ 3366.046112][ T8802] kvm: apic: phys broadcast and lowest prio [ 3366.062069][ T8812] binder: 8811:8812 ioctl c0306201 200001c0 returned -14 [ 3366.121565][ T8819] binder_alloc: binder_alloc_mmap_handler: 8811 20001000-20004000 already mapped failed -16 04:41:47 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x600000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3366.164935][ T8812] binder: BINDER_SET_CONTEXT_MGR already set [ 3366.183517][ T8812] binder: 8811:8812 ioctl 40046207 0 returned -16 04:41:47 executing program 2: r0 = socket$inet6_udp(0xa, 0x2, 0x0) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r1, &(0x7f0000000040)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @multicast2}, 0x4}}, 0x2e) getsockopt$sock_buf(r1, 0x1, 0x1c, 0x0, &(0x7f0000000000)) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snapshot\x00', 0x0, 0x0) ioctl$RNDZAPENTCNT(r2, 0x5204, &(0x7f00000000c0)=0x7) [ 3366.206135][ T8819] binder_alloc: 8811: binder_alloc_buf, no vma [ 3366.266631][T14003] binder: release 8811:8812 transaction 425 out, still active [ 3366.275684][ T8819] binder: 8811:8819 transaction failed 29189/-3, size 24-8 line 3147 [ 3366.291383][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0xfdfdffff00000000, 0x0, 0x0}) [ 3366.322367][T14003] binder: send failed reply for transaction 425, target dead [ 3366.353247][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3366.528084][ T9035] binder: 9031:9035 ioctl c0306201 200001c0 returned -14 04:41:47 executing program 3: r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ubi_ctrl\x00', 0x2c182, 0x0) ioctl$SCSI_IOCTL_BENCHMARK_COMMAND(r0, 0x3) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) symlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='./file0\x00') listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles\x00', 0x0, 0x0) r4 = syz_open_dev$dspn(0x0, 0x0, 0x0) ioctl$VHOST_SET_OWNER(r4, 0xaf01, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x80, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x240, 0x0, 0x0, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000140)={0x0, 0x8000}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x30, 0x0, 0x0, 0xfffffffffffffee3) ioctl$KVM_NMI(r2, 0xae9a) chmod(&(0x7f0000000040)='./file0\x00', 0x80) fcntl$getownex(0xffffffffffffffff, 0x10, 0x0) syz_open_dev$video(0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_GUEST_DEBUG(r2, 0x4048ae9b, &(0x7f0000000080)={0x20001, 0x0, [0x0, 0xfffffffffffff128, 0xffffffffffffffbb, 0x0, 0x0, 0x0, 0x0, 0x120]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 04:41:47 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x700000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3366.620502][ T9039] binder_alloc: binder_alloc_mmap_handler: 9031 20001000-20004000 already mapped failed -16 [ 3366.723193][ T9035] binder: BINDER_SET_CONTEXT_MGR already set [ 3366.762197][ T9035] binder: 9031:9035 ioctl 40046207 0 returned -16 [ 3366.768257][ T9079] binder_alloc: 9031: binder_alloc_buf, no vma [ 3366.819248][T14003] binder: send failed reply for transaction 430 to 9031:9035 [ 3366.858389][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3366.864596][ T9079] binder: 9031:9079 transaction failed 29189/-3, size 24-8 line 3147 [ 3366.895050][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3366.915269][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:48 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe803, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:48 executing program 2: fcntl$getownex(0xffffffffffffff9c, 0x10, &(0x7f0000000580)={0x0, 0x0}) waitid(0x2, r0, 0x0, 0x1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x0, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_WRITE(r1, 0xc4c85513, &(0x7f0000000080)={{0x4, 0x0, 0x541, 0xfd9, 'syz0\x00', 0x8}, 0x0, [0x6, 0x2, 0x1ff, 0x7ff, 0xf854, 0x200, 0x2, 0xff, 0x7, 0x1, 0x800, 0x3, 0x1, 0xd4, 0x7f, 0xfff, 0x6, 0x9, 0x1ff, 0x0, 0x1, 0x10001, 0x10000, 0x6, 0x80000001, 0x3, 0xfff, 0x6, 0x3, 0x8, 0xa72, 0x3ff, 0x1, 0x0, 0x100, 0x6, 0x1, 0x80, 0xcc77, 0xc0, 0x5, 0xcbbd753, 0x2e3, 0x3c9d3c28, 0x86, 0x7, 0x7fff, 0x5, 0x5, 0x9, 0x4, 0x1f, 0x2, 0x40f1, 0x7, 0x20, 0x6, 0x2e, 0x2800000, 0x40, 0x5b6, 0x2, 0x8, 0xffffffff00000000, 0x3ff, 0x100000001, 0x5c08, 0x0, 0xfffffffffffeffff, 0x3, 0x100000001, 0x4, 0x9, 0x4, 0xfa1a, 0x7, 0x7ff, 0x5, 0xffffffff00000001, 0x0, 0x400, 0x6, 0x1, 0x8000, 0x3f, 0x0, 0x5, 0x7ff, 0x7, 0x5, 0x1, 0x2, 0x3, 0xcaa8, 0x4, 0xf4, 0x0, 0x13e, 0x0, 0x9, 0x7, 0x6, 0x7, 0x40, 0xba, 0xfffffffffffffffd, 0x200, 0x6, 0x7, 0x0, 0x1, 0x9, 0x3, 0xb92a, 0x3, 0x8e, 0x101, 0x5, 0x0, 0x5, 0x4, 0x7, 0xffff, 0x8, 0xfffffffffffffff9, 0x373, 0x3ff, 0x7]}) close(r1) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c831, 0xffffffffffffffff, 0x0) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x0, 0x0) ioctl$SNDRV_CTL_IOCTL_TLV_READ(r2, 0xc008551a, &(0x7f00000006c0)=ANY=[@ANYBLOB="08000000100000001300010004000000ffff000000e7b6589f9673ff864142f76f1e7416ebbb09b92efe9bd0634b0700b117e31964f7ae390773813d9a25272815a9e8a64965e5b9"]) write$P9_RLOPEN(r1, &(0x7f00000005c0)={0x18, 0xd, 0x2, {{0x4, 0x1}, 0x3f}}, 0x18) getsockopt$TIPC_IMPORTANCE(r2, 0x10f, 0x7f, &(0x7f0000000640), &(0x7f0000000680)=0x4) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x2, 0x0, 0x0, 0x2000000004002) setsockopt$inet6_buf(r1, 0x29, 0x0, &(0x7f0000000600)="48344969217c2c552c6af8f7f8a1b2f85ad114204a6be957bd0e7e04eab83816553e3b9319d0bed15d62e216711b5550db67fd76bee355c6", 0x38) 04:41:48 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x2000000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x3f00, 0x0}) 04:41:48 executing program 0: openat$capi20(0xffffffffffffff9c, &(0x7f0000000500)='/dev/capi20\x00', 0x0, 0x0) unshare(0x8000040) mq_open(&(0x7f000084dff0)='!selinuxselinux\x00', 0x6e93ebbbcc0884f0, 0x0, 0x0) r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00', 0x4002, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'rose0\x00', 0x2}, 0x18) openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vhost-vsock\x00', 0x2, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000440)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) set_thread_area(&(0x7f0000000000)={0xbdae, 0xffffffffffffffff, 0x400, 0x7, 0x0, 0xec, 0x3f, 0x3, 0x4, 0x9}) pselect6(0x40, &(0x7f00000000c0), 0x0, &(0x7f0000000140)={0x1b9}, &(0x7f0000000200), 0x0) [ 3367.035469][ T9162] binder_alloc: binder_alloc_mmap_handler: 9156 20001000-20004000 already mapped failed -16 [ 3367.059593][ T9157] kvm: apic: phys broadcast and lowest prio [ 3367.114956][ T9158] binder: BINDER_SET_CONTEXT_MGR already set [ 3367.133447][ T9158] binder: 9156:9158 ioctl 40046207 0 returned -16 04:41:48 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4800000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3367.173577][ T9263] binder_alloc: 9156: binder_alloc_buf, no vma [ 3367.187584][ T9263] binder: 9156:9263 transaction failed 29189/-3, size 24-8 line 3147 [ 3367.266053][ T9158] binder: 9156:9158 Release 1 refcount change on invalid ref 1 ret -22 [ 3367.266423][T11475] binder: release 9156:9158 transaction 435 out, still active [ 3367.302204][ T9327] kvm: apic: phys broadcast and lowest prio 04:41:48 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xb80b, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3367.317621][ T9366] kvm: apic: phys broadcast and lowest prio [ 3367.332375][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3367.339625][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x1000000, 0x0}) [ 3367.382517][T11475] binder: send failed reply for transaction 435, target dead 04:41:48 executing program 0: r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x1, 0x0) setsockopt$IP_VS_SO_SET_ZERO(r0, 0x0, 0x48f, &(0x7f0000000080)={0x3c, @remote, 0x4e22, 0x2, 'lc\x00', 0x0, 0x6, 0x15}, 0x2c) read$rfkill(r0, &(0x7f0000000040), 0x8) 04:41:48 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x2, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback, 0xaf52}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:48 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x4c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:48 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xf401, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3367.583606][ T9467] binder_alloc: binder_alloc_mmap_handler: 9386 20001000-20004000 already mapped failed -16 [ 3367.608340][ T9437] binder: BINDER_SET_CONTEXT_MGR already set [ 3367.648207][ T9437] binder: 9386:9437 ioctl 40046207 0 returned -16 [ 3367.689743][T14003] binder: release 9386:9437 transaction 440 out, still active [ 3367.697843][ T9467] binder_alloc: 9386: binder_alloc_buf, no vma [ 3367.709693][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3367.731590][T14003] binder: send failed reply for transaction 440, target dead [ 3367.741250][ T9467] binder: 9386:9467 transaction failed 29189/-3, size 24-8 line 3147 [ 3367.759422][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:49 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xb80b, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:49 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6000000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x3f000000, 0x0}) [ 3367.945135][ T9511] kvm: apic: phys broadcast and lowest prio [ 3367.965320][ T9513] binder_alloc: binder_alloc_mmap_handler: 9510 20001000-20004000 already mapped failed -16 [ 3368.005161][ T9512] binder: BINDER_SET_CONTEXT_MGR already set [ 3368.028836][ T9512] binder: 9510:9512 ioctl 40046207 0 returned -16 [ 3368.032088][ T9513] binder_alloc: 9510: binder_alloc_buf, no vma 04:41:49 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xb80b, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:49 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6800000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3368.092622][T11475] binder: send failed reply for transaction 445 to 9510:9512 [ 3368.102646][ T9513] binder: 9510:9513 transaction failed 29189/-3, size 24-8 line 3147 [ 3368.113998][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0xfdfdffff, 0x0}) 04:41:49 executing program 0: r0 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x3, 0x2) r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000000280)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_TOL(r0, &(0x7f0000000380)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x68, r1, 0x10, 0x70bd2c, 0x25dfdbfb, {{}, 0x0, 0x4107, 0x0, {0x4c, 0x18, {0x1, @link='broadcast-link\x00'}}}, ["", "", "", "", "", "", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x4}, 0x20000000) openat$nullb(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/nullb0\x00', 0x200000, 0x0) r2 = syz_open_dev$dri(&(0x7f0000000240)='/dev/dri/card#\x00', 0xc72f, 0x0) r3 = dup(r2) ioctl$sock_bt_cmtp_CMTPCONNADD(r3, 0x400443c8, &(0x7f00000001c0)={r3}) lsetxattr$trusted_overlay_upper(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)='trusted.overlay.upper\x00', &(0x7f00000000c0)={0x0, 0xfb, 0xf9, 0xd2f154a561b00133, 0x80000000, "da78d1c48e27fa90e0f9aeb82002a0bf", "d8fcbeb0d817029d5d11a222014644b8550d289bef564847006f7e7ebc897fa2a382dfff10315669bf1d885adeb06db9624810f9eb51e3f61deb27e313bc665a01f3640d48c47fd7c421bb1d877f33dfbb0f761e49150c22de7a8c0206ad5ca1b4d1eb3418607e60c54847d4e846621ca9d9a4a964f5f31005c8f783b569dc4488720ef6f03f4d5072385b893e393d4ed9dbb947d4ab0dcc84bb35ac5cfc5d4d3bbabbef6204837f539c81d3c13bb203ea12bab4d7a95bbf3a548548b235f7ba376f667e43925159662f75ddfc03465b7266a81a2244d4426592e58ce555ea4890d38038"}, 0xf9, 0x2) [ 3368.248939][ T9718] kvm: apic: phys broadcast and lowest prio 04:41:49 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x6c00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3368.381033][ T9825] binder: BINDER_SET_CONTEXT_MGR already set [ 3368.460102][ T9825] binder: 9769:9825 ioctl 40046207 0 returned -16 04:41:49 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x200, 0x0) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) ioctl$VIDIOC_S_AUDOUT(r1, 0x40345632, &(0x7f0000000040)={0xbc, "0c4dd69d3a566d462363a6e48c4750f7245efdafb0431af24cf98b34d7ce8bf2", 0x3, 0x1}) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) syz_open_dev$dspn(&(0x7f0000000080)='/dev/dsp#\x00', 0x2, 0x200) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3368.543905][ T9904] kvm: apic: phys broadcast and lowest prio [ 3368.579217][T11475] binder: release 9769:9825 transaction 450 out, still active [ 3368.586877][ T9837] binder_alloc: 9769: binder_alloc_buf, no vma [ 3368.594356][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3368.633092][T11475] binder: send failed reply for transaction 450, target dead [ 3368.646550][ T9837] binder: 9769:9837 transaction failed 29189/-3, size 24-8 line 3147 04:41:49 executing program 0: r0 = openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0) pwritev(r0, &(0x7f0000000180)=[{&(0x7f0000000100)="f030687c7f34b80d9839b1e876d71f310f98186d71d1f0207b", 0x19}], 0x1, 0x0) 04:41:49 executing program 2: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, r0) r1 = syz_open_dev$vcsa(&(0x7f0000000140)='/dev/vcsa#\x00', 0x9de7, 0x103000) ioctl$PPPIOCGNPMODE(r1, 0xc008744c, &(0x7f0000000180)={0xc07f, 0x3}) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f00000025c0)=@in6={0xa, 0x0, 0x0, @ipv4={[], [], @broadcast}}, 0x1c, 0x0, 0x0, &(0x7f0000000300)=[@sndinfo={0x20, 0x84, 0x2, {0x0, 0x4}}], 0x20}, 0x0) r2 = syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x1, 0x1e1000) sendmmsg$inet_sctp(r2, &(0x7f0000000080)=[{&(0x7f0000000100)=@in={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10, &(0x7f0000562000), 0x0, &(0x7f0000000000)=[@sndinfo={0x20, 0x84, 0x2, {0x0, 0x241}}], 0xfde6}], 0x1, 0x0) [ 3368.786372][ T26] audit: type=1400 audit(1553575310.023:90): apparmor="DENIED" operation="setprocattr" info="current" error=-22 profile="unconfined" pid=9949 comm="syz-executor.0" 04:41:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xff00, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0xfffffdfd, 0x0}) 04:41:50 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7400000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:50 executing program 0: r0 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x2, 0x1) write$RDMA_USER_CM_CMD_GET_EVENT(r0, &(0x7f0000000200)={0xc, 0x8, 0xfa00, {&(0x7f0000000080)}}, 0x10) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000004c0)='net/ip6_mr_cache\x00') sendmsg(0xffffffffffffffff, &(0x7f0000002fc8)={0x0, 0x0, 0x0, 0x0, &(0x7f00000002c0)=ANY=[]}, 0x0) preadv(r1, &(0x7f00000017c0), 0x1fe, 0x400000000000) ioctl$TUNGETSNDBUF(r1, 0x800454d3, &(0x7f0000000000)) [ 3368.934886][T10054] binder_alloc_mmap_handler: 1 callbacks suppressed [ 3368.934904][T10054] binder_alloc: binder_alloc_mmap_handler: 10037 20001000-20004000 already mapped failed -16 04:41:50 executing program 2: r0 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x1, 0x2) ioctl$KDENABIO(r0, 0x4b36) r1 = socket$inet(0x2, 0x4000000000000801, 0x0) sendto$inet(r1, 0x0, 0x0, 0x20000802, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) recvmmsg(r1, &(0x7f0000002940)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0) [ 3368.976473][T10056] kvm: apic: phys broadcast and lowest prio [ 3368.983550][T10038] binder: BINDER_SET_CONTEXT_MGR already set [ 3369.006163][T10038] binder: 10037:10038 ioctl 40046207 0 returned -16 [ 3369.039378][T10054] binder_alloc: 10037: binder_alloc_buf, no vma [ 3369.048968][T11475] binder: send failed reply for transaction 455 to 10037:10038 [ 3369.067380][T10054] binder: 10037:10054 transaction failed 29189/-3, size 24-8 line 3147 [ 3369.087621][T11475] binder_release_work: 3 callbacks suppressed [ 3369.087629][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3369.128115][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x100000000000000, 0x0}) 04:41:50 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x7a00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3369.135541][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:50 executing program 2: r0 = creat(0x0, 0x0) setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0x7, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x156) r1 = memfd_create(&(0x7f0000000400)='queue1\x00', 0x0) ioctl$TIOCGSID(r0, 0x5429, 0x0) r2 = syz_open_dev$sndseq(&(0x7f0000000700)='/dev/snd/seq\x00', 0x0, 0x1) r3 = dup2(r2, r1) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r2, 0xc08c5332, &(0x7f0000000280)={0x0, 0x2, 0x80000000, 'queue0\x00'}) r4 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mixer\x00', 0x86042, 0x0) setsockopt$inet_sctp6_SCTP_ADAPTATION_LAYER(r4, 0x84, 0x7, &(0x7f0000000080)={0x8}, 0x4) write$sndseq(r1, &(0x7f0000000000)=[{0x0, 0x0, 0x0, 0x0, @tick, {}, {}, @connect}], 0xffffff76) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS(r3, 0xc05c5340, &(0x7f0000000740)={0x10000, 0x0, 0x4, {0x0, 0x1c9c380}, 0x8}) [ 3369.258315][T10230] kvm: apic: phys broadcast and lowest prio [ 3369.287431][T10270] binder_alloc: binder_alloc_mmap_handler: 10240 20001000-20004000 already mapped failed -16 [ 3369.330569][T10248] binder: BINDER_SET_CONTEXT_MGR already set [ 3369.365498][T10248] binder: 10240:10248 ioctl 40046207 0 returned -16 04:41:50 executing program 0: pipe(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x10000000013, &(0x7f0000d06000)=0x1, 0xd7) socket$alg(0x26, 0x5, 0x0) ioctl$VIDIOC_G_SELECTION(r1, 0xc040565e, &(0x7f0000000080)={0xb, 0x102, 0x1, {0x8000, 0x6, 0xc141, 0x4}}) clone(0x3102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r2 = openat$vimc2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2\x00', 0x2, 0x0) ioctl$LOOP_CHANGE_FD(r0, 0x4c06, r2) futex(0x0, 0x401000000000085, 0x2, 0x0, 0x0, 0xa1f40000) ioctl$UFFDIO_ZEROPAGE(r1, 0xc020aa04, &(0x7f0000000440)={{&(0x7f0000ffe000/0x1000)=nil, 0x1000}}) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f00000000c0)='vcan0\x00', 0x10) write$binfmt_misc(r1, &(0x7f00000000c0)=ANY=[], 0x0) [ 3369.454468][T10318] binder_alloc: 10240: binder_alloc_buf, no vma [ 3369.476328][T10352] futex_wake_op: syz-executor.0 tries to shift op by -192; fix this program [ 3369.503482][T11475] binder: release 10240:10248 transaction 460 out, still active [ 3369.513959][T10318] binder: 10240:10318 transaction failed 29189/-3, size 24-8 line 3147 [ 3369.522877][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:50 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:50 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xc0ffffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x3f00000000000000, 0x0}) 04:41:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x1000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:50 executing program 2: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x100, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x8000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}, 0xffffffffffffffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000080)={0x8ad0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x7f}) r1 = socket(0xa, 0x3, 0x8) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000180)={'b\x86idge>\x00\x00\x00\x04k\b\x00\x00h', 0x7b01}) ioctl$sock_SIOCGPGRP(0xffffffffffffffff, 0x8904, 0x0) semctl$GETNCNT(0x0, 0x0, 0xe, &(0x7f0000000f80)=""/4096) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f00000034c0)={'team0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f0000003580)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000003540)={&(0x7f0000003500)=@gettclass={0x24, 0x2a, 0x0, 0x70bd2d, 0x3f, {0x0, r2, {0xf, 0xf}, {0xfff7, 0xb}, {0x10, 0xa}}}, 0x24}, 0x1, 0x0, 0x0, 0x40}, 0x1) getxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=@random={'user.', '\x00'}, &(0x7f0000000100)=""/84, 0x54) openat$ipvs(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0) fcntl$F_SET_RW_HINT(r1, 0x40c, &(0x7f0000000400)) dup3(r1, r0, 0x0) [ 3369.560196][T11475] binder: send failed reply for transaction 460, target dead [ 3369.579427][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3369.711962][T10468] kvm: apic: phys broadcast and lowest prio [ 3369.739667][T10490] binder_alloc: binder_alloc_mmap_handler: 10474 20001000-20004000 already mapped failed -16 [ 3369.758623][T10482] binder: BINDER_SET_CONTEXT_MGR already set [ 3369.803663][T10482] binder: 10474:10482 ioctl 40046207 0 returned -16 [ 3369.803789][T10571] binder_alloc: 10474: binder_alloc_buf, no vma [ 3369.850510][T14003] binder: release 10474:10482 transaction 465 out, still active [ 3369.869925][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:51 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xfdfdffff00000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:51 executing program 2: madvise(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x64) r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x40000, 0x0) getsockopt$SO_COOKIE(r0, 0x1, 0x39, &(0x7f0000000040), &(0x7f0000000080)=0x8) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$inet_smc(0x2b, 0x1, 0x0) accept(r1, 0x0, &(0x7f00000000c0)) 04:41:51 executing program 0: openat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x10000, 0x108) syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0xffffffff, 0x0) r0 = syz_open_dev$cec(&(0x7f00000000c0)='/dev/cec#\x00', 0x2, 0x2) recvmsg$kcm(r0, &(0x7f0000000740)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000780)=""/4096, 0xffffffffffffff35}, 0x0) r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup\x00', 0x200002, 0x0) r2 = openat$cgroup_int(r1, &(0x7f0000000100)='memory.low\x00', 0x2, 0x0) writev(r2, &(0x7f0000000700), 0x10000000000000ed) [ 3369.897905][T14003] binder: send failed reply for transaction 465, target dead [ 3369.922126][T10571] binder: 10474:10571 transaction failed 29189/-3, size 24-8 line 3147 04:41:51 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x2, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) socket$inet_smc(0x2b, 0x1, 0x0) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) ioctl$sock_inet_SIOCRTMSG(r2, 0x890d, &(0x7f0000000040)={0x0, {0x2, 0x4e24, @rand_addr=0x4}, {0x2, 0x4e20, @initdev={0xac, 0x1e, 0x1, 0x0}}, {0x2, 0x4e24, @broadcast}, 0x9, 0x0, 0x0, 0x0, 0x6, &(0x7f0000000000)='sit0\x00', 0x77ab, 0x2}) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0xfdfdffff00000000, 0x0}) [ 3370.022881][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3370.043407][T10627] kvm: apic: phys broadcast and lowest prio 04:41:51 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0xff00000000000000]}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3370.272846][T10815] binder_alloc: binder_alloc_mmap_handler: 10760 20001000-20004000 already mapped failed -16 04:41:51 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3370.331890][T10798] binder: BINDER_SET_CONTEXT_MGR already set [ 3370.367327][T10841] kvm: apic: phys broadcast and lowest prio 04:41:51 executing program 0: syz_emit_ethernet(0x5e, &(0x7f0000000000)={@remote, @local, [{[{0x9100, 0x5, 0x0, 0x1}], {0x8100, 0x4, 0x100000001, 0x2}}], {@canfd={0xd, {{0x3, 0x7f, 0x7fffffff, 0x400}, 0x3e, 0x1, 0x0, 0x0, "b42c956acc6641c1860619a1bb72e105053c4c21ef612ec106bcaa67eeced1eedae6fb807786694134b3f332d9804cd9222a0d04bfee9cfb39695f577295767a"}}}}, 0x0) [ 3370.382176][T10798] binder: 10760:10798 ioctl 40046207 0 returned -16 [ 3370.404858][T10845] binder_alloc: 10760: binder_alloc_buf, no vma 04:41:51 executing program 0: r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x40, 0x0) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r0, 0xc01064b5, &(0x7f0000000080)={&(0x7f0000000040)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000180)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$ION_IOC_ALLOC(r1, 0xc0184900, &(0x7f00000000c0)={0x6, 0x0, 0x1, r1}) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000100)=0x0) fcntl$setownex(r2, 0xf, &(0x7f0000000140)={0x2, r3}) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r1, 0x40085112, &(0x7f0000000200)={{0xffffff92}, {0xffffffc0}}) [ 3370.429602][T11475] binder: send failed reply for transaction 470 to 10760:10798 [ 3370.440204][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3370.464080][T10845] binder: 10760:10845 transaction failed 29189/-3, size 24-8 line 3147 [ 3370.500943][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x3) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:51 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:51 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x2}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3370.814546][T10964] binder_alloc: binder_alloc_mmap_handler: 10915 20001000-20004000 already mapped failed -16 [ 3370.832442][T10937] binder: BINDER_SET_CONTEXT_MGR already set [ 3370.845721][T10937] binder: 10915:10937 ioctl 40046207 0 returned -16 [ 3370.858335][T10964] binder_alloc: 10915: binder_alloc_buf, no vma 04:41:52 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3370.896722][T10964] binder: 10915:10964 transaction failed 29189/-3, size 24-8 line 3147 [ 3370.905344][T11475] binder: send failed reply for transaction 475 to 10915:10937 [ 3370.925003][T11475] binder_release_work: 1 callbacks suppressed [ 3370.925009][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x200000, 0x0) ioctl$VT_RESIZEX(r2, 0x560a, &(0x7f0000000040)={0x0, 0x7ff, 0x5, 0x9, 0x4, 0x80000000}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3370.956070][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3370.969521][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:52 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4), 0x0) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:52 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket(0xa, 0x1, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f00000000c0)={0x87, 0x3f, 0x8, 0x6, 0xce, 0x800, 0x0, 0x0, 0x0}, 0x0) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000140)={r1}, &(0x7f0000000180)=0x8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x0, 'veth1_to_team\x00', 0x8}, 0x18) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f0000002bc0), 0x0) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f0000002a80)={&(0x7f0000000080)=@in={0x2, 0x4e24, @broadcast}, 0x10, &(0x7f00000027c0), 0x0, &(0x7f0000001540)}, 0x800) ioctl(r0, 0x8916, &(0x7f0000000000)) r2 = syz_open_dev$swradio(&(0x7f0000000100)='/dev/swradio#\x00', 0x0, 0x2) ioctl$ION_IOC_HEAP_QUERY(r2, 0xc0184908, &(0x7f0000000200)={0x34, 0x0, &(0x7f00000001c0)}) ioctl(r0, 0x8936, &(0x7f0000000000)) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x100, 0x0) r4 = open(&(0x7f0000000040)='./bus\x00', 0x141048, 0x0) close(r4) r5 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$EVIOCSKEYCODE(r3, 0x40084504, &(0x7f0000000400)=[0x7, 0x81]) mmap$binder(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x5, 0x30, r4, 0x0) bind$inet(r5, &(0x7f0000e5b000)={0x2, 0x2004e20}, 0x10) connect$inet(r5, &(0x7f0000ccb000)={0x2, 0x4e20}, 0x10) r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1, 0x3, &(0x7f00009ff000)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3}}, &(0x7f00002bf000)='syzkaller\x00', 0x1, 0xb7, &(0x7f0000000440)=""/183}, 0x48) r7 = socket$kcm(0x29, 0x1000000000002, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r7, 0x89e0, &(0x7f000031aff8)={r5, r6}) ioctl$sock_kcm_SIOCKCMCLONE(r7, 0x89e2, &(0x7f00000003c0)={r4}) sendmsg$rds(r8, &(0x7f0000001c00)={&(0x7f0000000080), 0x10, &(0x7f00000002c0)=[{&(0x7f0000000500)=""/4096, 0x1000}], 0x1, &(0x7f0000001b40), 0x0, 0xffffffffffffffff}, 0x0) [ 3371.081469][T11076] binder_alloc: binder_alloc_mmap_handler: 11071 20001000-20004000 already mapped failed -16 [ 3371.135565][T11073] binder: BINDER_SET_CONTEXT_MGR already set [ 3371.143316][T11076] binder_alloc: 11071: binder_alloc_buf, no vma [ 3371.158923][T11073] binder: 11071:11073 ioctl 40046207 0 returned -16 [ 3371.194518][T14003] binder: release 11071:11073 transaction 480 out, still active [ 3371.215120][T11076] binder: 11071:11076 transaction failed 29189/-3, size 24-8 line 3147 [ 3371.229852][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3371.254410][T14003] binder: send failed reply for transaction 480, target dead [ 3371.292805][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x8, 0x3010, r0, 0x4e) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000180)={r1}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(r0, 0x10e, 0xa, &(0x7f0000000280)=0x4, 0x4) r3 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040)={'syz', 0x1}, &(0x7f0000000540)="4cc2699d07580b45153e2593ed5afbdbafb935755dec48dba6f7eb0929a9e1375540ba5a8a91224641d13a61fc96fd53103f7bc2c5f51903e7d372e58bc418944283f9df36bda7789174140e4061b18583455653b35cb17b41b41f77500c5794766eb8c2da359d118902816251946779aab5084edf10d3e5f74be41fc37ad7fbbfdd39d76cccf3478f93aa848017bfb0ca2d47faf61fa09812c9ca5e52a9bf73ab07fc153e68d5b43f2f30b6331c90ee94f5ae70cda384160568c18b1d9525a7f62f9357836d9d8189c62b059d9875ec56acf5d68937692361adb87e4965a8337fc2516c1e96ad8e8947930e8a4cd4bf397074d4ece783e2032026eb0ae38beb8b8fe7944d2225ad3e590a8b6889dbfd076b575a88effdfdb395ff39c4c4adaab66c0271c9fe9b33f8d5eeaedcdd851ef0caa89a0b3e806a2a27521abb39beccb8270d4c711f94c66719505edd648816734e871fa60c4f9a2f5aa6b9997fcaf72163aac6c31e50710df9bd9ffce0a7fa197c2e44f5053a091794dd6e95faaab5f45b4e2d0b94ef94f9af4580b8157c6c8a7ec381fb06341eb9ea7ca893c079d7fbc0dee1a171e1f5f268a87fc274439588c50d3abc80fc5215d2dd2a9f57a8d0189d66a6fda119cfa1289427b4b6d9fa9834a792f713107fdd2f659253aba9228bbf0c1b5641a39e4a425781629d0ea72f02f907ecc16e4c64ff90e0f66587cd3df115f1112544cff98497cc43401d3bb30c4867d79e3c5bb0cfcd6f030eb82d91dbeeda5ed9608ce7e635f13616d46c1a131d93e0f9ccf6b6d9e43e0d4a5588c55cc4db3c67f7e19ba4d41e1e54f06f1ff317bd6681996a109fd5557558a5d4d8dcec8e77b25265d955ed9313945a79b057d808b30cf9f668f902e649de18fd3bd3d6b9d6174b7bdb52f6da05934ebbf46f1d13222597d6676c95d045d1aabeef845ef93ea27ec693cef9bd094445fd1d5114923d53ec22a911e0f98b1908ba044187e7705992865596342ebe06d0528621ec46b7d087111b854858a18cb299d8d20c135eea5ba01387b3e5a9125c744fd2b9033bf6d9b56815a0aa2b2211b9af2c183770c176ae7c95b6c4fd87531cc3eb62e394963c4a38ba0fb46268e8146a4664ccd5741fc522dbd56a0879fb0eda86b27712c8fdc13a9f647e56df49532e6c7f3b298e87563e49e86f8be20a8ff83a31b1c3c049fa01c190df01a93f7cfe068764df8b2ed8c31b2b3dde5156ac403036747d75af05fad88eb158c13f10e6b3c8a1064f3ff2cc57a7dfc3cefd08c7e36de1f7568175a32d6cb114c35f06e201bc8f33b7ebffefb8ca7335cee81d0d76a405068e3cae203987923cd33b6660c818d7b08ec4fa1b66b1dcda3314223633857cecaa63a91b3204ca2869bbc4add44ff7daa66481c16106006e1df83c179b5307199309158a8f3046a523ea57352db35b751cebcc1e1094621e6eb89a7fbc66d4b86c148b8059bf551ba5586cb92a926085ae66dd72cde2c46b3b63814812d95be0e5f4fdf5876d2816b19b86cee6a209b8b56748039221c61b6486785628746cfd98dbec55ce2aded413af47800e2b43d60890437e988dd31f1fe5f389476e5e031ce6dea7908b2e4b977ee7882e0b954ede0197eb2fcac5c82d2d59230346a99bd245f6cbb095b52a1857c2658cbfaa49ef381c1a784b8a0605327efaf9bf2210cc22fc9ec40d40cbdaa2c1fafa051bb858f316030dcd9b27964decbd38d0cbe3a9852df31e4dfabbf23050f50cec5c9438263efc110d095d7624b033cbe8721c727dcced56324bd218dce7c1769592a998599ce3834d398bea2007a949bff1ae623f95defe091f7c2728bcdb06a4d62e4af26922b5877e5cebf8de8ea57049310cbf8263bb2584501dd43b53542537463c850785a96c173b7326ea5888eaddff926bcf5da33c4ce92d1e36a46f60e42d734757810c922865282f7332e3f1c0d91352c8fd8e4df03c08334f39ed1443d323e208ba7cfb93a746a6596d3ba61d5d4c9f3c364fae20a411805cc6a33f70372328833fb41f219834a84ffd963d826a93e93addaa574c3446813085815e9fae3fa4e617ca02eb922287e3f1306f8391675deeef92bf265c66a7339f86dad71a239b51849bfd10c9b8faf83462eee3b215adc96b69c321cdbc7d06b2ef5a1c2a08716c85b8ca6719ba36ea5e657b9b20e64679d66b16890dc65180d0c1216f7f735c5afc8fdbe35391495fef6183918091f40e9c277fb0e718afa5b3dd9d4af0968e80e36abb93a1495aecd7a65c3fca4f510f97b5ef113a25cb5b170ce35ffaeb5e89dff1055abba1c79df20b44185142ffc8b04062aecebe94e89dc543766e40f1c596e052b82ba0897c611249f428c720d79027a5114543cc743f10445fd3c495a2ce5816ca852b89d6843a0f3c09120f7e526a92f434487b285e28d9148bfad668d36b7e776c19390b78f4e061bc941e4c76a2f94e8310090f12fdc6bd6193ff491eb958875389bfcb37e62f75a9601967021a512729207b5f85f30c37d2eb32c742b7f4c927ff3b770071126be84c05103192f99541bc7c30e4638133f414fc4a87a3063d205ab20fb9a08d041805a05079498a96d583e13e6cdbbd18c9a6d0f120a931dd270bc8e3719b50babc6d637cd615b58eac7e311b636d3905d824ec3593e4ee7bfc5b2d74a4d7fd92c139813c88e9118281e45da2a497e2726343ab227d37bfbe99c69c238e0e0f74832dc25580bc64a3d500dbddd1874a8f31aecfa680fc3ee0856b2d25fc2aed44f13f94f2460aa4fff7a3612e46e41e3db05069908ae593f81c63bbae0b50e8b328ddc3d4f6205bba80a06973f88c37b4859e9dd8c97236a195296a774bb81b240a00cf3698ccd9fc98d4e5856f76576698d2e4591b213be95bd17078f6c37677cabc2510729a03280fa830c0f95e11c0aa8d321cda347e8bb7c8a06e6153e6129b5202ebdd47ca63a3c78e52959377a827b45625ec7759544ed07c16a15abf702e77703b5ae3cbff9aa4117bd3cbb77ac22edae835a17dcf49e2688f80de0959ec1f9ec2a1a96efb414ddcfd36c6467d061e937dcc63cc6413cb434d032828620458524849fde8a6d7496c4f012b58ff0a12aea6bf3c4f06ec2fedb2842dc715df83bd665b700e790550c74531e089e73050c973e44c6560a1bf4154398afd707faf181ad1ec9361b6b14c59744ec657f419a35ab449d9875a091ccb864181607ba6752dff6e847ce4629da9878f18efe99fa39d8eaf975f2822ab6ac07fb36079a75037c3ae166f31d7facfa1d0d70272a125f87cf011704248b3a8b4d9c0cd55c8daa9bfd382019cc1d8b26b271147a59a9b20a535ce1eec6393c538c4092109411b58403e9e8374ca300209ae92925b603eb3f24fadf2fed51c11ede536a0c6c83e0c7a2e36be8cc5124df30212fd6ee96a2566a8e78e56f45c959ec4cb5f82a76f0dc656faa2e8f409af29c140f209d44972f17bdb0fb2a02cddeb51e5156d6d8f85bc75cafc841d4b5020bd339f3acbb8514b4aeb0bd432c56c1d2f724b20b18c515cf6cee744ff62e6eb1cfc61b42bd1965291ab2d2753d4da6783c34a85b76e241618ecaf8836e7ed53d1d1b20e4b4cf62a3e4e09e812879ad475d30a2e7d92e9a833ae8f038950f14fdfbc63b1e338db1d57a732d3ed86061f8a84ffe036751c19d8ab9210abbcac35ec8e456bf3a1a31bf674182b0638236b864c1c4875d033ed7f3267f2d2e9023c8f2ba1f3ed9a377a7b28fa55e54226c580265d4f8071b04df677bc9b2f961570fea6e12ef9e41941f8baee872c3374a0da14ae4f70d5476c300b8b56e446f229166df314d9cc5c8420aa4972650aab09e8316f697a0fa456bd7a75b4c41b00a9a3cba8434855c426394414deedadcc2f291620bed88e5afbb9452d58b130fc3264ac7869b42e59b5295be1b2874c660f147e00b906731b943a37837694a2d505c083cd5d335d2d60651fd8de76e96b1b1ae6b135ccb1a76639b8545aaf57b97a5d5c035af7f077350e934f4e44de8a7b4c4f3c13cafd0ac8b1b85de41f47fa55e6e1781883902965f260069b2c7742eeb64c0aebe121a1129f72597ac8b0c0b3847535bbeb125fe385de5a899d3daa81f0efa54944255ee590eb5ad250b4e3f69c8298fe7479eda15f66ba054fd84bef30cbfcaa09a2a4ecc3fa56b060df9e9cb222ba49ea917a7d3b4ef8efe9aa7eb73237763430310c9a23a31f13a267145a9c7b8ccfa72d02f303af794ad0d608e5df4492708255cff35df8d1d9f13aa1ce4226840928fdf402e3489c21b547cec0fdc32f1fd8c2f4afb0cb43d6bc367527500688d4027865966f49ea23a3718e27ebd5f03aecb81aa22b62a3f62ac609284eb9207dee1dfcf151448d87201b75e8eda87db4e7494d6e03f5d74fb02bc9a678ad0368e5614f9b74dee0b0b8f9ae7d1830662f87a7a64252a1e83c831aca13bf685b5537d74bdf61a95a6b02638435868ea3b24ed4bb929114e1e4da8f8c893e54a188822042b58cc3bf485856d46d7b9c62ce739092c54cf17765c1fc0d377d7637ef4badbe9a61db255de9834b25e8ce6a2f1a1e7ff9afa241cbd9ece60de2d42b64ce67ac88c31df90556c92c9580f9ca0d40587af96bc04ba8e0e546078cc1728c559b96c8ad4c80fe0c65db7ce3f076f5df7069250e6e9e8067a870e52ef0d708ec3546155af93ea9e167405e58bf6f02e4a6cf2210e5fdae3fa31a31f39419398fb0de53e73f4090a4f6f6323f6e78f90b4819b6377e9d3eb71c4ed994661232e340ff76c9e5a75e9b173add25786709dc00f58ad3f75574538eff6e00e58d998db4080c612a805e25ee36e4fa719e2706df3d8598b5040ac2bbdde2928ae99ba3c60ac925e16326c2650ad9d87a676b868ce9f36eeaa7de8f53abba4ff3b5e65e9df68425528da4dd04eac48487621810ecbf5e0dba56ee0da937cf9a1d8a5542790104d80a2cdf08836dd7fd871d70892c4d3c741df049ba3ac0c91818f73e862efad96025c59a812cd477d2886b7b2efa885ac204fce0ddab018d9e9e3a61875aeda574075d882ae55fa31ca424073af9cf69b97a0de010f6c1dcd9e58e172fe79ad2d2892fce844889fa7585049c8e5fa43c4cb81832cb46c43859c478a1f6004bfcfed3a0528586dd4b9cc486ebf4d8f0af420dbb6395113e8ae3ad4d6982419765d4bd1bf8e6e1b5ea44f11f7a52a757336e0521aa252f16849e1bee8c4503d08fc9253c242537a4cb8a103fd0e5f1340dbefc3014518b0c8286dce34dccd5285ed14e9b60d83dd1c3eab5233c8d04df48250e8f10bfa717aa2ddfdc9af05ccc20086825595191dfbd5d3ecfd82afe0b9319b9ee066e950cab2b9e10a091cbe2da00336549a08ea83b657be76acf18f446cad78b87968f6352ee0a77b628ed95e936e861e56428d0e95b09cd547f07549d47b5d2367511f341774808f36fe6829287b27f64aa3d8b42d5a3f2cf70a9e005921d3210b3cb4f15bbe8115a3725285288ccb72598a6c3a829cfb9581160255a6b9d5407faf66b0b3b74cc72203bed4aa980b69dcbd570964a52b032105164a74ad26c5b9c0112a87e5e2baf2a31fb3e73ae96c6a11b6155f31714fad55eba080e6663f341731039319d422211e468fdf3665acc2b8c6931fbede6bf4dc260fc5627c3eeeed7acd2a8784fb1f196104173a66db4fef58b111bcb07e3792ee164d60c72e8142f74724746da739e34c730757cdfb16b786ee526920a962c7abe50c4a712f49c4b48", 0x1000, 0xfffffffffffffff9) r4 = request_key(&(0x7f0000000080)='keyring\x00', &(0x7f00000000c0)={'syz', 0x0}, &(0x7f0000000100)='/dev/binder#\x00', 0xfffffffffffffff9) keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r3, 0x0, &(0x7f0000000140)=@keyring={'key_or_keyring:', r4}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a707300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:52 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x3}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:52 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x4000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3371.572327][T11204] kvm: apic: phys broadcast and lowest prio [ 3371.584300][T11209] binder: 11206:11209 got transaction with invalid offset (0, min 0 max 24) or object. [ 3371.655894][T11209] binder: 11206:11209 transaction failed 29201/-22, size 24-8 line 3241 [ 3371.708303][T11225] binder: 11206:11225 Release 1 refcount change on invalid ref 1 ret -22 [ 3371.781146][T11209] binder: BINDER_SET_CONTEXT_MGR already set [ 3371.830755][T11209] binder: 11206:11209 ioctl 40046207 0 returned -16 04:41:53 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer\x00', 0x18901, 0x0) ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000180)=0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r3 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video35\x00', 0x2, 0x0) ioctl$VIDIOC_G_EDID(r3, 0xc0285628, &(0x7f0000000080)={0x0, 0x4, 0x101, [], &(0x7f0000000040)=0x7}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000140)=ANY=[@ANYBLOB="852a62730000aa8a12309820b9fbfe82864695", @ANYRES64=0x0, @ANYBLOB="0000000000ff0000"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$NBD_SET_SOCK(r2, 0xab00, r2) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$vbi(&(0x7f0000000200)='/dev/vbi#\x00', 0x0, 0x2) ioctl$sock_FIOGETOWN(r4, 0x8903, &(0x7f0000000280)=0x0) ioprio_get$pid(0x1, r5) syz_open_dev$binder(&(0x7f00000000c0)='/dev/binder#\x00', 0x0, 0x802) [ 3371.990563][T14003] binder: undelivered TRANSACTION_ERROR: 29201 04:41:53 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x4, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3372.050360][T11307] binder_alloc: binder_alloc_mmap_handler: 11301 20001000-20004000 already mapped failed -16 04:41:53 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3372.215465][T11306] binder: BINDER_SET_CONTEXT_MGR already set [ 3372.260558][T11306] binder: 11301:11306 ioctl 40046207 0 returned -16 [ 3372.271172][T11348] kvm: apic: phys broadcast and lowest prio 04:41:53 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket(0xa, 0x1, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f00000000c0)={0x87, 0x3f, 0x8, 0x6, 0xce, 0x800, 0x0, 0x0, 0x0}, 0x0) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000140)={r1}, &(0x7f0000000180)=0x8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x0, 'veth1_to_team\x00', 0x8}, 0x18) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f0000002bc0), 0x0) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f0000002a80)={&(0x7f0000000080)=@in={0x2, 0x4e24, @broadcast}, 0x10, &(0x7f00000027c0), 0x0, &(0x7f0000001540)}, 0x800) ioctl(r0, 0x8916, &(0x7f0000000000)) r2 = syz_open_dev$swradio(&(0x7f0000000100)='/dev/swradio#\x00', 0x0, 0x2) ioctl$ION_IOC_HEAP_QUERY(r2, 0xc0184908, &(0x7f0000000200)={0x34, 0x0, &(0x7f00000001c0)}) ioctl(r0, 0x8936, &(0x7f0000000000)) r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self/net/pfkey\x00', 0x100, 0x0) r4 = open(&(0x7f0000000040)='./bus\x00', 0x141048, 0x0) close(r4) r5 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$EVIOCSKEYCODE(r3, 0x40084504, &(0x7f0000000400)=[0x7, 0x81]) mmap$binder(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x5, 0x30, r4, 0x0) bind$inet(r5, &(0x7f0000e5b000)={0x2, 0x2004e20}, 0x10) connect$inet(r5, &(0x7f0000ccb000)={0x2, 0x4e20}, 0x10) r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1, 0x3, &(0x7f00009ff000)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3}}, &(0x7f00002bf000)='syzkaller\x00', 0x1, 0xb7, &(0x7f0000000440)=""/183}, 0x48) r7 = socket$kcm(0x29, 0x1000000000002, 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r7, 0x89e0, &(0x7f000031aff8)={r5, r6}) ioctl$sock_kcm_SIOCKCMCLONE(r7, 0x89e2, &(0x7f00000003c0)={r4}) sendmsg$rds(r8, &(0x7f0000001c00)={&(0x7f0000000080), 0x10, &(0x7f00000002c0)=[{&(0x7f0000000500)=""/4096, 0x1000}], 0x1, &(0x7f0000001b40), 0x0, 0xffffffffffffffff}, 0x0) [ 3372.323905][T11334] binder: 11301:11334 Release 1 refcount change on invalid ref 1 ret -22 [ 3372.350164][T11369] binder_alloc: 11301: binder_alloc_buf, no vma [ 3372.356458][T11369] binder: 11301:11369 transaction failed 29189/-3, size 24-8 line 3147 [ 3372.443060][T14003] binder: release 11301:11306 transaction 487 out, still active [ 3372.456673][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3372.492428][T14003] binder: send failed reply for transaction 487, target dead 04:41:53 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x5}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:53 executing program 2: r0 = syz_open_dev$cec(&(0x7f0000000400)='/dev/cec#\x00', 0x1, 0x2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x401, 0x0, 0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, r0, 0x0) setsockopt$inet6_tcp_int(0xffffffffffffffff, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4) connect$inet6(0xffffffffffffffff, &(0x7f0000000080), 0x1c) setsockopt$inet6_tcp_TCP_ULP(0xffffffffffffffff, 0x6, 0x1f, 0x0, 0x0) setsockopt$inet6_tcp_TLS_TX(0xffffffffffffffff, 0x11a, 0x2, &(0x7f0000000000), 0x1e1) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000040)) shutdown(0xffffffffffffffff, 0x0) syz_open_dev$evdev(&(0x7f0000000480)='/dev/input/event#\x00', 0x0, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(0xffffffffffffffff, 0x84, 0x64, &(0x7f0000000140)=[@in6={0xa, 0x4e22, 0x1, @mcast2, 0x2}, @in6={0xa, 0x4e23, 0x4, @mcast2, 0x5}], 0x38) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) lsetxattr$trusted_overlay_origin(&(0x7f0000000180)='./file0\x00', &(0x7f0000000280)='trusted.overlay.origin\x00', &(0x7f00000002c0)='y\x00', 0x2, 0x2) sendto$inet6(r0, &(0x7f0000000300)="7af995f477289c50c148a2ca9f325d079b01d936114ca05333c875194f8f078c1f12ad217e7afa32ea07053bacbfabd54c0a897281eee26c8ede856fcc25248ca867681edcebb7d9", 0x48, 0xc804, &(0x7f00000001c0)={0xa, 0x4e22, 0x8, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x2}, 0x1c) add_key(&(0x7f0000000100)='asymmetric\x00', 0x0, &(0x7f0000000200)="3058020af10cb8b56c96d27c44d58e96ea51a7dfc59e92e80d9482ca7839173a8f1143a711f5a939b4fd0072693a46df8df6616dd21be3453ecf73039a20f43acbc5370100a9070ae27dd847474d1e59b2697801e6ebd80f75ca", 0x5a, 0xfffffffffffffffd) 04:41:53 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) syz_genetlink_get_family_id$net_dm(&(0x7f0000000000)='NET_DM\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0x0, 0x2) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000100)='/dev/autofs\x00', 0x80, 0x0) setsockopt$inet6_tcp_int(r3, 0x6, 0xf, &(0x7f0000000140)=0x9, 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r4 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x149402, 0x0) ioctl$KVM_GET_PIT2(r4, 0x8070ae9f, &(0x7f0000000040)) fcntl$getownex(r2, 0x10, &(0x7f00000000c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3372.656790][T11431] PKCS8: Unsupported PKCS#8 version [ 3372.712394][T11440] kvm: apic: phys broadcast and lowest prio [ 3372.741576][T11486] QAT: Invalid ioctl [ 3372.773432][T11540] binder: BINDER_SET_CONTEXT_MGR already set [ 3372.799752][T11540] binder: 11463:11540 ioctl 40046207 0 returned -16 04:41:54 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x5000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3372.837209][T11486] binder_alloc: 11463: binder_alloc_buf, no vma [ 3372.890797][T11486] binder: 11463:11486 transaction failed 29189/-3, size 24-8 line 3147 [ 3372.932516][T11540] QAT: Invalid ioctl 04:41:54 executing program 0: r0 = socket(0x2000010000000015, 0x80000000005, 0x0) mmap(&(0x7f0000000000/0xfda000)=nil, 0xfda000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = socket$inet_icmp_raw(0x2, 0x3, 0x1) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000000)={0x0, 0x9}, &(0x7f0000000040)=0x8) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, 0x0) 04:41:54 executing program 2: mremap(&(0x7f0000ff0000/0xe000)=nil, 0xe000, 0x1000, 0x3, &(0x7f0000ffc000/0x1000)=nil) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000001e40)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) r2 = getpgrp(0x0) lstat(&(0x7f0000000080)='./file0\x00', &(0x7f0000000300)={0x0, 0x0, 0x0, 0x0, 0x0}) r4 = openat$vsock(0xffffffffffffff9c, &(0x7f0000002200)='/dev/vsock\x00', 0x101000, 0x0) getsockopt$bt_BT_VOICE(r4, 0x112, 0xb, &(0x7f0000002240)=0x7, &(0x7f0000002280)=0x2) fstat(r0, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000001980)=0x0) lstat(&(0x7f00000019c0)='./file0\x00', &(0x7f0000001a00)={0x0, 0x0, 0x0, 0x0, 0x0}) r8 = getegid() ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000001a80)=0x0) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000001ac0)={{{@in=@loopback, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}, 0x0, @in=@broadcast}}, &(0x7f0000001bc0)=0xe8) r11 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snapshot\x00', 0x80000, 0x0) ioctl$CAPI_INSTALLED(r11, 0x80024322) r12 = getegid() r13 = openat$zero(0xffffffffffffff9c, &(0x7f0000001c00)='/dev/zero\x00', 0xa0003, 0x0) r14 = openat$apparmor_thread_exec(0xffffffffffffff9c, &(0x7f0000002080)='/proc/thread-self/attr/exec\x00', 0x2, 0x0) sendmmsg$unix(r0, &(0x7f0000002100)=[{&(0x7f0000000100)=@abs={0x0, 0x0, 0x4e21}, 0x6e, &(0x7f0000000000)=[{&(0x7f0000000180)="b764b5fca91ed93f5819e2242799044fa76448ac87fa025d1f5085b1ccde5f90f06699154fed65b72a2674ed4ce99e8fc6d986703846faf5d6a91c9e2a827c35d9f338357d64069d97140d23ac", 0x4d}, {&(0x7f0000000200)="1788fa54f87ae345bdeb240d05bb3facac633df30dc2d7f0b2b5aec6a2e5896cb8b62478679936bad5aab65c0421a83fb451833928b0ce884630228b9da873b8846b6ab05703c5551c95f72432b2fe8612d8262fba392d95d102fd410a6dde71ea2fa35e3a644bd457c122aebb0f360a0ed98bebf128834ffc299a8bd7b34117227620a5681eafeff82e9521f9bd7d311ee1115335364fa266dcae601726ec6bb775bce13f66db9c5f22d943cf151fd3485ebc34f99126497a2e08883b3188170bd71045cd065b557672dc98bb4ab6260937cf9fbb2a6d03b7e6b86d0f3ba6549f89227812e85d9d534ff8c599bbdd752b85562e0d4b719bb320f862", 0xfc}], 0x2, &(0x7f0000000400)=ANY=[@ANYBLOB="20000000000000000100000002000000", @ANYRES32=r2, @ANYRES32=r3, @ANYRES32=r5, @ANYBLOB="0000000030000000007700000100000001000000", @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r0, @ANYBLOB="0000000018000000000000000100000001000000", @ANYRES32=r0, @ANYBLOB="0000000018000000000000000100000001000000", @ANYRES32=r0, @ANYBLOB='\x00\x00\x00\x00'], 0x80, 0x20000000}, {&(0x7f0000000480)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000001900)=[{&(0x7f0000000500)="93be1b3e462537e508844e7c283e64aa68ea500908451011f8ccb1c3ca7084f28654c923af0377e434ad4053e8d706dea7ccfb8b2693772260540cc2ab38e344ead88b455c4cc41578299263d354c543f49a9f9a09b6f534da54cccf0a87ba91630036a1c52d27d5a9d385a4cf53d3d652a8981877284de18aa61240f22c60fb34fa231bdd21d129cec8239d29795f68059ebfcce32998d5ee0a19e2fb0002b416cc4f13b5985db0449355f3ebb0401d40526dfb3dd78e1d7464e7a874d94c785bb7f010554a7779ddc9e688a0c91e8b285ece9f973080fcf04297b0ddedfd44b5efba221c566aed9910b920d46a6651bc7b3f55d9dbb40c7e7be0caf32a222e9157891d05032de9c52adc0ba766b3f09b112322dcdd3a4508b55b1f7940c65fff6164344ec530341ffd87f16f76d3c2e69317a11361b925aad692cac0a18d2a570f653145fc3e2d7f6576b4015f8a677e128859cda27ce6a016d2061b58bf2ff44c9e64f0254cec580c06ca551c5fe1c11e39633797302517b3416415b98277348c0de3edceea708f46b5494a0006ece72623a76ad94a6cb4a67c65b54bef800d6dbd6ebcdc572df6e8c796131ae114084b039eb51b750b115bba415fa225fdff80b948989cfa6761437a067cbd3709ad54481659d0787f0218fa6fa0aba02ed0f6652af40ea35c94ab8c4ed6e624cde371192826d33c225ba84b5f7573f389c9cf639df22c2bacd21736be401fb0795d9fa3fab9b924264c0b7cefc47c9268a06169fb88f6a95443b442a1b876492f1e1f219a4db6ad740fe04101f1271dfe15d6b6c82facf2e81dd63bf71368c2ac6d7a1f92b512243e870dd70474b9c51d259a51ce7f0587856bef93fa45800228194555a6a9003744b909cfd13ada0fe5368a41e967ae7b64d25706293c1b972a432f17337764f14bc49c0960822d45f0c4726c7ff32fefc29647094fb97a8fe41bad08c625b1103282c3b7d11eceab45143eedc9ccddf01edf97008995337977a597983071e67e850d74836c33dcb96c04d17026382bfa474825b623e8ff13a6cd90c248538de49167ae8e884ed99b3b993285cec0848480b6b19c360fb69134dc37caa075804aa011b9c0ab978d970b314eaff845303201ef32941cb9e307bbc66e00002c09f29997db641f8eb6bafe1ed8423df0b7a44784c800156b5878d97a552b8fa4e3b97063fda12e2136975403f6972496e2fbe96864197e6a27a9602f49bc2eacb94a903ac60e0d3b0bdf01897e7aa46bda34564240fa3f470d9df5794d2c554a20d4253b6521c6cac946ef39a8605d30b69270b13b500ac00c95c3034ccb39216f1690d9684e25a778a98431b911f9ec729e693f898d0dee7db06c634ea22460fc0207d120fb154318aaad04b27b86fe5b560ecbc3bdce6c39c8a0932778db008297afedc48a6b6fd88021148aff7e25abbadb792f45a2a230eea3879dd13aea359096dc70f3fcd934b390b4957f623d70e8abe38bbf3c68cf9644607a6509c9bdb0351aeaa134c85a11d8b22b99f50fcf66864524293b06b2839e6f380168112ddaffefd02776895fe241a8ddf21ebccf8f8b889abce24dd1aff5f4a7f050ddba0947f5e554defbfd8f4ac198454524550e8e447d67c783843afd21aa19c75a194e43368341ec66650cb2cc2f165b023d08f1fc765c352f8d76b369593b166f54f4197e883fc5c4852abb5e551b4b3fa9f5827f6c6393a5a9a0c3c9865fbaf923b757720e5ac8e8fe63e6f7a53709d3db61d55fd84a3730db42eedd1be6f3eaefa71baad42340fcb12a8c12ffa66b0bef452df7f61344e5febd9bce1d51253035dd3c9e300063704d7502e274669d18db536f2ddcfa882f53ac58284dc5f148bcf6f61f67f7f218223c9a15d1a09e34c305f85bd10e8a34db00df697574ec82f360cd35d3ac7814a1ee1dd1f407c1ed96ae90b18c07372c1a93be78737e689f066fa1454845546fe5dde043a49f368010bcf87a89020dc103b956b9c298714e16efa56aa99df67e3e8359d663e80a7ffe60d30c3799ad45de3f8607f7beba3ebbae6cef9ea57e6bc6e17aa9007dd1f86b3e5d7e9707aaec6ee659041b83c7048a3930498e7a9e9f85ab2a41432bca952e79f9986d4ea2d685f4dc3423fa8229a8019c3a819f150177ca7c973e7816a97c605856fbdfe44c91752dd9de39c7db227f1e95451cbbbc8f82ee54e0163d97ce9e1cc62c3defe121bad9518499c69a1ae2259029f23da0d901b00ba4d3c44c9fcac1badd35642be1c3cfc28dada020cb72f2bde53c7d62b4fd156a68f399973dcedafc7a754ea9034575bba32ff1f77d2d8b01a588e06ce0ab4753f8d6bbd988b1532c0484ae2305293e5aa9ad69f43145d7e21cbdca67d3dc6b8252b8a841b49d35c994e4a3a901dcf391d8ccfa385afe50a334ad220c2720e764fa167a89ce473706ac80f3501abbd5219a515b8c01b23343d27503a87cb8a8f14960a71d12197eadb155fd23da83cdd45b0b85e3e372af7dd95ab507e237c00c4a7ffcc0329afe1397b6cea3772a33d6d254e86b9e96dee096c0a469774cd383f42a7870d0a4ff8bf8d9c1645d524c75b39b10604e26112b20f426ee4407b27e898d6da2fbef42fedb602218e3c8deccf197beb4f3ba7596dd1d3116556dd5cf68f8b89066f969e9d129217c1f4fcc32bb8d24cf757a6d0afddee69c1f0527ea214047cc4aec5b68fb2db8341838d39419e91e77cf7fd1ba24f79dd15fa03e0ffb47e12cf92aa0a8f1a6f1a668b245e0f73e3b9ba282d209760cf945971faee89899b990e6eab0dcaa6bda3da0e5995be262b681f86f8c7f4c00efd82efbff79c1d0d26b48fa2dbc45df370661d3716a8abbafbd0db883274aa7d33ba6335930bd658b8443b67fe61787a09446693eb8cb04beb86e9f8a9cb816229584f1d43453a34d53a9fb1576e840ad1250d051ee06bc2e03aa00ee8d069778461087948fa07d303fd948be7f7ac2caabe2213cd6780bb716a4972ac39ef0619ae2605f1d4508413b144c107076c26ac38b8347b40830d3db10858faf058ce6b1fe0ea3ad49f825f36e92409948edbf0757f857ab84e8da62af707d845a39ce9235c9447768dd36bd429139aef089227e942f62ccbd9c68ad9eebe786e56e09a5a47d1daed491d6786a7c7f4d7fc5b6fc8b0cda51188a9036be72ec55658bd7bae8e73991319e3c3e324b9c9004fa23f5026c55a8272ac403b120dd4a7a10470be2cd55c42332fd645a4382170cee50d5189ac532fdb79de583945ab3943994c7b42ecd38cf468d8dffa5a6361cac663c505a126f85af304f06dc3fe8ecece829caf8c29b4fadda411c28ae9fe203ba52c9dd5bef9b266114b189c598da2fcaace2a32d865575cceab0a2abc17a6d93d9c4163631712e74dfd2f32ca6311a2be1105f063bde81a1a47f0f108888c7f143034b8356485959741980bd608d6edb040f0976e039f18bd651f16e58e47d51b25a1396360f26912a78b72817cb229f78ec6afecbc5762ccea608d5b8b007ea29f571b0d83cf9604cf3d7877c2b6561d502b2f6fc926056db2319dae7831dbff0f3bb7c537b50160bbe0306c087a2cb8396417c50f00856be2d52c9cef16bb7afbe28ad4d035ece9fe72d4cf9240634e7f4c6825ecbb74884d03471041e6e7734ad4e89b09b85c786fc8b25f2370b84943850d4d440571b794a349885c823f24afc3c624d57ff6be8fa9f50f846b63f6186230e185526aba5cb306fdc1f7ac31016215bf88a132d3b893b3e63d79c0218cb994a8ad5bf811ddbe76915e7de2c7cb2614e0df80d854ba56d9c171f000e01ca97db24d4789833bcd8003823581abe264bdfefecf0082f6d7cb50d4946173412b931dc3f5161a67688289fd935e52bfc331e07fb99513d5336b7da4596b8e937981ef9d161eccfde3370d069eb6db8cd5a5e7ae46cc2054ca19d342051aff4ba3733e430b10d589cf7b1f64aaa2160b2f80d39ec58b6f5a914d8ae3dfa115b2ddbd682ded9d6381c667acbbeda03bff4cf189ae85cee06f6bc89d68ff5285f1be7e0ba4ed7c4f9d2991c2aed5b0186018df8fcfe055bcd99277e12950f2ed5175200857f5464c62b7cb75de7978b57fb4b550bd0f20c2e3925e40316b341783ee35a2a3f18a02de12f725b103ed95373de08cf3a050e88f91bd05501cf08f77474fc9ebbd34fa174530d7f1ada53d7de2687764a358d4abc8170da67ed05fc6153d23465b8dab9d2193d307add20dc4a49eaa30ab3303499a32f59b90516f58b026ffd899d3dd14d64be3fa136dabb34bbef66522ad5064f9c94fe3f45f07dc2443a976c704214f7bbfa82b172030908506d430bc2dc8510c50e7d19e9230dcab1c4d2af19265dfd7ecd89b5272406ccddb3127c3f25ca0fa4e2a63120af0572ebcbaafa3e38111fd0a40cf44ee61b1b983a5b0a65e382fdd95aa4ccb8de97c87ddee90554c3881f62f66f7e4cbfecfec59f03e44df44bf37776db631c7f801e7da921c21876dc62aa2902728ee8efc7c894f5b0069f9db80622a96794d311a348b24827557e58bc92a09878f4190533d7c1539e26bb4941c54c5435593bdafbec3fdc9df5db587a2c5e90552bfe1b1ebc4c5d4792f364f4117d15cd7cf6eb7595d4c0628cd00c1b03b91638e681c857d910680a0ee9e23eea7bdd40af37a4530fe0c3dfea5d91de50d4b856590316c9a1342787749fb090acc843c9c8a716c3392dac946d69520e3864e7b2fe141f41e8b8c06c00577a93b55912206d115c9fead68474680e04fd80744c929fd97d60d065b017bc4485b3bd04c55ea343a0534f7d6b0d18be807aafd0a44fed199090d5b6cb41bb4a6d9df811336a90a8ecc7d4487eddbb8611b16e4334b566dc734f3718917eb01e6d99ec81b8f89aee04d6a782e2cd75007136d5310f04681bd49f9c44b04d822218803aa535a8a7ca3158335c41a802ede6c6f82234ebc0b1362551f80fcfa924147d5f30754497a43dff78e78b75e8bfd594676c8d54a7d069c97d650ec67114ca27eb58bae640def53d5378cb3b59b05d364c6996b7948716cbdb862af96c3519134f2a3ca55b56646a9bd59ae0622d71cacedd4221e9a4f160addc385fc5a103f53d921eecc9f49f22b1e6415da9d1a4de51f5fb48fa2846188e5029ae496f5ea0927eb392821c9bc29b67d2205ad13b40ad3fb63862ad4bf1c092882de99ece45882ce98d72fbe34154a866e4681848ec6a81c65b8f9774ca7be6c4bd038596b594157454646c4e5e1be112d0b7c23e3d3df97507deb6099c10038d48b0f8fd4b907afec8e3ffe3527e854905110a427b76aa24826794c8f6f837408f9d4ee15e3cd385506a41d0b4cf73bb27468687bfa661a2032c866b05936e9892148578dbb610d32127b973b17cc68c6445c9d15cc784d1af004611ccffa716f1f7a3f12382a09feff36e83030ab72320d4c4b04672df7f68a3767421b7f81d2cd4c6228347e3aabf17d41a86346e3fc430d1bd06ae54ca046d914b793219f050468c108e592f36aa809f7c55f8522f140cdb4eae754ad40d9599e63cf7c2ef47bf0b61e808f0087edf7970841e6d26f6973cad07a970dee8a2923dccfa1414663ce3acfd457da2336ceb365ea1ff5b2dcc07831629e1a7132ee2cc1fc4cbf8cf143c75fb420358194a7e0958197b10a5063072ad1b35caebe1748fb90949c7044f7ea83a8caa15b42a545c9c3f7614fc15aeff4fa17088ec2cde9007cc60f16c46b31f74405f5a3df1305c138876", 0x1000}, {&(0x7f0000001500)="86bc4e0dc5153b3dfc5810f62c140f865d4a0b02fd2c7979319e4529405019dfdd69e945b68b60a12a94d4fb1a87cd44e9410f76e724160de176ed09426e06eca95a89efd437518f809e98eb4334b0d9faf9a95e693a0be263cf9ff1fd554a00a4c35cf8efe7ca32966a57dc234b9c4926ee9ed9b1f03063fa03821291a3517431d52fc54b11f123d1d91e6156cdeb979a31", 0x92}, {&(0x7f00000015c0)="5da7dc42b4eeb23c72be38e0c1fdf240c69c5cb203c5afcaaea49c2aa81594dd732a30c9a4678697eb53a04f7c233bf83bbac6966fcaeba2a9fa44d575fbd904c33ce7c4b6e4626f2e301d976a13bc5205a44b9f1ed78303341781ab63946516c5ed597a3cace8df30a82e85f15d6db66738f4fbcd6d1615beec0590d14dc90b8df83b214ed7953f32261ac8d9c0b62680940d4228967c6acfed67c03ca5bdcb06f6a171de6348b742cd54cca9e87019eb509d79e6095ba2d5838b6585119ac3f65f0a03321a5f", 0xc7}, {&(0x7f00000016c0)="79aa57c12d30193a51f42fce4708ef4cedf1c745fd97dfda39b699750f00432060f96c617e581a94a7d81cba7b30be771896b51c13700b29c63d580e8ca01bfebd55a0e03f65cccb3928bce708a38cb84b486e1b2d28eb473bd908fb17dfdfba80ebd91d6069eb09c317069b2a75deab5e0238851444771a34", 0x79}, {&(0x7f0000001740)="3811994036f1dc1f6bb8ed65cf2590b0f977d56a13ca95b0915e86719082febfd6de30001f04c28d750d2af3d025990177e1af45e4a4813460c6cfb1b7fe54e6e826bbc41c783ded8293f76f6ccadb57205d4481a4c203656bcbdbabe869df670c9166e59b6710de1646b833d43279abc3392389817440ea47ca57dc81f98c6e7f96b0670a48b492d6affe335b63", 0x8e}, {&(0x7f0000001800)="73872dd7c4b65abf5aa9926cef39580e9721ce2a57db0dfc88f78104cd8a959096ce880aa208e348a26f27751dc526fdea36aa217220a4f04bc19aa965d64351c150f5f9b6feff", 0x47}, {&(0x7f0000001880)="af2e09c7ade45eed8d5d0ea5660b14f31edda631e51e627b28e06f89b2cf509a4e04c799182ccdc752dd3332fed025369beb0d567ce506fc31da68dc77e7c960c9a8831342ed6b360d4bd5c887f057fae3249347ad8a8583cd2bc719576be9385abd748d20986335509561c7bc2d9c81", 0x70}], 0x7, &(0x7f0000001c40)=[@cred={0x20, 0x1, 0x2, r6, r7, r8}, @cred={0x20, 0x1, 0x2, r9, r10, r12}, @rights={0x18, 0x1, 0x1, [r13, r0]}, @rights={0x28, 0x1, 0x1, [r1, r1, r0, r0, r1]}, @rights={0x28, 0x1, 0x1, [r0, r0, r0, r0, r1, r0]}, @rights={0x28, 0x1, 0x1, [r0, r1, r1, r1, r0]}], 0xd0}, {&(0x7f0000001d40)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000001dc0), 0x0, &(0x7f0000002340)=ANY=[@ANYBLOB="2000000000008c5d4fde34244e83baddc9000003000000010000000b07da2908e9ca4d3ccb9ab88e33ec3a376d00", @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r0, @ANYRES32=r0, @ANYBLOB="18000000000000000100000001000000", @ANYRES32=r0, @ANYRES32=r1, @ANYBLOB="28000000000000000100000001000000dded12aec00992217342b7b4ca5ba5f7c302dc3c865dc9edc784ccb701373fa2d324df9a074d53adbfcdee99a830a853231706c013ebaa8576f435b0be19210694f0f6509dc5686c9005aaf85abb798d78c468aaba788acf28be4cd3cff506a8e2136bbfe2ea3e9c32a14dbb5de1730738b46ec9aa940f144e39b9ce60a9823539f01278e164a9ce1ae8efc16b576842", @ANYRES32=r0, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r1, @ANYBLOB="00000000200000cfffffffff0000000001000000", @ANYRES32=r0, @ANYRES32=r1, @ANYRES32=r0, @ANYBLOB='\x00\x00\x00\x00'], 0x80, 0x8800}, {&(0x7f0000001e80)=@abs={0x1, 0x0, 0x4e21}, 0x6e, &(0x7f0000002040)=[{&(0x7f0000001f00)="811549ea45dfe99250456edb4ffdd9431be31d0004ba867b491bdcb3949af264", 0x20}, {&(0x7f0000001f40)="79248256b9f0f5b0dc9f36bc2d8f5e8d694003b804e57ac156f2fb72c310b896760f9352cde6db01a4b6b5ce62b5015022d357f176b2dfd0deab9f03c4d3a8b59cbaa12caebf661e3ee200a948c617419b41c8eb538c71831ed00337481156433a39c7f690a632747060bb492c3550c93f02a02e35c9171094d3150530025b06acfb3e64f916f0385bead720b4fc924829c320ef9f4514de903653cb6c8ef40c6f5ce596959dd244531074062dcaa5b8793a780ac4395a69661a062fb105c8a84426138e56aa3786d9f620b1ddb6e6a6d7a2d5335a31502bf56cf4f95f0dacd7b3ea8d7e2a", 0xe5}], 0x2, &(0x7f00000020c0)=[@rights={0x28, 0x1, 0x1, [r1, r1, r1, r14, r0, r1]}], 0x28, 0x4080}], 0x4, 0x24040805) r15 = syz_open_procfs$namespace(0x0, &(0x7f0000000040)='ns/pid_for_children\x00') setns(r15, 0x4e000000) utimensat(r13, &(0x7f0000001dc0)='./file0\x00', &(0x7f0000001e00)={{0x77359400}, {0x0, 0x2710}}, 0x100) setns(r15, 0x20000000) 04:41:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="64070010046ea8da"], 0x0, 0x0, 0x0}) [ 3373.072760][T11665] binder: BINDER_SET_CONTEXT_MGR already set [ 3373.096223][T11665] binder: 11663:11665 ioctl 40046207 0 returned -16 [ 3373.106607][T14003] binder: send failed reply for transaction 492 to 11463:11486 [ 3373.111606][T11665] binder: 11663:11665 transaction failed 29189/-22, size 24-8 line 2994 [ 3373.118082][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3373.139446][T11665] binder: 11663:11665 unknown command 268437348 [ 3373.154476][T11665] binder: 11663:11665 ioctl c0306201 200001c0 returned -22 04:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3373.191587][T11782] binder_alloc: binder_alloc_mmap_handler: 11663 20001000-20004000 already mapped failed -16 [ 3373.203801][T11782] binder_alloc: 11663: binder_alloc_buf, no vma [ 3373.228266][T11796] kvm: apic: phys broadcast and lowest prio 04:41:54 executing program 2: r0 = syz_open_dev$evdev(&(0x7f0000000040)='/dev/input/event#\x00', 0x0, 0x0) socketpair$unix(0x1, 0x2000000005, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x2, 0x32, 0xffffffffffffffff, 0x0) r3 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x400c2, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r3, 0x40a85323, &(0x7f0000000280)={{0x601, 0x7fffffff}, 'port0\x00', 0x2, 0x1, 0x7fff, 0xbe2, 0x52b, 0xbe, 0x1, 0x0, 0x6, 0x5}) r4 = dup(r0) r5 = dup3(r1, r4, 0x80000) ioctl$EVIOCGKEYCODE(r4, 0x80044501, &(0x7f00000001c0)=""/145) setsockopt$bt_BT_POWER(r5, 0x112, 0x9, &(0x7f0000000000)=0x5, 0x1) 04:41:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) fcntl$F_GET_RW_HINT(r1, 0x40b, &(0x7f0000000000)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) fadvise64(r1, 0x0, 0x4, 0x1) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:54 executing program 0: r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snapshot\x00', 0x60000, 0x0) getsockname$packet(0xffffffffffffff9c, &(0x7f0000000140)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000180)=0x14) ioctl$sock_inet6_SIOCDELRT(r0, 0x890c, &(0x7f00000001c0)={@local, @local, @remote, 0x7, 0x111, 0x1, 0x500, 0xebc, 0x140005, r1}) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f00000000c0)="0adc1f123c123f3188b070") r3 = socket$alg(0x26, 0x5, 0x0) bind$alg(r3, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'gcm_base(ctr(des3_ede),crc32c-intel)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r3, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r4 = accept(r3, &(0x7f00000009c0)=@in6={0xa, 0x0, 0x0, @dev}, 0x0) setsockopt$inet_tcp_TLS_TX(r4, 0x6, 0x1, &(0x7f0000000240), 0x4) 04:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x48}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3373.431111][T11877] binder_alloc: binder_alloc_mmap_handler: 11874 20001000-20004000 already mapped failed -16 [ 3373.518032][T11881] kvm: apic: phys broadcast and lowest prio [ 3373.541832][T11876] binder: BINDER_SET_CONTEXT_MGR already set [ 3373.566442][T11876] binder: 11874:11876 ioctl 40046207 0 returned -16 [ 3373.601622][T11877] binder_alloc: 11874: binder_alloc_buf, no vma [ 3373.614628][T11475] binder: release 11874:11876 transaction 500 out, still active [ 3373.637909][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:54 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @mcast1, 0xfffffffffffffffd}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:54 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x7000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:54 executing program 2: r0 = socket(0x10, 0x80803, 0x0) write(r0, &(0x7f0000000000)="120000001a002517fc85bc04fef6000d0a0d", 0x12) setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f0000000040)={'nat\x00', 0x2, [{}, {}]}, 0x48) read(r0, &(0x7f00000007c0)=""/71, 0xff19) 04:41:54 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4c}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3373.665317][T11475] binder: send failed reply for transaction 500, target dead 04:41:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x505040, 0x0) r2 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r2, 0x800c6613, &(0x7f0000000080)={0x0, @aes256, 0x3, "a9f6e2a8c92d99cc"}) setsockopt$inet6_tcp_TLS_TX(r1, 0x6, 0x1, &(0x7f0000000280), 0x4) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000040)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0xfffffe1d, 0x0, 0x0}) mount(&(0x7f0000000100)=@loop={'/dev/loop', 0x0}, &(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='hfs\x00', 0x0, &(0x7f00000001c0)='\x00') openat$cgroup_type(r1, &(0x7f00000000c0)='cgroup.type\x00', 0x2, 0x0) [ 3373.810236][T12075] kvm: apic: phys broadcast and lowest prio 04:41:55 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) syz_genetlink_get_family_id$net_dm(&(0x7f0000000000)='NET_DM\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:41:55 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = socket$inet_dccp(0x2, 0x6, 0x0) pwritev(r0, &(0x7f0000000100)=[{&(0x7f0000000080)="73d6d8912d553cbab84379a9ac9926274b2f2ed04f6adbf24397", 0x1a}, {&(0x7f00000000c0)="595c5530e71e97b5457a1112fbd785c4", 0x10}], 0x2, 0x0) getsockopt$inet_int(r1, 0x10d, 0x5, &(0x7f000079bffc), &(0x7f0000000000)=0x4) setsockopt$IPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x41, &(0x7f0000000180)=ANY=[@ANYBLOB="726177000000000000000000000000000000000000000000000000e3ff000000050000000000000000000000000000001600e32a0000000000000000000000000000000000000000000066ca54c17467e5b41e0000000000200000000000000000000000000000000000000000000000000000000000000000000200000000000083272c3a419f30ab3ec4c8588a34d3a8148e"], 0x78) syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0xfffffffffffffffd, 0x0) [ 3373.866335][T12111] binder: 12109:12111 ioctl 800c6613 20000080 returned -22 04:41:55 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x60}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3373.940448][T12111] binder: 12109:12111 ioctl c0306201 20000040 returned -14 [ 3373.962461][T12115] binder_alloc: binder_alloc_mmap_handler: 12109 20001000-20004000 already mapped failed -16 [ 3374.018769][T12133] binder: BINDER_SET_CONTEXT_MGR already set [ 3374.051392][T12133] binder: 12109:12133 ioctl 40046207 0 returned -16 [ 3374.092615][T12111] binder_alloc: 12109: binder_alloc_buf, no vma [ 3374.119678][T12194] kvm: apic: phys broadcast and lowest prio [ 3374.128572][T12115] binder: 12109:12115 ioctl 800c6613 20000080 returned -22 04:41:55 executing program 2: r0 = perf_event_open$cgroup(&(0x7f0000000200)={0x5, 0x70, 0xffff, 0x1, 0x7f, 0x8000000000000, 0x0, 0x8, 0x0, 0x4, 0x0, 0x3, 0x401, 0x7fff, 0xf91, 0x5, 0x6, 0x3f, 0x2, 0x3, 0x1, 0x101, 0xae3, 0x8, 0x4, 0xfffffffffffff000, 0x6, 0x2, 0x2, 0x101, 0x8, 0xa3e, 0x0, 0x1, 0x0, 0x5, 0x4, 0x0, 0x0, 0x8, 0x1, @perf_bp={&(0x7f0000000080), 0xa}, 0x4180, 0x2, 0xc8, 0xf, 0x0, 0xffffffffffffffff, 0x8}, 0xffffffffffffffff, 0x4, 0xffffffffffffff9c, 0x2) vmsplice(r0, &(0x7f0000000440)=[{&(0x7f0000000280)="9200d36fc85fe39cfe4bee5955cf26f93de45372006d7fadebc8fa63", 0x1c}, {&(0x7f00000002c0)="1853edcf9a9c38eb2da35aedbad10f4c00e7ce28110f8c0ae6cccb6519de1331c3bf06a77d1029141bdf4bbc410d7e626af7aff3e88cf2c081bdf3030bbd9f171b94408598bd8eee10964af05689967d113c9955c6fb95f37fd1731db457656ab632e1d52b6614dd24a8b7a74f3415cf8cf01ab188af8518967f14f7fa1799d802aed529e44242776fcecb3f330a59cdb9495af5dd152557a5008982674c52a65b82642b51b8be91dfacaafbfac538cec356f4b0e650c9b958a47e1173fa81", 0xbf}, {&(0x7f0000000480)="250262ec10f0486c4f04a2534240ae90f8a27136ce8796ae5dc2d894e4fb27383a3d7f69144f8349d17f2fe99bf94d8b32c7ce52a8371866129fdb2382d1cdffe9e024d6df0cdba0297804607cbc8438f9aa022959f044880e643752987d99ac516031896f30a564e47b658832de0f717f48607b0dffffffffd2966ed9c4357a83fbf224ef1beacc83e74885b4ccdd1ff12a3c6c20f8b5ac1c0219c482827958e637362641f13fd8960d441508a9e53644c5731cf69c8399e6f18c5089c4a20f8532d3b2d7bc4dd3e6458ab52ff9bd3ab41bc4b98a4ada7a80ca1807d98459ce2677eb15da30ba34691bc6a66022cc778e7c213d8f3a4352b39325d8d0e66024a88e518bb0758e89bc7fd6fd1dac18ccb049dbc1270ea59c7081004ef10e", 0x11e}], 0x3, 0x2) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0xffffffffffffffff, 0x2) ioctl$VIDIOC_S_FREQUENCY(r1, 0x402c5639, &(0x7f00000000c0)={0x2000000000000002, 0x4, 0xe}) syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x0, 0x2) r2 = semget$private(0x0, 0x2, 0x24) semctl$IPC_RMID(r2, 0x0, 0x0) r3 = semget$private(0x0, 0x2, 0x1) semctl$GETPID(r3, 0x0, 0xb, &(0x7f0000000100)=""/244) [ 3374.170083][T12111] binder_transaction: 2 callbacks suppressed [ 3374.170100][T12111] binder: 12109:12111 transaction failed 29189/-3, size 24-8 line 3147 04:41:55 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x68}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3374.284514][T12263] binder: 12109:12263 Release 1 refcount change on invalid ref 1 ret -22 [ 3374.361351][T14003] binder: release 12109:12111 transaction 505 out, still active [ 3374.372966][T12263] binder: 12109:12263 ioctl c0306201 20000040 returned -14 [ 3374.421303][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3374.463179][T14003] binder: send failed reply for transaction 505, target dead [ 3374.501143][T14003] binder_release_work: 6 callbacks suppressed [ 3374.501150][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:41:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:55 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpuset.effective_mems\x00', 0x0, 0x0) setsockopt$netlink_NETLINK_PKTINFO(r0, 0x10e, 0x3, &(0x7f0000000040)=0x800, 0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket(0x10, 0x20000000000003, 0x0) sendmsg$nl_generic(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000003080)={0x14, 0x1a, 0x201}, 0x14}}, 0x0) 04:41:55 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0xdd5d, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) connect(r0, &(0x7f0000000000)=@rc={0x1f, {0x200, 0x3ff, 0x5, 0xffffffffffffff81, 0xb5, 0x3}, 0x8}, 0x80) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) ioctl$PIO_FONTRESET(r3, 0x4b6d, 0x0) [ 3374.660266][T12441] binder_alloc: binder_alloc_mmap_handler: 12438 20001000-20004000 already mapped failed -16 [ 3374.697483][T12440] binder: BINDER_SET_CONTEXT_MGR already set [ 3374.715084][T12440] binder: 12438:12440 ioctl 40046207 0 returned -16 [ 3374.740441][T12441] binder_alloc: 12438: binder_alloc_buf, no vma 04:41:56 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x9000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:56 executing program 0: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$rxrpc(0x21, 0x2, 0x2) setsockopt$RXRPC_SECURITY_KEYRING(r0, 0x110, 0x2, &(0x7f0000000100)='syz', 0x3) 04:41:56 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6c}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3374.779902][T11475] binder: send failed reply for transaction 510 to 12438:12440 [ 3374.787480][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3374.793455][T12441] binder: 12438:12441 transaction failed 29189/-3, size 24-8 line 3147 04:41:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) write$FUSE_INTERRUPT(r0, &(0x7f0000000000)={0x10, 0x0, 0x2}, 0x10) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3374.843979][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3374.862211][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3374.913529][T12529] kvm: apic: phys broadcast and lowest prio 04:41:56 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x74}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:56 executing program 0: r0 = socket$kcm(0x10, 0x4000000000000082, 0x10) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-control\x00', 0x12001, 0x0) write$P9_RATTACH(r1, &(0x7f00000001c0)={0x14, 0x69, 0x2, {0x2, 0x4, 0x8}}, 0x14) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f0000000000)={0x0, 0x3, 0x10}, &(0x7f0000000280)=0xc) setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r1, 0x84, 0x23, &(0x7f00000002c0)={r2, 0x3ff}, 0x8) sendmsg$kcm(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000240)="2e0000002a00815f00000000000000cf0800b0eba0b4d65cdbaa18b29c473da67e3d743298cbb3001be63e75c85b", 0xfffffffffffffe52}], 0x1}, 0x0) read(r0, &(0x7f00000000c0)=""/244, 0xf4) [ 3375.066255][T12563] binder: BINDER_SET_CONTEXT_MGR already set [ 3375.119193][T12563] binder: 12559:12563 ioctl 40046207 0 returned -16 [ 3375.136046][T12561] binder_alloc: 12559: binder_alloc_buf, no vma 04:41:56 executing program 2: openat$apparmor_task_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/attr/current\x00', 0x2, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x1, 0x3, &(0x7f0000000200)=@framed={{0xffffff85, 0x0, 0x0, 0x0, 0x2f, 0x6f}}, &(0x7f0000000240)='GPL\x00', 0x1, 0xc3, &(0x7f0000000480)=""/195}, 0x48) [ 3375.194507][T12561] binder: 12559:12561 transaction failed 29189/-3, size 24-8 line 3147 [ 3375.240713][T14003] binder: release 12559:12561 transaction 515 out, still active [ 3375.263575][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x8194414e8bf4b853, 0x20011, r0, 0x1000) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3375.297264][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3375.332617][T14003] binder: send failed reply for transaction 515, target dead 04:41:56 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7a}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:56 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x0, 0x0) getpeername$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={[], [], @local}}, &(0x7f0000000080)=0x1c) recvmmsg(0xffffffffffffffff, &(0x7f0000004900)=[{{0x0, 0x0, &(0x7f0000000640)=[{&(0x7f0000000380)=""/228, 0xe4}], 0x1}}], 0x1, 0x0, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r0, 0x84, 0x1b, &(0x7f0000000140)={0x0, 0xcc, "1fcaef8bc675584d9b1099d7d3281082697f5557df45d1df633e0e39948c8aaaf63dcdbe0168ecb2ece840daf46fefba807396f71124943495b051dea3e4a1d1c33942d272aab2c92094cbd00a619618151daf94220cdf95aca3d7e9c081315c9304a1a3f591ff6237f1eba1e7a9f464c10012ad58146a222f8a8583d318ae00cb8242b1f38c5331f6d9e4d07ba344083b68b370c78602c97c2f075650c6718687a9405962a3c723721e17f1ab711ba66a40250b8389bfbd2198b24faed6cc288052f5a3562b278ccf2988d4"}, &(0x7f0000000000)=0xd4) setsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000240)={r2, @in={{0x2, 0x4e24, @multicast1}}}, 0x84) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r1, 0x29, 0x1b, &(0x7f0000000100)={@remote={0xfe, 0x80, [], 0xffffffffffffffff}}, 0x20) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/anycast6\x00') preadv(r3, &(0x7f0000000140), 0x2b6, 0x0) [ 3375.465271][T12680] kvm: apic: phys broadcast and lowest prio [ 3375.471700][T12681] binder_alloc: 12675: binder_alloc_buf, no vma 04:41:56 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x8000, 0x0) ioctl$TCSBRKP(r1, 0x5425, 0x5) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") r2 = socket$inet(0x10, 0x3, 0xc) sendmsg(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000000)="24000000010a07031dfffd946fa2830020200a0009000100001d85680c1baba20400ff7e28000000110affffba010000000009b356da5a80d18be34c8546c8243929db2406b20cd37ed01cc0", 0x4c}], 0x1}, 0x0) r3 = syz_open_dev$video(&(0x7f0000000080)='/dev/video#\x00', 0x514d, 0x400) ioctl$VIDIOC_EXPBUF(r3, 0xc0405610, &(0x7f0000000100)={0x2650d3e54bea851c, 0xfffffffffffffff8, 0x40, 0x4000, 0xffffffffffffff9c}) [ 3375.505400][T12681] binder: 12675:12681 transaction failed 29189/-3, size 24-8 line 3147 [ 3375.535670][T12681] binder: 12675:12681 Release 1 refcount change on invalid ref 1 ret -22 [ 3375.555137][T12694] binder_alloc: 12675: binder_alloc_buf, no vma [ 3375.555310][T12681] binder: BINDER_SET_CONTEXT_MGR already set [ 3375.575249][T12681] binder: 12675:12681 ioctl 40046207 0 returned -16 [ 3375.583904][T12694] binder: 12675:12694 transaction failed 29189/-3, size 24-8 line 3147 [ 3375.607741][T12739] netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. [ 3375.637625][T12681] binder: 12675:12681 Release 1 refcount change on invalid ref 1 ret -22 04:41:56 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x8, 0x400000) ioctl$VIDIOC_CREATE_BUFS(r1, 0xc100565c, &(0x7f0000000040)={0x80000000, 0xbe1, 0x4, {0x6, @sliced={0x3, [0x1ff, 0x3, 0x1, 0x7, 0x6, 0x8000, 0x1, 0x3, 0x8ef, 0x101, 0x101, 0x4, 0xfffffffffffffffa, 0x8000, 0x2, 0x7, 0x1000, 0x6, 0x3, 0x91e, 0x3, 0x4, 0x4d2afa68, 0x7, 0x3ff, 0x0, 0x40, 0xe351, 0x400, 0x3, 0xa039, 0xfffffffffffffff8, 0x3, 0x6, 0x5, 0x5, 0x2af0, 0x9, 0x74, 0x2ab8, 0x949c, 0x40, 0xffffffff, 0x8, 0x0, 0x1f, 0x0, 0xb7], 0x4}}}) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) ioctl$VIDIOC_STREAMON(r1, 0x40045612, &(0x7f0000000140)=0x8) ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000180)={'veth0_to_bond\x00', 0x3200}) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3375.681889][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3375.689619][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:41:57 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xa000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:57 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x300}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:57 executing program 2: mkdir(&(0x7f00000001c0)='./file0\x00', 0x0) rename(&(0x7f0000000140)='./file0/../file0\x00', &(0x7f0000000180)='./file0/../file0/file0\x00') r0 = open(&(0x7f0000000380)='./file0/../file0/file0\x00', 0x400000, 0x12) r1 = syz_open_dev$cec(&(0x7f0000000040)='/dev/cec#\x00', 0x2, 0x2) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000001900)={0x0}, &(0x7f0000001940)=0xc) r3 = getuid() getgroups(0x4, &(0x7f0000001980)=[0x0, 0x0, 0xee01, 0xee01]) r5 = fcntl$getown(r0, 0x9) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f00000019c0)={{{@in=@remote, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@mcast2}}, &(0x7f0000001ac0)=0xe8) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000001b00)={0x0, 0x0, 0x0}, &(0x7f0000001b40)=0xc) sendmsg$unix(r0, &(0x7f0000001c00)={&(0x7f00000003c0)=@abs={0x1, 0x0, 0x4e22}, 0x6e, &(0x7f0000001880)=[{&(0x7f0000000440)="e9827cc862098f2a5cdc603284b198231df6269352ff38bd7a9f320267c4d2ab16834201078fe8b35d0e3a354baa553125abf379414d033f7f185335326c99d24b900e134e68d59de13d5971aa77a8fac2356d960986146deda2624c8abf35f1a7d8e2cb3501d79718a7351018ecccb77afc8d645614551428113f46046e1e07902b6a8d64c9fb833543f9ad61f521f727f7b1d6f566af680fcccef4b06f54ecfa3616dca9606695ed98b87827c017", 0x3ce}, {&(0x7f0000000500)="a1363d02fa6be8c19d4632c700403ea924d04adf402af497e03e7810146b0ea6104dc69bb3ccaf2dfa068f4c05efddcc50afa64f93f648683e8b8426abcd4d1df2b22c9ec89869153e81d7c0e114afaf5b0be100d8a90928763732d74165107f9b92e6119db1373b710cd65b9a58a54f52b998f3a22d4e79016af45365ba550ae80302193c41c8c7306abfd12d294ad4abbefb84fff7cbd249490f173d14758f984a7c01d89c23e307d6a0b2cef8c134bbf43f4ae07610b5c6d46aa2b1e063c37f4d0b5a0d5a20d76456a9cb3b7b8d47240eb74cb7ab40509e0f6f8d4360", 0xde}, {&(0x7f0000000600)="40b1a100146001688252e8ec2c5f79eb2f407d1e0d06e73a974469ca4aba7af7f2808173a74ee410c8918a99fd8e7441742236f5c7475442da765e934965a07329e9bfd2f5495a33b6e9ede13dd8b4503f08a622941a25a53f4e49bfc8b648656c262b7dcd05bacc00e13ffdf59b814127b69b27e599a9943f9a6e5a456c602f4cc14580163cab91ed74cabcd6f3f4c6e1eed37bfaccdb8daed830acdcff5db7d58e8dd41eb9ed15e73bcd3094f287c3f0d3885ebe4bb4eea06d2f9b", 0xbc}, {&(0x7f00000006c0)="7c69c432e274a4e27055b969c62697f258fb530b2c347884168b8738d6ebefe8c80ef377075b1543b82d993c4ec764a5c486ddf40e6b695b0cb000fefc612681c1665bba8b37c49385d07c08608ef033a80ba9873fe251ba7213fafbe3af61cc10f5b654ea0baf6833c5577a5a71239d452cf357188b4f84f529b45e4214f91bd89788774a1ed8879a464995652374d02dd7", 0x92}, {&(0x7f0000000780)="0739430895ab0ae509348a8a45a6b70f3160e81a56aea236bafecd240fcd8cc16b66bd32f4c0f8223ad43cb87e2ab10710a737f0c6079baf99ef9030792c017075ad1c", 0x43}, {&(0x7f0000000800)="8936ca7c03418d7ca19f2a28c7e21dfbde1f89a8500d5e2521841d87f779990de79a7eb1e53aef8e9c21c8d48a36c5604e434aeb0e9e5e699cdcec9d1a19a22dfbcfd6a532853e0df1bc6470ea90ece722917b3a42a2600296a556d517adac81fff6a3d14ca8c79f1a35d6329ac5cc812e274735d140bcea5ab1570a0ddc94e7b91dd61e897d240d812463c6599013c6c9f4a4e31dc14f4096cbfac0763d9e67085bbe35a2eb508600b23963b3da9ef4f0d9cf5c1e2990e44023010000000000000089b83110df79f3f8a409a2c65a7d9737448220bacbc2c4c515199b805ebf78edf134f6bfa4904034104f7686c37e5af6b0af15b1dab420784f65e91167249ae4153962b91939fef7b9cfe1d3d3f7dfc60f7fcc4249349f36ba4fcd063067baa6d6d20ebd338aa3ee8ad754f85ad90bdc3500f20df18bb681ba7268c9d134bb94afaa1b5a5fa4eab318982e088e6de9d2c2ca6c13731288eb893ffd98691c93fe90d9f21730edd6b55e43ebffe979b293e82a943d7c50fdd8808b213a33fb1d6adadab23b04efcdcf56397a6396feaddfb4c87685d12f39b69de7dce5184b9db4e38cab2bb5c747f2e13e78a3d7dab6d0bf63f928c844956b1b947064da9df151ff501d84844a6f77e71ef3471212341be6bc603cb967b8d54a5f7cb6c0566047981192167020accf757e4d60d7d91aea108f7922b3fca8cc8395449f3a22c06eefcb88ad3a52ff3e51d600305bfc89bd59e5663aacfd7d0530fdd8777ededce8fb990a12e80143d096a26a24b4d39d75a5a3f61d8ac04c0e54480a48b853fb45b072b87137a292c728f1622fd06ce4548440db948661145f613582390517a3b44fc50cf99015b2b21350211b94473c1da7e0e7503c5271f43d56bd850dd0143044cd6584cb1871c6ac0ac1e79b823f6855e87911a5a1ccb96c70521d9091cd8485e74eb592c3ec9e278778c8cc3adc19ef262e0b2e4b6c9dc7f8ec2525d6d159a20c0cc1c8e3796b9eb65a3ce608c43887d191da6fdffcc781f5fa872ecc300b3a703984493b8b1b9ba3ef8f7c894a042ab5d2e25607eba790ebbcebc8e034d81fb37bcaa9b3aee22f376fe3942afb90cb0df518917a758aacc86c0a04e8f213758af646b39ff6210fd3c332f41615216b1c53d5d4acc659ea3123c9e32dc08fa99b629badcaf45d5ecbcecec71249acf5c6239326571be12c1203ca536a51f98de7faf4ce8459ce2f43095630e5deb2341c08552d2f4b6c02e15652824eee12efb69e1adbe041fccb914e175e18ac493137da560f829a2c3815d4921cd616ef137043d8b58f54e4529b78e18a7a648f4ff1fac1c81aae75dd2420e1e560396df3e13d5ff90401cbe1b2f8d59fd769ba8436498811c6bbfaf7c0f08d3803729f12390c95ca3dae5200fc589085dcace4d4b1f50bb483f22902778807da1a3e2e90d5e187aa9ef9cde6088f93c67eb0f43c19db430f3e1fca76a09b4980857bfae1e8927a6301f25ca89f0f7f1c3904d8cfd6c7afad6c7441808b898489545eae32fe33c4f6817c3cd73791faa2fe17d01e23be1598569677f2a36b08f0888138787d735de526966cb72c425fc6dd28abdef421a7f24b8a89cb07ba88340dcdd94c3e2ef0577100e20f6c050b2520c494b5e6d328da27ee9544d6da066b595e5dbceaa912f9a249c31d9a44a5ff00ab9b30ee05c93ac9eeb61ad4d57ef82d2fb3555beb8ad77acdc2c5ff40b429217de14eda327ab16bf93e219e3805a6b308ae88e9bb15a1828c6805b8a78c0f776cc8888b4ab13796f71bc35319e922536131cb226687cea02119b07b405542b7332d54bfe10fd3173bc0c6d22eb46a97d7520149daa42689aabe80d1dc825245bd03cc72c2015960c87451a3273e4c4c443f49095b11eb388710e4701a060ed359886304e089cbe2280c27942259dad7d7378399ed67c94638c6ae6186ff33eb184c466d9505d85bb0423424364748b9f19e35d43bd546e96d995d8f3aae9f4a2e38f69f14029d1ecaea143235e938e5af6d30188181f2cf844d6112a4a119b4065323df7dcf6a148475d52165980f50f939822ae3d44d93981ef9232a0563d6e063cf5eb119ba23e6cfa41c52c20317336c97ecf50d5af267c5d070b6961d53fd39e66240cb973baec47dd94bc4e226677f39cb6400408c7a49b73c34a36486e3b023c6e42fa27d16ff3ed15c25b57b24260f921eda14d5e21c73bea8cd8bd4515b894bd2eb6ae283a17f715e1485c4e4d03cd8088d3e08b3c970aa33ac1af83118f03e141094dd618a886d78f5204c02ea5e458b8b27c4af0f15b628e8d78acc13515fddfda6e911af664aab0784afe6f935d8e7f807cbb759e144a453814d92c074fd84e841bb2aee25e613c303fdf8603629630a84195aa221a52cd7e750b6ce91ee2e19d8894676f0cc1b94299bed7ed0973d63f600813ca217812c7638fbd72ea3d1d51fd81d6325b4ab5f1331b02ca1fd4f088aba05f63ba92877e2c7ace9526b14d0344988ab9baa7721f07cb0b9238f75396de0fecc5fc17e4ac48dc1976d3e949fca2f42951d8cbb2dd19339380c0f51bba96f3fdcff7e858547325c7201410dcf450d1404bbabc34e819383d9454461736ef74a885a27fd6e8cf18c6d5c878a3f233623761c899456ff7c29fd3b57c6e3b1b6f71205c8c3baac547a57a93f545fa2638575e1436b9280afddcd5c2b04048650a8928042ccfd4d42b2b26cf8d94158d03f09fc0882f0a0c58cdbc9d00e6f21c9cb0f5f3fec21975c855c6517b32fecad26823644ff07afbe883a687f56f860104ff5d877cb4e8042e833eb659d16bea643b660d95fcae567d631ac697918bf8d717af260624aaa416aa7ccb500ec2655a519287193605d9235dc02d4ec069fb996e9bd3f4c90d5f6cfd499a15fe04df156d4eec45a8e9bbdc743c25112e232624d3cb848921f04b1f60996bd280bdf903ee4f85241899d7b9ff45ef64f67c2acd2e4747142e1a17ecd693c850ff9af1dbcc862a5ebe094f471c638c188cbcb9e7fdbb3502df8dde22d4dc31f866860c7b635e362ee7835d17b89e9c81a69348580f9338a11f767d10a66192f176ee709f12703df5752c13212ef8b748518490b99b0b430b59de8d2de7c19dee0a34d8353537cd7350d6e9947e4a1f0a2dbf39bbc3b395e2dd7927bd2d99a467cfde271c0b540837f4ffd663c1d0bd35ea4e1760024fa042ce01777274b2f3051bbd4e97b966106236647a3a2a0d030bf840681f7c7bf55497bb11461c6cb30eec48fe62f87b6d9d4762cc3749f6bd60455e1ce2df8ec70f1d0c69795f532ba50c673f064a8a550b4dd9706e6c6b3c6e5867a8e21c924504a64f25f72c684b14a586e8fec93325d5238f0f9b2be7cdaaee91b8ae0f0af6e568cdf04cc6052fa0d339d686f7efe8b171b395c15db2fd7a0a3b5b469e735aa92437ccbf6986076488a3ba5f7d8928beaab4faa7aa2866632924b4e014de4444e9f6f7715b3a84e6d82b6394886b51912cf1ad3dfc191594595581c3f91e162e8f0f124f650453e78119e7ea4f1ad866f492f059e4a024e8a0340f80d80cc92b019a815e515b7742180fc2d7df5cda6a453f11c3da072849ff8dad64d27bac3cdff07b8845fac312c032e0bbf5df83a394ec94522294fd5dedc07ff812754b814f6600508edc3fc24858ed14b3ad6379dc9415e61ade6bf2ccab9d353ae52e7ba5ca94d07d2ec086bffaeeb218127b6862666c64b79653d483416addc7c69282c26d19158930b6e3082d8e0e46f8c6d359a4e3017af93b4484aebe5fa8e82af8120b2f78521babf15849c08f5f285b14a86a2721b5e5a0d492cfface7d87a115854e8d4ba7452a322faf4f139e1e2d8b515d730ffe07f46ce4936076640649847609339594822590f7a79ba0ab8c7b2dd71dab93e5f84cabe714528909b597f91d5625e1c0d320c40b107204f5f42fea49fa41c9afe5ec30ed1342de31add9f85216dd0fce0eef5d7f375b10b5b95540ab1a1f85b5f5248ee673c8c3897ef740c13e80fc21f0bc195941c8b7ed125baf431023464accf39fc497f93fe2b524e5fe9f872af1c81cf3bc32bbff7b9f6f58a5b2cd90d8bd86eff32bf04359c333c174cf297b510094b6dcfeaef8152a82c9dcc92a896ae74da9c296e48d1b43623022a82e3574969e37bbc3a4f8da0df378d192698bd38e79f469012bdd11a43cf153ce515399f0fa465b7bceb3f1936cc49484d9a92374e008d3e84d5e1e84f39649519a49151db8c796bb1a58564cc7bb480bca914891fc2fcc52fe2a240635af65a3dd1519fd6cc55f9173c012326442ae180dd01a373649f8c00086d33a4919d1416bad0424dcc46c40b7db49934f06f9ff54c928e3a338b3010b543edbd7e45fbd59848a09ecb598ce6e07ee61e5fbd3c18875ac46e95c5d68c290b4a63d6d49c46e8491b21f0b9f977fd88cbd2f6a15105351321a020c8159979e7b27dc3f59214b039b9bd05712d3e7e612dd66d8ae19214c004e6e82875cf6c17d50abc22fed29a9659aa985f2afab982a8ecd3ec4488e3903e0995ae34908dfee088999337672d6baa40539ff47b343ff9d0c9f67c03318e9edd58d97c659868a84263f31bdaa62d9ea57e83651f68456d5684d3b2c53153240524d76550ab3307144e9b677841cacf49344799cd25d428f1ade198cd582fabac1ff954a6fe157b347f9812b63b515346955f947d39e9500b5aa67444159b4f891b157ccb71be18317b5003d84e95b4e749ae04ea1b6d0ba09bef20b514f7cc6b5c3d9eb4767cd865af35209b35948cd1ae47ccf6dc894d49087579b9e0e6a8de30c2ee275a17666b57170e210116011778143dc7a5d57d068774978a6f108b01ab6cadba771550a1e38073f05434cbc67c7c44004d3e3d90feee253236476592a7e2dfbdf9e5d4f74bbce5b738ff110d4459d9f48747f4d612f5bf1174b9441840865ef9b0d07335e816e814b84297ea4a27c36be6ea10d5e02f85c47054a17942a7f1aef01d7b9159af55961d7bbd0880e011b5de4c123ea168c2ff3679b26f8fc459569f3f18f707e9c6ad06f73f5011d7b63fe6184b487ec7e6ad4972a054d3d4e36a5f22398970efc019d66676dc0287c62251d68a93e5fc0dacedd8b476e40fdde68d5bd06596f62df106b3ce99c05654dbb59aa31c9091b6fe9cd808f1703a47d5640f2ddfe61d8b338a23347524f4cd6bdbf44c56dbf60c5bb3905034a2a824f20b9393fb4c834a2fd210ae575b38538e395d34b05f2099fb4b19a2618b52086e0c98a213649b340d7c5169564ca159dc45c5b7cb989cc21bca5aa032d65af253db39c4b7cca50a704a2e77498a6dc4dd5adea7e0c0c9a8fdd4bd287f12c0f73083bcf5cdf8de02205ac9ff3ad96ca2ab3199094f7e9d3739265b8453b6b5709fb3bfd4acd1d9cfef6be0ba050e84408d969910e1ee84ecf83ca5d497298e3c4ea78f5aaf3b9aa28cdae7181ed739f34cafcd78be5d23b4f16cfa6c9bb368d7725658ebd92e4d754e77bd21e9be7ddd03bbb54d7d462fc38520b25fed9314fd52f031ce22b4a347f150f01f9d5005b781bfb51b87855b61a1cfdaac508ba1c03f2af325c8a6decf5bf067789ae2a693406016332eeb6c385e279f7c0b94faecca0a11c3e3e57fbbce8fd8eb51a85749e5f85ae1aa89dd5515f4253099183ac8b4f4ab300ee2a7bec431cb7118471321982858404c2c632f7a80d53023b637283bf2ab808b6134bafd32a083a5fc57c0446ec04df4bb1d", 0x1000}, {&(0x7f0000001800)="bf5ca61db9299b910690550c635570383869c9ac8fa9f8e7a895e7a291ea44a9aff9fa8b6c7df15e09cff9f7d698a53bd3901fbfedf92339b8643bdec15e12e17c615ac6c8e8e4692b5fd16db3b9d26d2902ed7bc51db6be68978d41f14cabc8292cb0ad18d47d", 0x67}], 0xb6, &(0x7f0000001c80)=ANY=[@ANYBLOB="00007ddf2e865c19e1e1b8dbe0b73ac769741a7d737add6fa5ecdf2df27cb8a2ec64d1769315686611e0b88c832f3a34eea56a1753b59bd95306186f52f72cff0098fb74c6ebb5e78c272b787c0e1b2d65801ee41cb69cae2b38e13274e16a17afc4196a018eb6583a02", @ANYRES32=r2, @ANYRES32=r3, @ANYRES32=r4, @ANYBLOB="0000000028000000000000000100000001000000", @ANYRES32=r0, @ANYRES32=r0, @ANYRES32=r1, @ANYRES32=r1, @ANYRES32=r0, @ANYRES32=r1, @ANYBLOB="20000000000000000100000002000000", @ANYRES32=r5, @ANYRES32=r6, @ANYRES32=r7, @ANYBLOB='\x00\x00\x00\x00'], 0x68, 0x40040}, 0x20000000) ioctl$int_out(r0, 0x2, &(0x7f0000001c40)) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x2, &(0x7f00000000c0)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_JOIN_IP_MCAST(r1, &(0x7f0000000200)={0x10, 0x30, 0xfa00, {&(0x7f0000000080), 0x2, {0xa, 0x4e20, 0x4, @ipv4={[], [], @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x37}, r8}}, 0x38) socketpair(0x9, 0x0, 0xaaed, &(0x7f0000000000)) ioctl$SNDRV_CTL_IOCTL_RAWMIDI_INFO(r0, 0xc10c5541, &(0x7f0000000240)={0x1f, 0x0, 0x5, 0x0, 0x0, [], [], [], 0x8f5, 0x28c}) 04:41:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x2, 0x0) bind$isdn(r2, &(0x7f0000000040)={0x22, 0x401, 0x0, 0x1, 0x100}, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl(r1, 0x3f, &(0x7f0000000080)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="006340400000000000000000000000000080000000180000000000000008000000000b0022000000000000000058010084d9f94c", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000480)=ANY=[@ANYBLOB="000010ca12c1000ba0d70c61c884d0048000000000000028c17ba9c5e151a51c81af006f5ef19014d2b352736327b343af30015d383130f8835e76d36ebf8670ddb89dacf2bbd2273dcbf743eb28de71d32787f334730dcf2d0dfc18506b6e6382f07ecc961827d22869060bb5623255336047781ad93be77f810d8c623fddd4a8763f340f4962f146001c76e36d8b827a99f65a538fed5d5b69b73140f0bc60af1d9d13f530e4d3022396ca9d69976b5d7f66be0a118f193f85a9894094af8abd851c11988cfff2fe86ebe3e4f78ec394f22279f9d3611c5fdbbca27d87be0e36b22e7a88463a667d8b589ec4b720cbceb25f337eb567bcc601ba0fce6e8b7877a29c314d3d9f25379318b9a2cb309e3407316d92b802e8c420f3f9bd73b3188c084c74acd507e616062256d3c82302cd804cf8032104a67f1028d1dce77b00374ac0a4ecb62a086cb51688b409a90acc63540ac9e91d0baff0e92d27f72f50095dca5073ffc8c243652005d3a547c55e2c13ca222a9d4aa7a639ad90130a6bd219e12022625d2dc233fcaf3f99c4c99aff4c54bf"]], 0x0, 0x0, 0x0}) ioctl$IMDELTIMER(r2, 0x80044941, &(0x7f00000000c0)=0x3) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000500), 0x0, 0x0, 0x0}) [ 3375.946659][T12872] kvm: apic: phys broadcast and lowest prio [ 3375.955294][T12885] binder: 12868:12885 ioctl 3f 20000080 returned -22 04:41:57 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x9000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3375.988948][T12885] binder_alloc: 12868: binder_alloc_buf size 5546703577042475048 failed, no address space 04:41:57 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f00000004c0)='./file0\x00', 0x14104a, 0x0) write$P9_RSYMLINK(r0, &(0x7f0000000140)={0x29a}, 0x14) r1 = inotify_init() inotify_add_watch(r1, &(0x7f0000000180)='.\x00', 0x40224100000b) sendfile(r0, r0, &(0x7f00000000c0), 0x2000000800004c36) getsockopt$packet_int(r0, 0x107, 0x0, 0x0, &(0x7f0000000480)) arch_prctl$ARCH_GET_GS(0x1004, 0x0) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r0, 0x84, 0x4, &(0x7f0000000000)=0x7f, 0x4) ioctl$VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL(0xffffffffffffffff, 0xc040564b, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, {0x2}, 0x1}) creat(&(0x7f0000000200)='./file0\x00', 0x0) 04:41:57 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x500}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3376.037935][T12885] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 3376.102139][T12885] binder: 12868:12885 transaction failed 29201/-28, size 34-5546703577042475008 line 3147 [ 3376.146594][T13010] binder_alloc: binder_alloc_mmap_handler: 12868 20001000-20004000 already mapped failed -16 [ 3376.180499][T13021] kvm: apic: phys broadcast and lowest prio [ 3376.240684][T12885] binder: BINDER_SET_CONTEXT_MGR already set [ 3376.271468][T13010] binder: 12868:13010 ioctl 3f 20000080 returned -22 [ 3376.313126][T12885] binder: 12868:12885 ioctl 40046207 0 returned -16 [ 3376.346212][T13109] binder_alloc: 12868: binder_alloc_buf, no vma 04:41:57 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x9000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3376.391134][T13109] binder: 12868:13109 transaction failed 29189/-3, size 34-5546703577042475008 line 3147 [ 3376.414228][T14003] binder: undelivered TRANSACTION_ERROR: 29201 04:41:57 executing program 4: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x480880, 0x0) ioctl$VIDIOC_ENCODER_CMD(r0, 0xc028564d, &(0x7f0000000040)={0x0, 0x1, [0x401, 0x3, 0x7, 0x0, 0x2, 0x401, 0x6, 0xffffffffffff4f5f]}) r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(0x0, 0x0, 0x7fc) ioctl$RTC_EPOCH_READ(r0, 0x8008700d, &(0x7f0000000080)) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x0, 0x13, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) connect$vsock_stream(r0, &(0x7f00000000c0)={0x28, 0x0, 0xffffffff, @my=0x0}, 0x10) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f00000002c0)={0xe01f, 0x800, 0x6, 0x80000000, 0x8}, 0x14) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000004000000000000000000000000000000018000095730000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="8663044001000000"], 0x0, 0x0, 0x0}) r3 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_SET_INFO(r0, &(0x7f0000000280)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000180)={&(0x7f0000000540)={0xd4, r3, 0x0, 0x70bd2c, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0xa56}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x1}]}, @IPVS_CMD_ATTR_DAEMON={0x7c, 0x3, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1_to_hsr\x00'}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'yam0\x00'}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x4}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x7fffffff}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @multicast2}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x3}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @local}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @empty}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e20}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1f}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xdde}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x2}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x349}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x3f}]}, 0xd4}, 0x1, 0x0, 0x0, 0x8000}, 0x4) [ 3376.631761][T13274] binder: 13263:13274 transaction failed 29189/-22, size 2305845208236949504-2305845483114856448 line 2994 04:41:57 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3376.725159][T13274] binder: 13263:13274 transaction failed 29189/-22, size 2305845208236949504-2305845483114856448 line 2994 04:41:58 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x9000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x48000, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f0000000040)={0x7fffffff, 0x6, 0x4, 0x4, 0x1, 0x401, 0x0, 0x10001, 0x0}, &(0x7f0000000080)=0x20) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r2, 0x84, 0x5, &(0x7f00000000c0)={r3, @in6={{0xa, 0x4e20, 0x3, @mcast1}}}, 0x84) 04:41:58 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3377.006104][T13351] binder_alloc: binder_alloc_mmap_handler: 13348 20001000-20004000 already mapped failed -16 [ 3377.053539][T13349] binder: BINDER_SET_CONTEXT_MGR already set [ 3377.086487][T13349] binder: 13348:13349 ioctl 40046207 0 returned -16 [ 3377.090062][T13375] binder_alloc: 13348: binder_alloc_buf, no vma 04:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vsock\x00', 0x0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000180)='memory.stat\x00', 0x0, 0x0) ioctl$KVM_ASSIGN_DEV_IRQ(r1, 0x4040ae70, &(0x7f0000000280)={0x6, 0xff, 0x14b, 0x106}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) r3 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x1000, 0x80) ioctl$GIO_UNISCRNMAP(r3, 0x4b69, &(0x7f0000000040)=""/115) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x3, 0x2) setsockopt$inet_sctp_SCTP_EVENTS(r4, 0x84, 0xb, &(0x7f0000000100)={0xfffffffffffffffb, 0xd2, 0x8, 0x5ee4, 0x5, 0x401, 0x6, 0xc8, 0x7, 0x66f7, 0x401}, 0xb) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3377.103455][T13375] binder: 13348:13375 transaction failed 29189/-3, size 24-8 line 3147 [ 3377.112286][T13351] binder: 13348:13351 Release 1 refcount change on invalid ref 1 ret -22 [ 3377.213264][T13460] Unknown ioctl 1077980784 04:41:58 executing program 0: recvmmsg(0xffffffffffffffff, &(0x7f0000005a40)=[{{0x0, 0x0, &(0x7f0000001680)=[{0x0}, {0x0}], 0x2}, 0x5}, {{0x0, 0x0, 0x0, 0x0, &(0x7f0000003240)=""/50, 0x32}, 0x1}], 0x2, 0x0, &(0x7f0000005bc0)={0x77359400}) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(0xffffffffffffffff, 0x6, 0x14, 0x0, 0xfffffed1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x400, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x2, 0x40, 0x2, 0x81, 0x100, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$amidi(&(0x7f0000003180)='/dev/amidi#\x00', 0x0, 0x61f6a2aa6030be94) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0) r1 = openat(0xffffffffffffff9c, 0x0, 0x22400, 0x104) mkdir(&(0x7f0000000040)='./control\x00', 0x0) r2 = open(&(0x7f0000039000)='./control\x00', 0x0, 0x0) mkdirat(r0, &(0x7f00000001c0)='./file0\x00', 0x78) mount(&(0x7f0000000100)=@filename='./control\x00', &(0x7f0000000140)='./control\x00', &(0x7f0000000180)='minix\x00', 0x1000040, &(0x7f0000000200)='\x00') tee(r2, r1, 0x4, 0x1) getsockopt$IP_VS_SO_GET_INFO(r1, 0x0, 0x481, &(0x7f00000002c0), &(0x7f0000000300)=0xc) mkdirat(r2, &(0x7f0000000000)='./file0\x00', 0x0) r3 = openat(r2, &(0x7f0000000080)='./control\x00', 0x0, 0x0) symlinkat(&(0x7f0000023ff8)='./control\x00', r3, &(0x7f0000012ff6)='./control\x00') getsockopt$inet6_IPV6_FLOWLABEL_MGR(r1, 0x29, 0x20, &(0x7f0000000240)={@dev={0xfe, 0x80, [], 0x26}, 0xffffffffffff7cc8, 0x1, 0x2, 0xf, 0x100, 0xfffffffffffff001}, &(0x7f0000000280)=0x20) renameat2(r2, &(0x7f0000bee000)='./file0\x00', r0, &(0x7f00000000c0)='./control\x00', 0x2) 04:41:58 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x600}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:58 executing program 2: r0 = syz_open_dev$amidi(&(0x7f0000000100)='/dev/amidi#\x00', 0x1f, 0x480000) r1 = syz_genetlink_get_family_id$team(&(0x7f0000000180)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000001c0)={{{@in6=@remote, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@loopback}, 0x0, @in=@broadcast}}, &(0x7f00000002c0)=0xe8) getsockopt$inet_mreqn(0xffffffffffffff9c, 0x0, 0x24, &(0x7f0000000500)={@multicast2, @broadcast, 0x0}, &(0x7f0000000540)=0xc) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000000740)={{{@in=@multicast1, @in6=@ipv4={[], [], @multicast2}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@broadcast}}, &(0x7f0000000840)=0xe8) getpeername$packet(0xffffffffffffff9c, &(0x7f0000000880)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f00000008c0)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffff9c, 0x8933, &(0x7f0000000900)={'team0\x00', 0x0}) getpeername$packet(0xffffffffffffff9c, &(0x7f0000000940)={0x11, 0x0, 0x0}, &(0x7f0000000980)=0x14) sendmsg$TEAM_CMD_NOOP(r0, &(0x7f0000000b80)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x200400}, 0xc, &(0x7f0000000b40)={&(0x7f0000000c00)=ANY=[@ANYBLOB="54010000", @ANYRES16=r1, @ANYBLOB="08002cbd7000fbdbdf250000000008000100", @ANYRES32=r2, @ANYBLOB="4400020040000100240001006c625f706f72745f737461747300000000000000000000000000000000000000080003000b000000080004000300000008000600", @ANYRES32=r3, @ANYBLOB="0800ea000dd32655034d66924b32458421f7f4d53a5794a896fce520bc6d4e83a63c69ab09378cc1c0f40b7f54ef921facac230b46ebb176d3560000000000000000000000d71460b8ecf7b5e78f5165806e2091a60eb460b701ba5a423f7e939856706d9839c36c5f84bbc5e177147cf7a5a7096be871d11cef342a25ff37ae88f16533c38b7f8e6cf011c576962e0d019da83b8dea4def40ad8f9cf168c2b531227cb046c5a076b270350890435e50d6274b6223de615fc253", @ANYRES32=r4, @ANYBLOB="ec0002003c00010024000100757365725f6c696e6b75705f656e61626c65640000000000000000000000000008000300060000000400040008000600", @ANYRES32=r5, @ANYBLOB="38000100240001006d636173745f72656a6f696e5f636f756e740000000000000000000000000000080003400300000008000400010000003800010024000100616374697665706f727400000000000000000000000000000000000000000000080003000300000008000400", @ANYRES32=r6, @ANYBLOB="3c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r7], 0x154}, 0x1, 0x0, 0x0, 0x10}, 0x4000000) r8 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x40, 0x0) r9 = accept$packet(0xffffffffffffff9c, &(0x7f0000000400)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000080)=0x14) ioctl$sock_SIOCGIFCONF(r9, 0x8912, &(0x7f00000000c0)=@buf={0x9b, &(0x7f0000000340)="12deb232a4b9a4198de1cf4b8961654df238bb55c0e5e0fe82d6dfc72cd116f8d96d0765fc84c8ab6109e60bf18ab00b5d760f4c47e05aa440a2516c377604ff3a351bab57fe7ae960149e3e582fc75ec4215ec83c472b9787ee05499406dc16986af5e0885d714e5be13a2a5b181c59d21f1968d7ee216cd521e2a9aea2b86ded016946a572c56dcda9e60dcfef3f319a404a503d7a943308dbac"}) setsockopt$packet_drop_memb(r8, 0x107, 0x2, &(0x7f0000000300)={r5, 0x1, 0xfffffffffffffe46, @remote}, 0xfffffffffffffdaf) [ 3377.272260][T13460] binder_alloc: 13348: binder_alloc_buf, no vma [ 3377.276678][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3377.285128][T14003] binder: send failed reply for transaction 528 to 13348:13349 [ 3377.293713][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3377.299815][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3377.306228][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3377.371349][T13460] Unknown ioctl 1077980784 04:41:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffe4b, 0x0, 0x0}) geteuid() ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vsock\x00', 0x0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000180)='memory.stat\x00', 0x0, 0x0) ioctl$KVM_ASSIGN_DEV_IRQ(r1, 0x4040ae70, &(0x7f0000000280)={0x6, 0xff, 0x14b, 0x106}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) r3 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x1000, 0x80) ioctl$GIO_UNISCRNMAP(r3, 0x4b69, &(0x7f0000000040)=""/115) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x3, 0x2) setsockopt$inet_sctp_SCTP_EVENTS(r4, 0x84, 0xb, &(0x7f0000000100)={0xfffffffffffffffb, 0xd2, 0x8, 0x5ee4, 0x5, 0x401, 0x6, 0xc8, 0x7, 0x66f7, 0x401}, 0xb) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:41:58 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x700}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:41:58 executing program 2: mknod(&(0x7f0000000140)='./file0\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = creat(0x0, 0x0) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0xe760000000000000, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x1, 0xffffffffffffffff, 0x0, 0x4, 0x0, 0x7, 0x0, 0x100, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0xf}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = inotify_init() write$P9_RXATTRWALK(r0, &(0x7f0000000000)={0x356, 0x1f, 0x2, 0x8}, 0x191b0d2f) inotify_add_watch(r2, &(0x7f00000000c0)='./file0\x00', 0x20000000) dup2(r1, r2) [ 3377.622766][T13576] binder: 13556:13576 ioctl c0306201 20000440 returned -14 [ 3377.648252][T13581] Unknown ioctl 1077980784 [ 3377.706735][T13584] binder_alloc: binder_alloc_mmap_handler: 13556 20001000-20004000 already mapped failed -16 [ 3377.729526][T13580] kvm: apic: phys broadcast and lowest prio [ 3377.752391][T13576] binder: BINDER_SET_CONTEXT_MGR already set 04:41:59 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qat_adf_ctl\x00', 0x400, 0x0) ioctl$sock_inet6_udp_SIOCOUTQ(r1, 0x5411, &(0x7f00000000c0)) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) write$USERIO_CMD_SEND_INTERRUPT(r0, &(0x7f0000000000)={0x2, 0x3}, 0x2) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) fadvise64(r4, 0x0, 0x4, 0x5) syz_open_dev$dspn(0x0, 0x0, 0x0) r5 = msgget(0x3, 0x4a0) msgctl$IPC_STAT(r5, 0x2, &(0x7f0000000340)=""/4096) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) getsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, &(0x7f0000000040), 0x10) [ 3377.809198][T13576] binder: 13556:13576 ioctl 40046207 0 returned -16 [ 3377.888396][T13657] QAT: Invalid ioctl 04:41:59 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x2000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3377.940221][T13739] binder_alloc: 13556: binder_alloc_buf, no vma [ 3378.019728][T13584] binder: 13556:13584 Release 1 refcount change on invalid ref 1 ret -22 [ 3378.051905][T13739] binder: 13556:13739 ioctl c0306201 20000440 returned -14 04:41:59 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vsock\x00', 0x0, 0x0) openat$cgroup_ro(r1, &(0x7f0000000180)='memory.stat\x00', 0x0, 0x0) ioctl$KVM_ASSIGN_DEV_IRQ(r1, 0x4040ae70, &(0x7f0000000280)={0x6, 0xff, 0x14b, 0x106}) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) r3 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x1000, 0x80) ioctl$GIO_UNISCRNMAP(r3, 0x4b69, &(0x7f0000000040)=""/115) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x3, 0x2) setsockopt$inet_sctp_SCTP_EVENTS(r4, 0x84, 0xb, &(0x7f0000000100)={0xfffffffffffffffb, 0xd2, 0x8, 0x5ee4, 0x5, 0x401, 0x6, 0xc8, 0x7, 0x66f7, 0x401}, 0xb) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3378.073030][T13803] kvm: apic: phys broadcast and lowest prio [ 3378.095788][T11475] binder: release 13556:13576 transaction 535 out, still active [ 3378.107187][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3378.129907][T11475] binder: send failed reply for transaction 535, target dead [ 3378.152361][T13807] Unknown ioctl 1077980784 04:41:59 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x20000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:41:59 executing program 2: mkdir(&(0x7f0000000100)='./file0\x00', 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$nl_route(0x10, 0x3, 0x0) timer_settime(0x0, 0x0, &(0x7f00000003c0)={{}, {0x77359400}}, 0x0) lsetxattr$trusted_overlay_redirect(0x0, 0x0, &(0x7f00000000c0)='./file0\x00', 0x8, 0x0) getsockopt$inet_sctp6_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x1e, 0x0, 0x0) r1 = dup(r0) ioctl$TUNGETVNETHDRSZ(r1, 0x800454d7, &(0x7f0000000000)) sendto$inet6(0xffffffffffffffff, &(0x7f0000000580), 0x0, 0x800, 0x0, 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f000015bffc)='nfs\x00', 0x0, &(0x7f0000000000)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket(0xa, 0x5, 0x0) ioctl$BLKFLSBUF(0xffffffffffffffff, 0x1261, 0x0) ioctl$sock_inet_SIOCSIFBRDADDR(0xffffffffffffffff, 0x891a, 0x0) sendmsg$rds(r2, &(0x7f0000000040)={&(0x7f0000000300)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10, &(0x7f0000000480)=[{&(0x7f0000000340)=""/112, 0xfea1}], 0x1, &(0x7f00000008c0)=ANY=[@ANYBLOB="580000000000000084000000080000000000000000000000", @ANYPTR=&(0x7f0000000080)=ANY=[@ANYBLOB="5ec70fd5af55ff69ba0394408192f10000000000000000"], @ANYPTR=&(0x7f0000000580)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x58}, 0x0) 04:41:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x800) r2 = syz_open_dev$sg(&(0x7f0000000000)='/dev/sg#\x00', 0x0, 0x2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$SG_NEXT_CMD_LEN(r2, 0x2283, &(0x7f0000000200)=0x2b) r3 = dup(r2) write$FUSE_ATTR(r3, &(0x7f0000000040)={0x78}, 0xfddf) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$LOOP_SET_STATUS64(r3, 0x4c04, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x7, 0x8, 0x0, 0xe, 0xb, 0x8, "4c80edae41e0e0924819eb715a78240741add0d3e158ee2a31cd6d82ab4d8058550b0003417cf0eac6c9ffe476fcf0c3249145bae3f4db1cd65cfc7847211f60", "c2a7cd2a3fc5205ca9dc2304acb2e530ef619062546904a588d83bc02a04ffbbdd7981e79d0b2a218bf165d3a7ae239f0c3bdcc88e5da6cd639345a2e7a0c56e", "dabdcffd99849bab5a36dc32e8bdcc07f0360a68c203ba135ca78f35e2aaaa09", [0x8, 0x4]}) setsockopt$packet_fanout_data(r3, 0x107, 0x16, &(0x7f0000000380)={0x2, &(0x7f00000002c0)=[{0x4, 0x31, 0x7, 0xe3}, {0x9, 0x4, 0x5648, 0x5}]}, 0x10) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="b74279c05536859a8b000000113f84cb9c68b59c9d471ded1af0d6da5d3542e118700f728b00c99da5af1b9dd4be130103ad1397176f5e3101027c9f64783e111602de7c6d76192e3ffec49b8fc2e6348cbd8e894a5d122d95ea33238a466fbe1f63d5397f92d9e3d3e6630e3737e8e1499d5597a3146abbb650b696dfd0db3a88653b09ddfecde68dbb51ee35d8fe3175923726162422ab7903874a6e94f7819690cf1a106ef46fd4160254790ae6eeae04cae1c145731d52870bf36b6ef8084cf46804f4f631bfaceb6c9e904ca88cfc3847363750e986ecb08d"], 0x0, 0x0, 0x0}) ioctl$PPPIOCGMRU(r3, 0x80047453, &(0x7f0000000280)) [ 3378.204471][T11475] binder: release 13806:13807 transaction 540 out, still active [ 3378.219557][T11475] binder: undelivered TRANSACTION_COMPLETE 04:41:59 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4800}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3378.277334][T13813] binder: BINDER_SET_CONTEXT_MGR already set [ 3378.305680][T13813] binder: 13811:13813 ioctl 40046207 0 returned -16 04:41:59 executing program 0: capset(&(0x7f0000000080)={0x400019980330}, &(0x7f0000000200)) r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0xa2201, 0x0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000240)={{{@in, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast2}}, &(0x7f0000000140)=0xe8) setsockopt$inet6_mreq(r0, 0x29, 0x14, &(0x7f0000000180)={@local, r1}, 0x14) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000040)=0x0) ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r0, 0x80dc5521, &(0x7f00000000c0)=""/74) ioprio_set$pid(0x2, r2, 0x0) [ 3378.321390][T14003] binder: send failed reply for transaction 540, target dead [ 3378.363665][T13813] binder: 13811:13813 unknown command -1065794889 [ 3378.376555][T13819] kvm: apic: phys broadcast and lowest prio [ 3378.388541][T13813] binder: 13811:13813 ioctl c0306201 200001c0 returned -22 04:41:59 executing program 2: mkdir(&(0x7f0000000100)='./file0\x00', 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$nl_route(0x10, 0x3, 0x0) timer_settime(0x0, 0x0, &(0x7f00000003c0)={{}, {0x77359400}}, 0x0) lsetxattr$trusted_overlay_redirect(0x0, 0x0, &(0x7f00000000c0)='./file0\x00', 0x8, 0x0) getsockopt$inet_sctp6_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x1e, 0x0, 0x0) r1 = dup(r0) ioctl$TUNGETVNETHDRSZ(r1, 0x800454d7, &(0x7f0000000000)) sendto$inet6(0xffffffffffffffff, &(0x7f0000000580), 0x0, 0x800, 0x0, 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f000015bffc)='nfs\x00', 0x0, &(0x7f0000000000)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket(0xa, 0x5, 0x0) ioctl$BLKFLSBUF(0xffffffffffffffff, 0x1261, 0x0) ioctl$sock_inet_SIOCSIFBRDADDR(0xffffffffffffffff, 0x891a, 0x0) sendmsg$rds(r2, &(0x7f0000000040)={&(0x7f0000000300)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10, &(0x7f0000000480)=[{&(0x7f0000000340)=""/112, 0xfea1}], 0x1, &(0x7f00000008c0)=ANY=[@ANYBLOB="580000000000000084000000080000000000000000000000", @ANYPTR=&(0x7f0000000080)=ANY=[@ANYBLOB="5ec70fd5af55ff69ba0394408192f10000000000000000"], @ANYPTR=&(0x7f0000000580)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x58}, 0x0) [ 3378.428693][T13894] binder: 13811:13894 unknown command -1065794889 [ 3378.459787][T13894] binder: 13811:13894 ioctl c0306201 200001c0 returned -22 04:41:59 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4c00}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3378.496058][T14003] binder: release 13811:13813 transaction 545 out, still active [ 3378.513727][T14003] binder: unexpected work type, 4, not freed [ 3378.545401][T14003] binder: undelivered TRANSACTION_COMPLETE 04:41:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$vimc2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video2\x00', 0x2, 0x0) ioctl$VIDIOC_SUBDEV_S_FMT(r2, 0xc0585605, &(0x7f0000000040)={0x0, 0x0, {0x712f01c2, 0x87b1, 0x301f, 0xf, 0x2, 0x0, 0x0, 0x7}}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3378.611190][T14003] binder: send failed reply for transaction 545, target dead 04:41:59 executing program 2: rmdir(&(0x7f0000000000)='./file0\x00') prctl$PR_SET_SECUREBITS(0x1c, 0x24) faccessat(0xffffffffffffffff, &(0x7f0000000040)='/', 0x0, 0x0) [ 3378.682083][T13785] QAT: Invalid ioctl [ 3378.730734][T14041] kvm: apic: phys broadcast and lowest prio [ 3378.748668][T14043] binder_alloc: binder_alloc_mmap_handler: 14032 20001000-20004000 already mapped failed -16 04:42:00 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x620000, 0x0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000040)={{{@in=@initdev, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in6}}, &(0x7f0000000140)=0xe8) stat(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f0000000340)={{{@in6=@local, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{}, 0x0, @in6=@mcast2}}, &(0x7f0000000240)=0xe8) r5 = getegid() stat(&(0x7f0000000440)='./file0\x00', &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000000500)='./file0\x00', &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f00000005c0)={{{@in=@broadcast, @in=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in=@initdev}}, &(0x7f00000006c0)=0xe8) lstat(&(0x7f0000000700)='./file0\x00', &(0x7f0000000740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f00000007c0)={{{@in6=@initdev, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast2}}, &(0x7f00000008c0)=0xe8) fstat(r0, &(0x7f0000000900)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fstat(r0, &(0x7f0000000980)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f0000000a00)={0x0, 0x0, 0x0}, &(0x7f0000000a40)=0xc) write$FUSE_DIRENTPLUS(r1, &(0x7f0000000a80)={0x3e0, 0x0, 0x4, [{{0x1, 0x3, 0x8, 0x6, 0x5, 0x4, {0x1, 0x9, 0x9, 0x2, 0x0, 0x6, 0x9, 0x5, 0x9, 0x7, 0x6, r2, r3, 0x1, 0x2}}, {0x0, 0x2, 0x8, 0xe93, 'keyring]'}}, {{0x5, 0x2, 0x100, 0x613f, 0x1, 0x1, {0x3, 0xfffffffffffffffd, 0x10001, 0x7, 0x5, 0x8, 0x7, 0x10001, 0x101, 0x400, 0xfffffffffffffff9, r4, r5, 0x4b41, 0x2}}, {0x5, 0x1f, 0x7, 0x40, '}cpuset'}}, {{0x2, 0x1, 0x10000, 0xdd5, 0x5, 0x9, {0x1, 0x9, 0x7, 0x15, 0x200, 0x3, 0xbbec, 0x2, 0x4, 0x9, 0x9, r6, r7, 0x7ff, 0xcf6}}, {0x0, 0xfffffffffffffff9, 0x2, 0x3ff, '\xab!'}}, {{0x2, 0x2, 0x401, 0x0, 0x0, 0x100, {0x2, 0x0, 0xc6, 0x8000, 0x3f, 0xffffffffffff0001, 0x1, 0x2, 0xd0c, 0x1000, 0x9, r8, r9, 0x8}}, {0x1, 0x3, 0x17, 0x1, '\xf0keyring,wlan1wlan1proc'}}, {{0x3, 0x3, 0x100, 0x80000001, 0x4, 0x6, {0x0, 0x7, 0x4, 0x4, 0x100000001, 0xfffffffffffffffc, 0x0, 0x8, 0x2, 0x401, 0x80000000, r10, r11, 0x6, 0x6}}, {0x3, 0x1, 0x8, 0x6, 'vmnet1}#'}}, {{0x1, 0x1, 0x0, 0x9, 0xc1, 0x7, {0x1, 0x3, 0x0, 0x20, 0x6, 0x0, 0x3, 0x44a6bcfa, 0x100000001, 0x2, 0x3ff, r12, r13, 0x8, 0x7f}}, {0x5, 0x7ff, 0x1, 0x40, '\xf9'}}]}, 0x3e0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r14 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r14, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r14, 0x5) r15 = socket$inet6_sctp(0xa, 0x5, 0x84) r16 = accept4(r14, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r15, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r16, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:00 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") r1 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r1, 0x6, 0xa, &(0x7f00000000c0)=0xfff, 0x4) bind$inet(r1, &(0x7f0000000000)={0x2, 0x4e23, @broadcast}, 0x10) sendto$inet(r1, 0x0, 0x0, 0x200007f9, &(0x7f0000000200)={0x2, 0x4e23, @loopback}, 0x10) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000000100), 0x4) r2 = syz_open_dev$vbi(&(0x7f0000000040)='/dev/vbi#\x00', 0x1, 0x2) setsockopt$inet6_MCAST_LEAVE_GROUP(r2, 0x29, 0x2d, &(0x7f0000000280)={0x3, {{0xa, 0x4e21, 0x8, @mcast2, 0x7ff}}}, 0x88) sendmsg(r1, &(0x7f0000002680)={0x0, 0x0, &(0x7f0000002600)=[{&(0x7f0000001480)="baac35a26b383589e3529a43567975bd1941950d57edddb71475db24c8f267a9187e587bf01daed310ee69cbeff16a34e2f78cd4a40c3bbfcb1ac1c061ca34fe5fcd8ec7fb993163adf74c9138ad2260426c9f8ea4655891b7708a72c2b2d1e79df6599a3498063cf4991028288a83164c196ff7a6ca9d991100201ec59c7887556d8d03e456a835c09a4d180eedbe886d7757483f2b1668278a38b364c4a26f5a867dee53e3c06600cb63bf7eb221ed9bc621913f266745e132e6d6d793b94d30185e65d613401a8b0dff559bf480006fc94f4ca0a42229e016469fc7cc8ad3325570ef14577b40615784b6a846d586875d1e050e85ca0a5ca0aad9ff560fd039139a5b811726a9a001d5a4ef174f53f32407937590b1f703d26c147437292e6c3794049e7a430140a937fa961517044cc49bb40ce631d039a562fb019f1e0927a5ce2af79f8abd27acc8a5980d15a3de5ce567a5cb0acf577984623e79a1cc3b7683d278ac145d1b17ab7965b64a659ff02c61425ee16ae235275d77bed825181a637a0325f6d20929d543aaa1b3e7d390805d9266bb1e211008641bf95feb7bfc8e76ec856aeb7559d4ddd61ac05b957408dd74b35c2d02e54baa20d60211dde5f9da818f2d267da4565be98d822c0510339b9a646d4a519d9558e57093d57d371179aa7611abe3b228ee9c8050420a53e617c84aed9dc64cc15a6739835858a890cf011d4fc79456123c56c4052728c9283ae667efc136397ca5e7d33f609787b72abd108440277ce0988005ad758ef574a848a3d9a248c4f98b064ef1bc5596e2499bf0ad6d102bd2e75e7fb2865dc8891ec90f543e47fe4ab3a0de39cf4f14fe50a0db54ee21f2bddadcb336bb0ed183dbc0556328d2f63b736ccc5f62e4f76c1d7ff031f1584b00174fe2f3ba1da5ee07873fe4c1eccbea360ede9f13b462587cf7c3ca68166da141113d59a2571a8a32dc4416225c00cb968fa7015e51ee0e3c757aef51c7120d7435a3ec4f2a4cdca0a41e293e269dc31cf86114d899921418f2429a2ee59eb5a446a3f9004cd48051a5c1df39351b658db33ff0abc9874239fb89b1ed692a0b3f0c88271f1f7a39cff6696331fa7b2cead01012353f872fff4e26827acf358f189967d3af29e7d357cfdf3965576d1ca8640bd9e0caffe588ffc4e33bfacd7ba1d2dcd47819749cf1ce66fa090dba04d13e6d50ec99f7230b35f0b8f43f1ca23acaef322cf457a774e051d258c18e07311105e2a3f3a2d621550357a4d20af0d18983d1ac267fab7803b0c16b97bb4602b76deb1a60eccfe5a711fc0c6eb470834323827d6f9ac9fe47019221e19bd0dfbab3099519dbed02def1a131390779304cda0da14e7d50509a56e5d286ee6f85320dc905698dc7e0c59bf03368fbe16dbdac49e7691af0a77ead61bc3eee03d19da68f74fddb4b6dd610ad549209f83ba7739a8520d164b7ed58b7b3d3b4d42c160f9a04041954ba5f238fe0d551d61677533c17467323c964bc71d318658e74882d3c50e73b617ecee08a1d17805cb829b54ee333b117aed3ec61aa87bb27e2db55352d21aa439d0e1e2e8f6020f75b96439479b5c2320a7325b1ef2ebcc18a0d0a50cab4ab8264856592fad4a1268837bf7b7199674a1fc52fa6a068cb96f61f7a3f264309c84768b11dd19669a2a58169f348e3e90a99f5fc4f440ab96710617df3d2916eea6ad99cefb4139f76ac93f16f18669cb6ad5842197427747be5fdac3cf198ba9bcf41cc483e1d8705bf6725c8e7aa57954e1faa5cdcfe5332f04c5dbffe4ac296e86a4815782adf2f150ff749e78e870d28b1ec3209545ea088e3a9d2ec742e0dda31ddaa7ec5e02809cf035ec451e1b9f9d98962b57e986ece778c2bd6aa5b8b150cfeea5672ce09d518812e8925678c063fae1ac0387d0d0ff81960186a76ea133784dacbd493fa336b027455a75a7a3906714f280a8c0bc86ca979d400e5c18030f59f8024bed45bf1e0b97ab188035144bfcae967f0498a93109f45707fef4ae3a86aa06de36d68d3f4f3599adffa97ad62ba2a8c9b3ae112d2558d3f06f54089adf18f60adf3320094aae72a39e3cbbbacf4b0421ad087b2759562ba3dbe0cb1b0e7eb7f17460469cf59637044329e7f0237dff96389bc2c524028d37a3d3d601cb6cb916fd67513ceda2f9814c0deeafd6af713fabfe9c8198d62c27c8aec19531d6c10ce8fed62f04a206ac57fa73117af316c35655b179909c75218c27e94c9bccab15f062c7ac17394f09b020ac26ebb2844769fa77ba7f52b6471d46217ec02acca31b9b483939f80e9cf2dd86bee37ad7fa9bf11430507796efb15d95c9552257ae0a2831ba9c0bf4723af253ca1c8b8e6b3325d882e31a0b61306d232cfdce269c4a9723fe2f4d3f6882dc3374552f15b95c648be08221403de7d09b5dbf11a4b83f6d124a74b0b4f721168653b9c1f4c2137003d515e5e93ad9d68304da6c85269a307472de62fca045c833b57504fb7160e667fa9f59d6d398b9a509dd4ce499c080b26209a2312de143239af60c184f98038f307a06c9d827e9a7adab17e9689a752db3831f4ff7929e32f33c844e08bb48d9a9fe2e3db0594c1737955cdb872f5cd81df80b41fe867e229f1a5bb1de35052893abfbd5687846d52d8e6e508738bae9fc48f84b2729a864e49f6570a6ab99c5d557f13aff7a95fb6156dfd8da8b28f14a1c9595b28f5ee63bf4bd0bee9af1a0f467f6b1bd338bb2327f73b86ef884adfb7b85708421946804d90155f76d3a18ca0fa5f4ae19c65471110278456c9314b335ec96f7d17837b0504fba7564c637a9d7b4cf010f2415d05bbc1dd207d29e1f6cb10e696fee228fa360eb99cf33618e67357aeba4f402ca6f8be33247ee25a7202907c67d038fd0ac7606a847d1bde7baeda2a071e9de02a3fc16e772c81cc9deecba5804d39466f8bf499671159c7709aeb31bd85db93161f475c27901d5cf30252270ea414c4ab594f31422f211fc107542e5d25c7fedfbc362af4596421646957d217656e6abdd0fae0c75d54c72c2651003d5fb3d96cb507269a581c8da875e9d82f9fda766546d933f304c9281d691c721da789b8208afc30c41529db83db6f061dddfb29df4f3bb2269704f2d5e21cc9dda5303283f95a46182b56352c21e42e77b907537fbe90d044670c3653acccc585577419cd2b7fdc4ad9670c3b5dc36f9f352fe226bda275107e055813978124ed6931b104dca0d2620e33190cba69e0dc7d86857f975353f96d3deb7c86066efa718614ef2513e46155a1c22a86fd4c3b6f84d87d4a8be3a57869d22bfc817843e97e87ed37dd5d3c6f5887ae9f64f08e41c133e466d75d6b8d0fc752916f8cb3a8f4b1987aa2eb3a4e5542bae41933438f5f775fa14030ab2c4c6bc1d106da50b1e0481b3b67838719388cf82026cb2a208ee7a2b19693da27f2bb6f8b51ef6df01254cb33ff4c28c185a9a9d18904d9ffd07a5ddba8df80179f649b4132f68a8a30d410c458ae3dd436c98159958e6364f47a29da04c500b589abb53fd0dcd8d7701dc07d4c3983d37cae00ac07f4ba73ba33649ee9688b64e8ae8ba67897a85b5956da614491fe5b5dbc106ba0c43e33e97e411a3b17a6049bd4146c044b7c41c59796a61caa1d2bb9704946f683867dec8c18ebcc6930c4d03f3e76770e3f7dcc89943f28ac60cf5a5f9e3ce21876251178bdfbf1795173873ffa054e1f3fce6e672ba29afcdc4de882c9e30ed75deca6ff79f8e42769552dd0f0950f2051e17089b7210fb85c2cf9e9598c76872889f74fd40fd5ce95e1e1a927e452e35006b4a506ea0dbd23f883e6bec2b35f9381b4beae1a64427b4ae046b0fe00e629a1feaf3694069c38e43803cdf313495cf9f5eda40aa41f0c929c63efd35ad2ed163d603030009f1d1c4232219f18ff7bb34ed6649ab0403d4cfc99181d1e259c432bdabd60ceae7db5406b89faad9674a48538a616136a29024d329f2c347d696f666c789c605442fc39c7f5f99b7c05849445562677601129620c1c150b7bdbfa96bab797c7164397d00b9c02e617436e5ff24736b4382a66276ef72060d082a8d716555ece5388848d94f964e62a9cc553edff7ff6946919386508cf510848e30095248cdc467c0a185757eee14a8fd6baedd44204b530c5fe25e5db05ba71a610e487b26c113eed688f488cd4e0251239980cde47794a33bfd6772d4e670887334c3850069e91d18c9a2bca31437589185e5077c4b1c98450fad5d4ce63fa3c4211290c8e2b38441f9584159e85f37cfee012c7c3dbc610d8b2be738e86ef8e071a0964e7d901c3f5a66ba121f8246cbe89b6653f4fc51c1adcacbbf13821a47895fdfec5513f5fcbcf8c34bb97e15de98f477d616109cca8ef07c6d5735375a155c2a260fa348ed863b8240ac6ef952efb58a1ff537b2c455bb215998e729dc53a548cc8b293882337d997e49e036b271831917574572459a101feb0626b625cea941b2913bf228a81abff53d88535701980f0f60d0a4c4a57cdcffc21c75c604e2cfcef65848b259d62c8f47cdf831fcee0782cbe85c62d639597ab13ae9379643ba6da24c632b588b98504ab53ae86ac451d776ff3bea27d2f3bea8324e513cf7f602f21ddc26ea9874b5bf6ecf28c1620fedb230d1aed4779d6f9ef8ba72105ca2084e6d34af6967471d22108a44cb6356da66323e109a6a46b874b99231cf41ebd027734fe20e7cfc0054d3117921ca0a11ed1e4dcc3bba3e707a9ae1fbe1abf481c7f7d4cfeca8e20c65126a24b05f073e29e473027f080d749a6091a70ec5b264f7d09bc97cf565fac0e32f7d66c5068f7f1b5e1bac2640d144e0d69d89fb591e5b77191ec4f9b9c7ab5e600a7b2100b7c3b3d212fa697b77a2fd21cef27b0480739a4db58e659b4e64090274ea785e1341acbabf91cbdc3987624b69a752cafccb542125a27c87bc148d8028178e3323a433efe97be580b8e4d8f5344ab392264f47a0c16f96b11857a59ded3e712841560e6dce853858c05cd9dfdd713c98d0f191176a936d34db71f01c4402ee31299cf1a92206ec4c3d8dba93bf085063b0b3834b07c3570d6affdd4b1826d6ce36ecbfc84f8f5bb9d23ff8a7428bb292ecd5715037247d1416cfa25acffd0e18323e28f56febc3e1ca7b6df2ebc5469d74ce3613cd79292a2cf6e13c7a427529a75159a2398448a4797ceb3ab8dd36b15ba375180b147f620a5f6acf7f9201c16f2ee841a81f315700fce2b88556a557105b0c91684e7cba17d69c4011747c8b09c8365ea360afcf34359dd5662a3344e94c8a2eee2d3b4a2619ce24bcfcb06a12423d99cb35b2579dd2cab35ec16940c46fa66c88043bdace31382ff6cc49b2f2f6e41c463e3c967334dd6b92d00e302e999eb0b794a1c7a08e550bdccb88cf54b95df3eda3ecd7f6166b37b297bd4bd365f02cf1bdaf4c96f2c8930e835a37eabfff7d62eac705b59d4e3e88102cd9b044c8e6a2e8041179410f2168b48b90451da71034beb1ecb31f8a247b1caf0656af72d85ed732e103eaf5a2be4f1c1103a70c56be37bfe19ed68912fbcc2e45412a914bb0b67048f95c9e546c72d7589e69e13153c542efdc953166b11b9683895703b82e50f14dbc13670768d45dd370f4ce1f10705be1448868435ed736d182da63ffdb98d69a8027550b4c2b30b2b4049a95db047e0c9f06f06bbeb845dec5995b5c5eb4ff89f2ec42c52e8fd221048841b956f17fa37db", 0x1000}], 0x1}, 0x0) recvmsg(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f0000003ac0)=""/4096, 0x1000}], 0x1}, 0x400100) [ 3378.835173][T14040] binder: BINDER_SET_CONTEXT_MGR already set [ 3378.871825][T14040] binder: 14032:14040 ioctl 40046207 0 returned -16 04:42:00 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3378.913582][T14043] binder_alloc: 14032: binder_alloc_buf, no vma [ 3378.966175][T14003] binder: send failed reply for transaction 549 to 14032:14040 [ 3378.975973][T14003] binder: undelivered TRANSACTION_COMPLETE 04:42:00 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x3f000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:00 executing program 2: r0 = socket(0x10, 0x80002, 0x0) write(r0, &(0x7f00000000c0)="2600000022004701050000000000000005006d20002b1f00c05d080a4a71f10101c7033400b0", 0x26) 04:42:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x8a80, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r2, 0x4010640d, &(0x7f0000000040)={0xb, 0x7fff}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3379.038413][T14147] kvm: apic: phys broadcast and lowest prio 04:42:00 executing program 2: r0 = socket(0x100000010, 0x3, 0x0) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000100)={'ip6gretap0\x00', &(0x7f00000000c0)=@ethtool_sset_info={0x37, 0x0, 0x3}}) [ 3379.153060][T14168] QAT: Invalid ioctl 04:42:00 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6800}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3379.221740][T14205] binder_alloc: binder_alloc_mmap_handler: 14167 20001000-20004000 already mapped failed -16 04:42:00 executing program 2: r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000300)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$inet_tcp_int(r1, 0x6, 0x2000000000000013, &(0x7f0000000180)=0x1, 0x4) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f00000001c0)=0x2, 0x4) r3 = open(&(0x7f0000000280)='./file0\x00', 0x110000141042, 0x0) ftruncate(r3, 0x10099b7) sendfile(r0, r3, 0x0, 0x88000fbfffffc) ftruncate(r3, 0x0) [ 3379.268457][T14168] binder: BINDER_SET_CONTEXT_MGR already set [ 3379.287954][T14168] binder: 14167:14168 ioctl 40046207 0 returned -16 [ 3379.307534][T14168] QAT: Invalid ioctl [ 3379.317720][T14205] binder_alloc: 14167: binder_alloc_buf, no vma [ 3379.333636][T14205] binder_transaction: 5 callbacks suppressed [ 3379.333880][T14205] binder: 14167:14205 transaction failed 29189/-3, size 24-8 line 3147 [ 3379.356739][T14168] binder: 14167:14168 Release 1 refcount change on invalid ref 1 ret -22 [ 3379.366754][T11475] binder: release 14167:14168 transaction 554 out, still active [ 3379.387477][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3379.398232][T11475] binder: send failed reply for transaction 554, target dead 04:42:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:00 executing program 0: perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000240)='net/ptype\x00') sendmsg(0xffffffffffffffff, &(0x7f0000002fc8)={0x0, 0x0, &(0x7f0000000540)}, 0x0) preadv(r0, &(0x7f00000017c0), 0x1fe, 0x400000000000) 04:42:00 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6c00}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3379.583604][T14378] binder_alloc: binder_alloc_mmap_handler: 14345 20001000-20004000 already mapped failed -16 [ 3379.628488][T14360] binder: BINDER_SET_CONTEXT_MGR already set [ 3379.641957][T14360] binder: 14345:14360 ioctl 40046207 0 returned -16 [ 3379.697598][T14422] kvm: apic: phys broadcast and lowest prio [ 3379.750734][T14473] binder_alloc: 14345: binder_alloc_buf, no vma [ 3379.757045][T14473] binder: 14345:14473 transaction failed 29189/-3, size 24-8 line 3147 [ 3379.785486][T15669] binder_release_work: 9 callbacks suppressed [ 3379.785494][T15669] binder: undelivered TRANSACTION_ERROR: 29189 04:42:01 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r2 = syz_open_dev$dspn(&(0x7f0000000200)='/dev/dsp#\x00', 0x100000001, 0x40) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000240)={0x0, @initdev, @remote}, &(0x7f00000003c0)=0xc) recvfrom$packet(r2, &(0x7f0000000340)=""/85, 0x55, 0x10000, &(0x7f0000000400)={0x11, 0x15, r3}, 0x14) listen(r1, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) vmsplice(r0, &(0x7f00000001c0)=[{&(0x7f0000000000)="ee1a8a7e99f59bd816bda31a35ca9c36701801cb0fbbb16b5462bc67c90462ca16393c408a22de8d8ee7b022c99e57e9fa14b4b92eeb4f45f29afae582460e36d63ff7e353f502f66a7f3d6b1ae8b1e66a016e0a62ec175241e2b04f1a5c9dfc344c29da194e21eb36e52847c7d42627ab37424ab44309864c2991f44f2fc0b61dbf26a085d635d5cb54c4f62f92bc3a5a1f420967ce16a5070a", 0x9a}, {&(0x7f00000000c0)="9088c8e2973680d9876a91ae7c99ba5a465a7b87ee7846b47af15dafcdd6b252e73ea03ee2d80c313892221559", 0x2d}, {&(0x7f0000000100)="9506782a4ad5d6204764c54ecb7f75ff6d00d682a63a070994f9218015647c04299e2735445b043598216fd1ee0f6b7caf860be94f62b6d456ae6fc4a0ec4366eb0b37dbae1810898c93071db30e3e1191c9085add7e1f29804c7d0e6807fec4e1adf47facac419985511ad6c198afea9edf22238a7f440d3ebf78c6b6b46c7e1ebb96a544a610693da9f5d8d5f74cbd08d1a3aac3b9e4e2926fb2f0c22a0f6198ed1a3c949037adb7da7132d1322a57c098", 0xb2}], 0x3, 0x8) 04:42:01 executing program 2: write$nbd(0xffffffffffffffff, 0x0, 0x0) accept4(0xffffffffffffffff, 0x0, 0x0, 0x0) sendmsg$key(0xffffffffffffffff, 0x0, 0x0) r0 = socket$key(0xf, 0x3, 0x2) r1 = perf_event_open(&(0x7f0000000140)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmsg$key(r0, &(0x7f0000000000)={0x40000000, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x2, 0x7, 0x0, 0x0, 0x2}, 0x10}}, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x2) 04:42:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x40000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3379.800579][T15669] binder: send failed reply for transaction 559 to 14345:14360 04:42:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x1d, &(0x7f0000000040)={0x2, [0x0, 0x0]}, &(0x7f0000000080)=0xc) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f00000000c0)={0x2, 0x200, 0x3ff, 0x96, r2}, &(0x7f0000000100)=0x10) r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:01 executing program 0: shmget(0xffffffffffffffff, 0x2000, 0x0, &(0x7f0000000000/0x2000)=nil) [ 3379.854076][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3379.891057][T15669] binder: undelivered TRANSACTION_ERROR: 29189 04:42:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7400}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3379.956834][T14581] binder_alloc: binder_alloc_mmap_handler: 14558 20001000-20004000 already mapped failed -16 [ 3380.045313][T14590] binder: BINDER_SET_CONTEXT_MGR already set [ 3380.098789][T14590] binder: 14558:14590 ioctl 40046207 0 returned -16 04:42:01 executing program 0: r0 = msgget(0xffffffffffffffff, 0x3fa) msgrcv(r0, &(0x7f0000005680)={0x0, ""/4096}, 0x4d7, 0x3, 0x0) msgsnd(r0, &(0x7f0000000040)={0x3, "d3d7254ac4723d4694dbcb1af5d41ad9b6e757098e6b185618ce8e68f4ee22c5246d1c4ed568b9dbbfc9f903f484fee5e1b3c7ffdd56473d26891694ad15d8d2355eba3f3404f3194413b8917e16c570ff543825979ce15f49939263be8828fbd87ce117490629db9230da8f563cc0d1122580838b347dd63caff6a4eba9c905010b7b41b84575f9d4373ab7667f233150c0f5d4220a3f235729aa35a1dbcd3d1ddf765aba52ee8621266db5733898062692dcd036492d484a802ffb334d411266e12d56d309c37b3ba9ee3ff861d4e1ab6c519d364cfa3f991c0318d525"}, 0xe6, 0x0) 04:42:01 executing program 2: [ 3380.226587][T14665] binder_alloc: 14558: binder_alloc_buf, no vma [ 3380.227499][T14581] binder: 14558:14581 Release 1 refcount change on invalid ref 1 ret -22 [ 3380.282792][T15669] binder: release 14558:14581 transaction 564 out, still active [ 3380.291143][T14665] binder: 14558:14665 transaction failed 29189/-3, size 24-8 line 3147 [ 3380.317599][T15669] binder: undelivered TRANSACTION_COMPLETE 04:42:01 executing program 2: 04:42:01 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7a00}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3380.481457][T15669] binder: send failed reply for transaction 564, target dead 04:42:01 executing program 2: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xf7c, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syslog(0x9, 0x0, 0x0) [ 3380.531850][T15669] binder: undelivered TRANSACTION_ERROR: 29189 04:42:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x5, 0x20011, r0, 0x0) pread64(r0, &(0x7f0000000000)=""/232, 0xe8, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3380.752600][T14772] binder_alloc: 14749: binder_alloc_buf, no vma [ 3380.758937][T14772] binder: 14749:14772 transaction failed 29189/-3, size 24-8 line 3147 04:42:02 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in6={{0xa, 0x4e24, 0xfffffffffffffffb, @empty, 0x7fff}}, 0x3, 0x3f00, 0x8d0e, 0x0, 0x54}, 0x98) 04:42:02 executing program 2: getsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0x0) r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x400, 0x0) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000540)=@nat={'nat\x00', 0x1b, 0x5, 0x560, 0x110, 0x110, 0x110, 0x358, 0x358, 0x490, 0x490, 0x490, 0x490, 0x490, 0x5, &(0x7f0000000180), {[{{@ipv6={@local, @loopback, [], [0xffffff00, 0xffffffff, 0xff, 0xff], 'lo\x00', 'ip_vti0\x00', {0xff}, {0xff}, 0x87, 0xd6, 0x5, 0xb650d38d68083542}, 0x0, 0xc8, 0x110}, @NETMAP={0x48, 'NETMAP\x00', 0x0, {0x2, @ipv6=@dev={0xfe, 0x80, [], 0xb}, @ipv6=@dev={0xfe, 0x80, [], 0x28}, @gre_key=0x3, @icmp_id=0x64}}}, {{@uncond, 0x0, 0xc8, 0x110}, @MASQUERADE={0x48, 'MASQUERADE\x00', 0x0, {0x0, @ipv4=@rand_addr=0x8, @ipv4=@empty, @gre_key=0x100000001, @gre_key}}}, {{@uncond, 0x0, 0xf0, 0x138, 0x0, {}, [@common=@ipv6header={0x28, 'ipv6header\x00', 0x0, {0x0, 0x40}}]}, @REDIRECT={0x48, 'REDIRECT\x00', 0x0, {0xb, @ipv4=@multicast1, @ipv6=@ipv4={[], [], @broadcast}, @port=0x4e22, @icmp_id=0x66}}}, {{@ipv6={@mcast2, @remote, [], [0x0, 0xff, 0xffffff00], 'bond_slave_1\x00', 'veth1_to_hsr\x00', {0xff}, {0xff}, 0x0, 0x5, 0x1, 0x8}, 0x0, 0xf0, 0x138, 0x0, {}, [@common=@icmp6={0x28, 'icmp6\x00', 0x0, {0x8, 0x8, 0x3a635a3e}}]}, @REDIRECT={0x48, 'REDIRECT\x00', 0x0, {0xe, @ipv6=@empty, @ipv6=@ipv4={[], [], @rand_addr=0x6}, @icmp_id=0x67, @icmp_id=0x68}}}], {{[], 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x5c0) write$P9_RLCREATE(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_genetlink_get_family_id$tipc(0x0) perf_event_open(&(0x7f00000000c0)={0x5, 0x70, 0x0, 0x7f, 0x81, 0x10001, 0x0, 0x73d1, 0x400, 0x0, 0x7, 0x3f, 0x10001, 0x3, 0xfffffffffffffff8, 0x3, 0x0, 0x100, 0x5, 0x4, 0x1, 0x0, 0x0, 0x0, 0x0, 0x4, 0x3, 0x6, 0x7ff, 0x7ff, 0x5, 0x0, 0x6, 0x0, 0x4, 0x3, 0xfffffffffffffffb, 0x69, 0x0, 0xb58d, 0x0, @perf_config_ext={0x7ff, 0x1}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BLKALIGNOFF(0xffffffffffffffff, 0x127a, 0x0) clone(0x70024100, &(0x7f0000000a00), 0x0, 0x0, 0x0) perf_event_open(&(0x7f00000004c0)={0x2, 0x70, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, &(0x7f0000000300)='oom_score_adj\x00') openat$uhid(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uhid\x00', 0x0, 0x0) [ 3380.846738][T14772] binder: 14749:14772 Release 1 refcount change on invalid ref 1 ret -22 [ 3380.871392][T14793] binder: BINDER_SET_CONTEXT_MGR already set [ 3380.877546][T14793] binder: 14749:14793 ioctl 40046207 0 returned -16 [ 3380.901559][T14772] binder_alloc: 14749: binder_alloc_buf, no vma [ 3380.925022][T14793] binder: 14749:14793 Release 1 refcount change on invalid ref 1 ret -22 04:42:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x54000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xff00}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:02 executing program 0: fcntl$getown(0xffffffffffffffff, 0x9) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") bpf$BPF_PROG_QUERY(0x10, &(0x7f00000000c0)={0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0}, 0x20) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0x3c}, 0x0, @in6=@dev, 0x0, 0x0, 0x0, 0x6}}, 0xe8) creat(0x0, 0x0) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0x0) [ 3380.945059][T14772] binder: 14749:14772 transaction failed 29189/-3, size 24-8 line 3147 [ 3380.980067][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:02 executing program 2: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xf7d, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xf7c, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) msgctl$MSG_STAT(0x0, 0xb, &(0x7f0000000240)=""/194) [ 3381.025394][T14901] kvm: apic: phys broadcast and lowest prio 04:42:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) lseek(r0, 0x0, 0x7) r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x100, 0x0) r3 = accept4$packet(0xffffffffffffffff, &(0x7f0000001dc0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001e00)=0x14, 0x800) ioctl$sock_inet6_SIOCADDRT(r2, 0x890b, &(0x7f0000001e40)={@empty, @ipv4={[], [], @multicast1}, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x8ad, 0x0, 0xee00, 0x500, 0x8, 0x0, r4}) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="fa62044001000000"], 0x0, 0x0, 0x0}) fcntl$F_SET_FILE_RW_HINT(r3, 0x40e, &(0x7f0000000040)=0x7) [ 3381.083288][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x40000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3381.134070][T14919] binder: 14917:14919 unknown command 1074029306 [ 3381.199162][T14919] binder: 14917:14919 ioctl c0306201 200001c0 returned -22 [ 3381.246754][T14956] kvm: apic: phys broadcast and lowest prio [ 3381.261993][T14988] binder_alloc: binder_alloc_mmap_handler: 14917 20001000-20004000 already mapped failed -16 04:42:02 executing program 2: perf_event_open(&(0x7f0000000000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @dev}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fe, &(0x7f0000e68000)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x1e}}, 0x10) syz_genetlink_get_family_id$tipc2(&(0x7f0000000240)='TIPCv2\x00') setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000380)='ip_vti0\x00', 0x10) sendto$inet(r0, &(0x7f0000000180)="084a00ff02728e863898319d7b42699dd57a0ca1c9a93c9b7517e47c3449", 0x1e, 0x100000001, 0x0, 0x0) [ 3381.309320][T14957] binder_alloc: 14917: binder_alloc_buf, no vma [ 3381.349690][T14919] binder: BINDER_SET_CONTEXT_MGR already set 04:42:02 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x80ffff}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3381.398086][T14957] binder: 14917:14957 transaction failed 29189/-3, size 24-8 line 3147 [ 3381.419196][T14919] binder: 14917:14919 ioctl 40046207 0 returned -16 [ 3381.462481][T14919] binder: 14917:14919 unknown command 1074029306 [ 3381.462716][T15669] binder: release 14917:14919 transaction 572 out, still active [ 3381.480011][T14919] binder: 14917:14919 ioctl c0306201 200001c0 returned -22 [ 3381.489872][T15669] binder: unexpected work type, 4, not freed [ 3381.495895][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3381.560760][T15669] binder: undelivered TRANSACTION_ERROR: 29189 [ 3381.582504][T15669] binder: send failed reply for transaction 572, target dead 04:42:02 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000280)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-224-generic\x00'}, 0x58) r1 = accept$alg(r0, 0x0, 0x0) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) 04:42:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x800) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20031, r1, 0x0) r2 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x4, 0x800) ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000040)=0x18) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3381.610526][T15113] kvm: apic: phys broadcast and lowest prio 04:42:03 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpu.stat\x00', 0x0, 0x0) ioctl$KVM_ASSIGN_DEV_IRQ(r3, 0x4040ae70, &(0x7f0000000040)={0x4, 0x3, 0xfffffffffffffffe, 0x300}) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x1000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x68000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3381.815006][T15257] binder_alloc: 15185: binder_alloc_buf, no vma 04:42:03 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000280)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-224-generic\x00'}, 0x58) r1 = accept$alg(r0, 0x0, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) [ 3381.869210][T15257] binder: 15185:15257 transaction failed 29189/-3, size 24-8 line 3147 [ 3381.883463][T15341] binder: 15185:15341 Release 1 refcount change on invalid ref 1 ret -22 04:42:03 executing program 2: r0 = socket$inet6(0xa, 0x2, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x14e24}, 0x1c) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000180)={{}, 0x0, 0x0, 'id0\x00', 'timer1\x00', 0x0, 0x0, 0x8, 0x2}) recvmmsg(r0, &(0x7f0000000200), 0x38c, 0x0, 0x0) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x4e24}, 0x1c) sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0) [ 3381.948332][T15341] binder_alloc: 15185: binder_alloc_buf, no vma [ 3381.978008][T15257] binder: BINDER_SET_CONTEXT_MGR already set 04:42:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x2000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3382.007697][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3382.015391][T15257] binder: 15185:15257 ioctl 40046207 0 returned -16 [ 3382.034327][T15341] binder: 15185:15341 transaction failed 29189/-3, size 24-8 line 3147 [ 3382.045919][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x8000000000000000) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) sendmsg$kcm(r0, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000640)=[{&(0x7f00000000c0)="10ccf94278aec293171ea2", 0xb}, {&(0x7f0000000200)="05cd67cff7cbd4d29160965daba8a586f6ad9da9252d7bad299b811bf702fa95193aaf8a11effadfda8575bed303e918f7913707caa6b30a5aa08bcde0eaa49b37709c448ec98cf682a577272ed05871bcb38f195d4031e315e48df75efbcdf4b7a69e9c13d8878373fe047db2f46bc3def74ab9b260dcace0f84ab95774edbdfd3fdba555374783e01718a5b86eb6e1041aa80de5cb89648de3309327491492cea91c7a9bf88154db0bbc4aa77a138ad2ffe47279324d63509d804f4ff8ae92deab967e8ce6", 0xc6}, {&(0x7f0000000100)="83ee05cb2618b181bc4aae422183c7834af4d25a6113d9b0c43d00f7c65a42a51d327d72e4f9b07ecc025d9635cb98bd2c58b4b9de55797bbd746b7eac40b2c6fc89b7660bc63be2fbccb4aae1128950018d4cb9765684a450bb69de0a6d7e54c79e8492657bfd1752c1a48bcd8c75ba2f02f04b0ad7a30c821725c539dbb0f634ae5488f78f9c2199de42b3764d9a9ff61f9c230cbb", 0x96}, {&(0x7f0000000300)="ff3e4908f1de9e8cd5b71e2c0b5c042d3273e99340f5676449023b4bd3be221b72ec5c2001fefe098bbe4aec251584cecc8beeb7f3e22fae114c6569390fa42fa390f5e2a9aefa811885716fc2ece76df6324638021b7a24de7922b1b1057829e2c32772e2a678ae34e29e4f8f71a374ca1631733e9add84149f130de7f75c37a4e12d9767ca8838941414385b6981f3f87e88c58c1b5bbc8014f1ff9488d5710fb3d31331921236f49bbebd911f389f57d497eab8d3df0f5d04d1f1f8e1b24edfe49824faea100a", 0xc8}, {&(0x7f00000005c0)="dbe62c9d7874cf3f71c66c1d1486a38602cdd7eb35b0ff0b501ba936568a05b31a78", 0x22}, {&(0x7f0000000600)="4e11673de89d430d5351580dbd956a8968d50d8748dffb3654ca45c9", 0x1c}], 0x6, &(0x7f00000006c0)=[{0x30, 0x103, 0x0, "a7cdb919c22496b3b84463e4731b7add231d062464ca4f59223d930f2b5c9e8a"}, {0x28, 0x10d, 0x7, "5b557aad7587a7d63f1cbedaf5c2334801d027"}], 0x58}, 0x4000) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) mmap$binder(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x1, 0x10, r1, 0x0) r2 = getpid() signalfd(r0, &(0x7f0000000780)={0x50f0}, 0x8) r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000080)='cgroup.stat\x00', 0x0, 0x0) ioctl$TUNATTACHFILTER(r3, 0x401054d5, &(0x7f0000000480)={0x3, &(0x7f0000000440)=[{0x7, 0x4d, 0x7da, 0x2}, {0x9, 0x12, 0x200, 0x8}, {0x2, 0x3f, 0x7, 0x5}]}) syz_open_procfs(r2, &(0x7f0000000000)='personality\x00') ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000040)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:03 executing program 2: [ 3382.196774][T15542] binder: 15527:15542 Release 1 refcount change on invalid ref 1 ret -22 [ 3382.231024][T15535] kvm: apic: phys broadcast and lowest prio 04:42:03 executing program 0: [ 3382.250754][T15564] binder_alloc: binder_alloc_mmap_handler: 15527 20001000-20004000 already mapped failed -16 04:42:03 executing program 2: unshare(0x600) eventfd(0x0) pselect6(0x40, &(0x7f0000000000)={0x8}, 0x0, 0x0, &(0x7f0000000340)={0x0, 0x1c9c380}, 0x0) 04:42:03 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x3000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3382.360197][T15568] binder: BINDER_SET_CONTEXT_MGR already set [ 3382.395977][T15568] binder: 15527:15568 ioctl 40046207 0 returned -16 04:42:03 executing program 0: clone(0x20002100, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getrandom(&(0x7f0000000280)=""/123, 0x7b, 0x2) [ 3382.442292][T15564] binder: 15527:15564 Release 1 refcount change on invalid ref 1 ret -22 [ 3382.541521][T15595] kvm: apic: phys broadcast and lowest prio 04:42:04 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) r4 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/backup_only\x00', 0x2, 0x0) clone(0x222d0000, &(0x7f0000000140)="f96b3be44f00c84989325dbc218cb02be8b50a5d3e6341c75f297c64d8891be0f0a36700bbaaf417dc029f7b8eabe0b292b03e3e404fbd13a826fae9d67406ea3106fe5d75edf2c1fcc829c705c1f1cd8035f65bada62bc29da3f99cc41a59ad14418a2b86a33e1218e307c78b149f2341b9e7bd0d", &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000340)="40ce05afa617d255d0efd9f59c0d7a69b19f12c7582a6f825c32c802e876ebbf69913db92417b7c179e6a3f8de6fec03b143b89a7d8be3b75a3fa93a5255d3643d7d3af7e1ee") getsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000400)={{{@in6=@dev, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}}}, &(0x7f0000000500)=0xe8) bind$inet6(r1, &(0x7f0000000240)={0xa, 0x4e22, 0x100000001, @dev={0xfe, 0x80, [], 0x17}, 0x1000}, 0x1c) sendmsg$xdp(r3, &(0x7f00000008c0)={&(0x7f0000000540)={0x2c, 0x3, r5, 0x3d}, 0x10, &(0x7f0000000880)=[{&(0x7f0000000580)="67d11b9f2414902d42d99daaa4bb3cfb373935895c00f46772d6be8909311a98ee80eb36204092b2918be24e09ee25da64b7eebf976b6198e4bcb206ac002b915f67a71d0164c0f65811bd97657f5a970ce86db60e7d32fd0dfabbbe81ca1871782b68c1f2", 0x65}, {&(0x7f0000000600)="0c49e7fd9459c9404ccc990c3373c1ba01bee062991f3acbb849ec110c2c1cabeed5c1b9e2b000ba6ea0aba61b2af192de9ba8d1cd1dfce8d24ea9607f4a094fc2ccd84008d7fbb6e9796c600561e61db973baabd5757324bbaba554f65c2f96be9e9aac9505ce2d2b5c8d423a5a50458ae68eeab4310195332afa29e9db76af7e94515a98ad27d2d348a0d6f2fcb40e8c3d1820587ee34b03ece040e9cf8bbfbf6ffee0ce17fb871584235391", 0xad}, {&(0x7f00000006c0)="89e05585fff4bc5160b26b58d04b185aeba7c93e67d4bdc3c97621fb81600ad05edee0ef0d77bfdee1d27384778c5193ff1e4d8af2918e75426ddd3f15734c5339882e8a5a1a021adc3795a0d4c39d217df5c509000d8760ca8b364f1a7a734c88e2288b4d989d39cb47163aed56590f6c31e83b5322740c78b4cb3b6d868104ca5e05fcb875874f05b5dd3ac8adbb3cc79133238788c0d1a2237c9dc9e9f0672b878582f1389a3bbcee8e2c1381511334", 0xb1}, {&(0x7f0000000780)="6780043dc44fa96969a38623aa82019e000edae887b7a1f79b1d4d4c0d3990216758f5117f1be48e7fcc1e24cb27f7e4ae3e2d62963e762cc5c3f81ff69368cadb9857fc81a5f27a456f2c926c52c86f1fc496a03ae68cab70ac4299a70ba67ba4958e73a9cfb2e9a3aa2e80f03092d97c6b3fcf4230d48e5f909703a1c6658e1b0feff766ffe43524e6576356ef20c1fa15f7f6465e0d0253a6a18f2dd733d3459716395411c0f2a0c92b10f73b7ecf3a1ba575e1b5c2578fac2d05d76b31317a737301f1b906aea64eee3dcb1e37943c7fb3d4731fd2cca02e7dd91587f66b7b120d9338736becb7faabc837834fb4eea0f938fc0be56e311f96fd", 0xfc}], 0x4, 0x0, 0x0, 0x10}, 0x40000) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r3, 0x84, 0x71, &(0x7f0000000040)={0x0, 0x2ab}, &(0x7f0000000080)=0x8) ioctl$SCSI_IOCTL_DOORUNLOCK(r4, 0x5381) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r4, 0x84, 0xa, &(0x7f00000000c0)={0x6a, 0x4, 0x8207, 0x5, 0xffffffff, 0x1c9c, 0x73a2, 0x1ff, r6}, &(0x7f0000000100)=0x20) 04:42:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x9ad239d, 0x40800) bind$isdn_base(r2, &(0x7f0000000040)={0x22, 0x0, 0x1ff, 0x2, 0x5}, 0x6) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:04 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x8dffffff, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:04 executing program 2: r0 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @dev, 0x5}, 0x1c) writev(r0, &(0x7f0000000180)=[{&(0x7f0000000280)="9e", 0x1}], 0x1) [ 3382.872445][T15731] binder_alloc: binder_alloc_mmap_handler: 15691 20001000-20004000 already mapped failed -16 [ 3382.890911][T15695] kvm: apic: phys broadcast and lowest prio [ 3382.903251][T15693] binder: BINDER_SET_CONTEXT_MGR already set [ 3382.924056][T15693] binder: 15691:15693 ioctl 40046207 0 returned -16 [ 3382.946411][T15731] binder_alloc: 15691: binder_alloc_buf, no vma [ 3382.953036][T15731] binder: 15691:15731 transaction failed 29189/-3, size 24-8 line 3147 04:42:04 executing program 2: clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) getrandom(&(0x7f0000000280)=""/123, 0x7b, 0x2) 04:42:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x5000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3382.983189][T11475] binder: release 15691:15693 transaction 581 out, still active [ 3382.991796][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3383.000418][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3383.022340][T11475] binder: send failed reply for transaction 581, target dead 04:42:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/loop-control\x00', 0x40000, 0x0) [ 3383.170851][T15811] kvm: apic: phys broadcast and lowest prio [ 3383.222198][T15836] binder_alloc: binder_alloc_mmap_handler: 15824 20001000-20004000 already mapped failed -16 [ 3383.267421][T15829] binder: BINDER_SET_CONTEXT_MGR already set 04:42:04 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3383.311191][T15829] binder: 15824:15829 ioctl 40046207 0 returned -16 [ 3383.376111][T15962] binder_alloc: 15824: binder_alloc_buf, no vma [ 3383.397002][T15962] binder: 15824:15962 transaction failed 29189/-3, size 24-8 line 3147 04:42:04 executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @remote, 0xffffffff}, 0x1c) [ 3383.438995][T15836] binder: 15824:15836 Release 1 refcount change on invalid ref 1 ret -22 04:42:04 executing program 0: pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$nl_route(0xffffffffffffffff, &(0x7f000000a000)={&(0x7f0000010ff4), 0xc, &(0x7f0000012000)={0x0}}, 0x0) write(r1, &(0x7f00000001c0), 0xfffffef3) read(r0, &(0x7f0000000200)=""/250, 0x50c7e3e3) r2 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r2, &(0x7f0000000080)={0xa, 0x4e24, 0x0, @ipv4={[], [], @loopback}}, 0x1c) sendmmsg(r2, &(0x7f00000092c0), 0x622, 0x0) [ 3383.510324][T16020] kvm: apic: phys broadcast and lowest prio [ 3383.538687][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3383.559701][T11475] binder: send failed reply for transaction 586 to 15824:15829 04:42:04 executing program 2: [ 3383.621285][T11475] binder: undelivered TRANSACTION_COMPLETE 04:42:05 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r3 = syz_open_dev$dspn(0x0, 0x0, 0x0) stat(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000000140)=0x0, &(0x7f0000000180), &(0x7f00000001c0)) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='fuse\x00', 0x4, &(0x7f0000000340)={{'fd', 0x3d, r3}, 0x2c, {'rootmode'}, 0x2c, {'user_id', 0x3d, r4}, 0x2c, {'group_id', 0x3d, r5}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x8000}}, {@blksize={'blksize', 0x3d, 0xc00}}, {@blksize={'blksize', 0x3d, 0x800}}, {@allow_other='allow_other'}, {@default_permissions='default_permissions'}, {@default_permissions='default_permissions'}], [{@fsname={'fsname', 0x3d, 'GPL\\-'}}]}}) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x9, 0x151000) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f0000000040)={0x0, @in6={{0xa, 0x4e21, 0x6, @remote, 0x8}}}, &(0x7f0000000100)=0x84) ioctl$UI_END_FF_UPLOAD(r2, 0x406855c9, &(0x7f0000000280)={0x0, 0xc00, {0x54, 0x1, 0x1f, {0x100, 0x10000}, {0xe000000000, 0xffffffff}, @ramp={0x5, 0x5, {0x7f, 0x1, 0x1000}}}, {0x55, 0x0, 0xcb, {0x4, 0x8001}, {0x40, 0x5}, @cond=[{0x24000, 0x1, 0xffffffffffffff80, 0x7, 0x5, 0x4fea3b43}, {0xdcb, 0x7fffffff, 0x6, 0x116, 0x8, 0x5}]}}) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO(r2, 0x84, 0xf, &(0x7f0000000540)={r3, @in={{0x2, 0x4e20, @local}}, 0x5, 0x0, 0x100, 0x8, 0x8}, &(0x7f0000000140)=0x98) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$KVM_X86_GET_MCE_CAP_SUPPORTED(r2, 0x8008ae9d, &(0x7f0000000180)=""/39) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="06630440d5010000"], 0x0, 0x0, 0x0}) [ 3383.912694][T16125] binder: 16124:16125 Release 1 refcount change on invalid ref 469 ret -22 04:42:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xb80b0000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:05 executing program 2: [ 3383.954378][T16125] binder: BINDER_SET_CONTEXT_MGR already set 04:42:05 executing program 0: [ 3384.003064][T16152] binder: 16124:16152 Release 1 refcount change on invalid ref 469 ret -22 [ 3384.015127][T16147] kvm: apic: phys broadcast and lowest prio [ 3384.020658][T16125] binder: 16124:16125 ioctl 40046207 0 returned -16 [ 3384.028651][T15669] binder: release 16124:16125 transaction 591 out, still active 04:42:05 executing program 2: [ 3384.057155][T15669] binder: unexpected work type, 4, not freed [ 3384.086874][T15669] binder: undelivered TRANSACTION_COMPLETE 04:42:05 executing program 0: 04:42:05 executing program 2: [ 3384.105672][T15669] binder: send failed reply for transaction 591, target dead 04:42:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20015, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="cdf6315f3a704e19", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000180)={0x100, 0x0, &(0x7f0000000540)=[@increfs={0x40046304, 0x3}, @reply={0x40406301, {0x0, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000000), 0x0}}, @reply={0x40406301, {0x3, 0x0, 0x4, 0x0, 0x11, 0x0, 0x0, 0x48, 0x10, &(0x7f0000000080)=[@fda={0x66646185, 0x5, 0x4, 0xb}, @ptr={0x70742a85, 0x0, &(0x7f0000000040), 0x1, 0x1, 0x1e}], &(0x7f0000000100)=[0x58, 0x48]}}, @request_death={0x400c630e, 0x1, 0x1}, @exit_looper, @transaction={0x40406300, {0x3, 0x0, 0x3, 0x0, 0x1, 0x0, 0x0, 0x48, 0x50, &(0x7f0000000280)=[@fda={0x66646185, 0x5, 0x4, 0x38}, @ptr={0x70742a85, 0x1, &(0x7f0000000140), 0x1, 0x4, 0xf}], &(0x7f0000000380)=[0x78, 0x28, 0x40, 0x38, 0x78, 0x18, 0x38, 0x38, 0x38, 0x28]}}, @clear_death={0x400c630f, 0x4, 0x2}, @release], 0x1000, 0x0, &(0x7f0000000640)="323eb2bace6ca765c9b2590370b523b10e0111ed8703f9612da8d08b1436aa0199d2238a109c5037194ffb5c38f6c0276897635fbf87e04d19f7426e3396b02943aacaa2940c744101e57a7774b0b3c512385893324a684951300c0d7c088c752473e54c058d6fc1cbba1aa797313ae446acdb5a6dc0b198303092baa8ac494b32df17e2ba560b33928313fbbead385050bf19ff04bba3df1444ca887f0259ad31739a3e09fb5610614d80e1d6174c90d799e7093e722be578d74aa2202915fef98588d915365a60b4770a639109c8f2a578163b47591bdbb3e929cd90351dad0ae3cb9ea38a4a5057b0afce4845aba39b7f566137aab7daebfbc60343544009fbfaeb2855556a6b3bca4d50e0d93749e5c2c2883c4ff5474c3f40f37c57d983bd1230f68bbf70192f23d930c68484c483aa55e4fc995f2fc19f8f2b42164c8104e81d5695b93845fe4b13a279906ec29181abc7221b0db64e9dd64824b6fe9345b2e1fc2a5bec682379e27ce6db8c112c0740885064db80fe66817e5efd936dfb3e2ccb972d3d4132d96934cd852dd03b71f34679ba0c5a039a4785fa5ebd54dcb870b1f0d06b438fa4b6ca3db2cba7c5ba36987783ed7d0f545177ae63f902f56ac86a8fb68ea9e12aad431ff2356089d5adb70b09bedbe345b9aca0189199db4006ac4b048f6cc0a784dccf4390c373dd809ebfa10a981ff6a89c616a36d0d4dba5d7db4b845799a5c2eee61f98b66acbab9d8b990159b8ecbaefbf6c15b45055e052a2a2da12dcfad7565ab3e7ee9164e32495861625da8e5049a3b715e376e5435ab2aebc70464e9d3aaa56cce64dc3814784fee8008327d4884695dca100433c7934c980d669a7a147fd48680d9557a0680024bd1910f404f6b290dd25e350925125a09cf4d0fac3ba741f24fb045e9dec53777a563975489ccb7eaf717b05148752eefc0e3f7e11bc36ad24cf8d354ba2fc591abd749cb132d3c927ef1aaa073c25e744b83729fce9a8e84740afd0c5352a414fbeda74e455f0693d6740a0b7670d173c515ff740775ad969e158f43f0b67eee3a4b08b3003df29f0c2370e1b899a15b16be6a0d77eb3aefb0d6abbe4e44a0730fd2ee347e318fc1d913bf3a4c1d3e5fab5d0c3504bf8875fbb2c669128abbd7d8efc05c8678b7861f2d15d0387afdfd66ed5895c998e4f5bb163cd477b046a88a86b0d52e08feb60c7e139ecd69cee6924cad077b5627edfc264c3cb78c82911cc16a99b1e9fd7cb251fc64e2b28703eed3dea24cb7b365561cf38358eea85d05e94602505d0c1a128e321b432a58cbc79a14d17c12d3a4040f326cd36a260a44aac16c63672344169826e3275fee8c13d365618970e5fdb54f65b3257a10167421fb8a85ae63b55427edb9c5c626782819843a9b2db1e3979d933e631211a7140eca77c3ad6172d4599c8a52fdbd332734866566db5aad1b57c6da6930c8792c0c0381786e1acb0f0783226739ad8b01227db2767d54d5ca767e9aab0ca92c1defa8970f06389213afb3312dc2d3a2a3e3581e298ab1b3cd5cf51fcc229b978f6647d25be04c51f2f8c08a422c689c1224d2efc39ff27a1cb928dd677709e48221185bf362277332f1845166e1ba33cedc7edfff5d286c55c8a03ebe3b23e95187b8e33c882901acc461393e73da6f517ac319ad05c9ca8efec656839318e8c3fa076d55e5709db41832f9f010023370ef14e5dc47edb41d7c123d73299bc02d2313b4dca28eb84bea588ac58f73df5383de2731d790a365aa01bc7efd3ddbdbbf7e0e074308a8fb57eedbb391f1d29b1bffd63b2e8fae7ba7be46ba289f590a60ff9992937dd99eb6083a9cc7a5040caeabc21c06e29ed5fc13d6750b4e9978a860c3117d013b59d471e50b8c807e320d53b01cacacd6b792e3a3e7aca11dfdaca6684c1c19bde73e4ebdb96d8da255e963cfcd96cffd289eb70ecef29f786ef06951114351db9dcbf374ea95c6a5419e561d0b8be81326095a96dc12c993139f290558b6e347897ba8e8a9ac288ac6ba2d827c217de417d998d8e9852c64f6124ff112abbbd648928d83b05289ab3570f182b37dc36cc3f054fa8682a11ef4db78c6cfd9b4a00619d104fffa3d7a940bc5606c8017d4c53f6da1796ddc89b8a9862e843df1b331a7c554e6d7b90565f080ea20dae71ca83db4c245d99c468d6c88634d6e72a646a29ad5a6a8a4a33c6fd2891a78812318f4793db4bcde2935f82921607fbc46b6b3b5d9ac9b8376b2fce2fbe0c350a8d8fd12e5072d33947cfc75175d8e2f8120442d46a1a4dfd84274120d43a6b93515be18a7ee71d6b9ae596aec2de861df04bbb11e487c7da09aecb2dfde76292c420c569e8193c1e484ea356523442dfbb2e93a8869bfc56d867bad42800a6ab0a47e9b651b3543a7e11e9c7972c87360dcd853eb0542113e89d8f213911525d89f616fe4faca471bdc4dccf4f4daf0f66e5841bbec40b67ffb73bb7823f8361a68b6488f3013e39f025cef01e89581c4993668ac2543dd2df48bb333244e0870a1f7fe58f7ffc08cff7d5de6dfa178ab24eb27a4d2580d0d25a25264ab3b12901268d00e0f4268d1d64024af2ba930dd1d718f3ebd388c31ad042f6af9011321e0b86024d6ea675f36210aea3ef96c5bf0c7d8c677090fdea07cd2a045ed3c9b38de9ae76f410dda39420da4a0b17047fb1df8b57f9385d3584a1b86e3107737db289226299705e648fbafc45cdfb18300c3f1621b0201f3e1d89a4201c01ad59ea69d22351acdb31a2cd3e96ea9c851fee32c44c298e7a99154ee6a1032c5abff83e712dda4ba803ef32a1366f2e0b3a482e65a8ac16f88aa325ac870dcee26ffc8ff2ddea5d3da0f2479042f173fcf8601aef23b689eba592fdf6b336679a99e321f522141b8c330447cd5eee02441032f7bbebb71aaf5fdf0f00164931e4c9b89d5ae37837701e8ae69223e6fdb28a9f36dc0083cccfcdd9bb0812f438e060c7b1308ac89b234db3332a3a8eab454d9a60d570c8fefdd4fc71b2bc526161489a58a2ea0134f8d3b28d0200ec883733dc3b4318013e43a4a1bcb282d31e4994c645bad624dbccbdb817b8bf6af573deb80f23ec1ad1dc8d33bf79097ad888a7023b9088f5e968ef066fff7d031514b19cbed3ed704e300272c3a179017deee00078b1ac6a95295f30c310c527211da67b0a23f8f4b55556ce1c2f899901f32c00b1167ee4ca5f472df978e1c9ed8a1003a5158dd94036a45ac76f91e99c7d43e2176ba377f108fc8e5a95233b6c75681f21d2494328042ac32681deb04c8b3b263047688f29d7743caf5e4ec55997c94ed35c1eeedf3628594269d1a647a43def272add3ebdbcf59ccada926b108173c7517485c79b7b6b09e7666f1a16b564cd80f0546cd1cef4aadadeadd3dc14affa15a5c76bd10752f9d8d8b5b2168a5ec1dd1b383e8e5ba8a6ebaf6c15e0ef20adba308d5ee8f69dffaec748d19c147e65bb5d919290c43f9de16369a0409794248ea20019f2d46fbd31745d50ccc8a19a4a35c7fd4ef2c5234d0dad9005fca0bf8cd0aae5c8caae01e83241cd9a9ecf2f9d6cbc695319e410cb62fd85b132ff6c16d3c69e04097dd1d21a94e276467579d6c86639b571d872995d5a2d6ebb6c76a7639531f18b1d4a75fb984f952c6ea6904eac95eb2bf35d655cf00dbb86d3698bd9f37f88b37a9ae9376c1da8c9935840b0467c2c7f2870e9855a45a3400558de4be06729624ff3937d10f905aa6494bc7489a054cf7fb3d64655725f26e75b886ba76e1c30ae03abf128deb7a5cc4d55f81efedcef92398bfcbeb264a129949ddd9f050e5c3563affda4a4f540b7d2dd44f9298235aad02ae856f416e9aedf3a2b25908f64c0b1509db5ca028832ecc778a33511c687fdbf3260e68800a5ddde62360641f29381d6d0e0cbd99ac2e57963f485b18583c5baa89c37407956df5289878e46e14da48ad5dcd50d59343afc9fc9b007f30fedd04f1daaf628e3344dc338b46ab8e49c14125ed71b4ebce52753cd2b5a51bce15b3a23b96c3ba778c9894261ea41fa108ceef6f200e886857f09bebedecfe17312ca0159a8b8cd386dce8a86b2d0daefe07b6ef7c2e6231cc481c3d26f26f1a988b6b87c6e6dc9866605b7b1a47e93a634b5f6a1fd9a4d18a3f1fad046906d5d62f9b7827580f49fa974e7fd340449d5a25ca30656a29051be7a1b5cc104f9ff3e4169b52668080946620b94a4ed3f92379a036ca97ab62fcf8e98f65e840f9b90fd7191dfb18348928ee4753d63bf60d574e47670e6c182f917a1c562e9997e3142e5c1bbfa477c1507c2dc7c4f85318d0279384bbfde123ce41c1752857f2e07f4761d6da27ec3ddfcb8bb8576b141612e9fea7298c32d6915c186a62fdb32a9c2a364d3bb0e49b5d23895f50853a4139d07bd573b6b45e586f3967bcf52c6728a73a72400549d5946a8c2c85ca0b38ea7ad78a01d32a301d4073ff88b43744c3aa8ddb32f5dca7f59b2b45e8d7166a521064ea9dc145ad4139ba3dd98dbf80224c2b227d103d8f297708284c02a5694ce175f4b09d93450eff1137d5d74325afda146475bfa6e9c9fe145bf11f78d7c4e3b6e5f8bfdc47dcf03606424a115d88c0c629291d63f9a77fdb4270c88ba8cb8db2837abffd941b08dc065cf9d4a5c93274817997a5f5f981caf22984d497cd6e7db0172cc24c10f3044122620b01ae3f79022fa9e193e6274ac7c1336cfccbcbe78a5a08f453c8131ca810d737073c21427ea1776a28fa01c02793ab1b2028a8e7dfe96a187aca958ea1b78ce0d4dafd44737ae1abdcf6c143977c873dd9b4f608101593b503d22f6afb6d7497002ab51a3a083517f67398871f7dd275887ab11c42c7014851d4d840d061a6ecca0c8da728a5055dee3177485e5d7a868e7f817c29aae5783e2b0554e5265343c219628bf1818424703da76a4e4584c55aec9f4642c6a77bef05f72516cb0ba7f4435cbaadc281164ca3481a8dff7cad5cbce2d0afddfaa793095484345956aeab4433a51a92b4ba84e28aec1c4aea53fa7ff9a7deaa8ea39d97bf5deb31b978b8ae58b0e440a7b1287cda4d53251b9574a1e50a10bd9296ea7d658d2308baec7cd3d4e9e2929e922d420f76e2e416d49e55738840dac996fb931657fec13b8e2f4e84b49774613b78f6e86d43aa0aa5b10c7e81f0615c057a1eb8367bff6f77bd1116cce24801c184df5dd7c266718aa9fa295c33c63b1ba9528c02fa1d30fd11a2a0fe5803ab9c95756e37a155abf8169a88632aef5963b65d7adf054389e1af35ba03cc2ef4bb0ca8b731dabf218c2e4ce0ec9dc4abc431b0a196e2f28cc998f56a7a8938a34f718a314d0dedd165fa04a837487f082e57766d85f40bbf0cdfa8d8155db00b89d10a017cc0470ebffb9cba3865b83609b983f3c2c1f39e1ff3d4945e1d9e41787d8bbc1b4efaba814dac654ea9941cff8e28a2d08f9d36791e45680e333e119c3e6a58b80dfb8463b7fa966854928032ad361e05c3ecb8ccadc0c9f501e880bf907d5e18717395c35b8dcc34dbb436ad4c6bfb399fb5a50c43e07570a1aa52efeb91597ff7af6c6c3379089126eb3c5589a7fc05f899ad88c6cb3ca80dbb205415ab12b3a695285125ca8a70e7b21c26673af41fef3e3670c303eefbde1c9b265a77a1024b9c815396a53dca295fd3f88d3c13b2af5f4631b6d3572ae4c2dca237da47c104c57805344a11bd318a80f52459db01bea4caab7277bbd0dc5dccf66"}) 04:42:05 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x20000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3384.240949][T16165] binder: 16163:16165 Release 1 refcount change on invalid ref 1 ret -22 04:42:05 executing program 2: [ 3384.301596][T16169] binder: 16163:16169 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 3384.341064][T16168] kvm: apic: phys broadcast and lowest prio [ 3384.351944][T16169] binder: 16163:16169 got reply transaction with no transaction stack [ 3384.365233][T16169] binder_transaction: 2 callbacks suppressed [ 3384.365251][T16169] binder: 16163:16169 transaction failed 29201/-71, size 0-0 line 2899 [ 3384.452411][T16169] binder: BINDER_SET_CONTEXT_MGR already set [ 3384.492799][T16169] binder: 16163:16169 ioctl 40046207 0 returned -16 [ 3384.532212][T16165] binder: 16163:16165 Release 1 refcount change on invalid ref 1 ret -22 [ 3384.556474][T16175] binder_alloc_new_buf_locked: 2 callbacks suppressed [ 3384.556484][T16175] binder_alloc: 16163: binder_alloc_buf, no vma [ 3384.563188][T16178] binder: 16163:16178 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 3384.576160][T16175] binder: 16163:16175 transaction failed 29189/-3, size 24-8 line 3147 [ 3384.601272][T16178] binder: 16163:16178 got reply transaction with no transaction stack [ 3384.612454][T16178] binder: 16163:16178 transaction failed 29201/-71, size 0-0 line 2899 04:42:06 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x80) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r1 = getpid() perf_event_open(&(0x7f0000000080)={0x7, 0x70, 0x9, 0x7, 0x5, 0xd62, 0x0, 0x1, 0x40000, 0x0, 0x7, 0x0, 0x40, 0x5, 0x7, 0x58, 0x8, 0x6, 0xfbba, 0x7, 0xfffffffffffffe00, 0x6, 0x2, 0x0, 0xa, 0x7, 0x80000001, 0x0, 0x2, 0x3, 0x4, 0x6, 0x3, 0x6, 0xf3, 0x0, 0x100000000, 0x1000, 0x0, 0x7ff, 0x1, @perf_bp={&(0x7f0000000040), 0x3}, 0x20001, 0x40, 0x5, 0x7, 0x80000001, 0x7, 0x3}, r1, 0x3, 0xffffffffffffffff, 0x1) listen(r0, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) ioctl$sock_bt_bnep_BNEPCONNADD(r3, 0x400442c8, &(0x7f0000000100)=ANY=[@ANYRES32=r3, @ANYBLOB="0700000009003969b406d4518e0fcc8a843395b7aa83c35664fbdc98d6c1d33d324212699ac4efb46f96d6f4431d731968f839dca731929e1dcd1a352c71aba7f31913353f3b6d2895194d56d275209a90f5df04a7881d247372dfd739065374a98b14ff9586a0120ba92d8dad6cb399dc2a3ca405ef667ae60cec32ebc8e059d012a341651cfd6d2ff21cd5dc236fbf49d5d8e52bc94284fbe450"]) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:06 executing program 0: 04:42:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x48000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:06 executing program 2: 04:42:06 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe8030000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) prctl$PR_SET_TSC(0x1a, 0x3) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:06 executing program 2: [ 3384.811612][T16191] binder_alloc: binder_alloc_mmap_handler: 16186 20001000-20004000 already mapped failed -16 04:42:06 executing program 0: [ 3384.852418][T16187] binder: BINDER_SET_CONTEXT_MGR already set 04:42:06 executing program 2: [ 3384.915506][T16202] binder: 16186:16202 Release 1 refcount change on invalid ref 1 ret -22 [ 3384.924523][T16191] binder_alloc: 16186: binder_alloc_buf, no vma [ 3384.974516][T11475] binder: release 16186:16187 transaction 601 out, still active [ 3384.990097][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3385.009730][T16187] binder: 16186:16187 ioctl 40046207 0 returned -16 04:42:06 executing program 0: [ 3385.024160][T11475] binder: send failed reply for transaction 601, target dead 04:42:06 executing program 2: 04:42:06 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) mprotect(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x0) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback, 0x3}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3385.069682][T16191] binder: 16186:16191 transaction failed 29189/-3, size 24-8 line 3147 [ 3385.084296][T15669] binder_release_work: 4 callbacks suppressed [ 3385.084304][T15669] binder: undelivered TRANSACTION_ERROR: 29189 04:42:06 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4c000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="006340400000000000000000000000000000000000000000007cc8a7859d780eda00000018200000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:06 executing program 2: 04:42:06 executing program 0: [ 3385.320602][T16223] binder: 16221:16223 got transaction with invalid data ptr [ 3385.368717][T16223] binder: 16221:16223 transaction failed 29201/-14, size 8216-8 line 3179 [ 3385.422726][T16229] binder_alloc: binder_alloc_mmap_handler: 16221 20001000-20004000 already mapped failed -16 [ 3385.456252][T16223] binder: BINDER_SET_CONTEXT_MGR already set [ 3385.472253][T16223] binder: 16221:16223 ioctl 40046207 0 returned -16 [ 3385.492124][T16229] binder_alloc: 16221: binder_alloc_buf, no vma [ 3385.508638][T15669] binder: undelivered TRANSACTION_ERROR: 29201 [ 3385.515936][T16229] binder: 16221:16229 transaction failed 29189/-3, size 8216-8 line 3147 [ 3385.555782][T15669] binder: undelivered TRANSACTION_ERROR: 29189 04:42:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xf4010000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:07 executing program 2: 04:42:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x60000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:07 executing program 0: 04:42:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x48001, 0x0) ioctl$KVM_CHECK_EXTENSION_VM(r2, 0xae03, 0x8000) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) ioctl$UI_SET_KEYBIT(r2, 0x40045565, 0x278) 04:42:07 executing program 0: 04:42:07 executing program 2: [ 3385.812671][T16243] binder_alloc: binder_alloc_mmap_handler: 16239 20001000-20004000 already mapped failed -16 [ 3385.879586][T16241] binder: BINDER_SET_CONTEXT_MGR already set [ 3385.930388][T16241] binder: 16239:16241 ioctl 40046207 0 returned -16 [ 3385.952700][T16250] binder_alloc: 16239: binder_alloc_buf, no vma [ 3385.975698][T11475] binder: release 16239:16241 transaction 609 out, still active [ 3385.985045][T16250] binder: 16239:16250 transaction failed 29189/-3, size 24-8 line 3147 [ 3386.011358][T11475] binder: undelivered TRANSACTION_COMPLETE 04:42:07 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x101, &(0x7f0000000000)) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x2) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) r3 = syz_open_dev$amidi(&(0x7f0000000180)='/dev/amidi#\x00', 0xdc00000000000000, 0x2) ioctl$KVM_SET_PIT2(r3, 0x4070aea0, &(0x7f00000001c0)={[{0x100, 0x6, 0x6, 0x8, 0x1f, 0x3, 0x80000001, 0x8, 0x200, 0x7ff, 0xa6bd, 0x1}, {0xfffffffffffffff8, 0x2, 0x80000001, 0x6, 0x10001, 0x3, 0x0, 0x5, 0x3f, 0x3, 0x677, 0x7, 0xfffffffffffffffa}, {0x5, 0x6, 0x4, 0x1, 0x5, 0xfffffffffffffd06, 0x4, 0x20, 0x7, 0xffffffff, 0x7, 0x4, 0x7}], 0x6}) io_setup(0x0, &(0x7f0000000040)) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000080)={0x0}, &(0x7f00000000c0)=0x8) getsockopt$inet_sctp_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000000100)={r4, 0x8fe5, 0x10, 0x20, 0x9, 0x3}, &(0x7f0000000140)=0x14) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:07 executing program 0: 04:42:07 executing program 2: 04:42:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x68000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3386.036013][T11475] binder: send failed reply for transaction 609, target dead 04:42:07 executing program 2: [ 3386.103218][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3386.206671][T16261] kvm: apic: phys broadcast and lowest prio 04:42:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xff000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x2) ioctl$int_out(r0, 0x5462, &(0x7f0000000040)) mmap(&(0x7f0000003000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000000c0)={0x2ff, 0x0, &(0x7f0000000100), 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="60d5f9847b9f9d3f78d3185efed2a12054102be1"], 0x0, 0x0, 0x0}) r2 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x80000) ioctl$BLKPG(r2, 0x1269, &(0x7f0000000200)={0x800, 0x7, 0xab, &(0x7f0000000100)="67055be1e66e8f7d134851041ee670da42fd8048bbaafb1bea0a7b09cb37cd1af72194901d0006c373c8f091a3c0e1673c7e7b7b6cea70fbec4001495dc622405693123069908fae42deede3487d1058636e0f909aa035b1a3404cc49fad6f2e83492730397dce738eb8534696f16372dc43fd06fa7c6092c881d1653d3d670c77dc3f82a9fb58ed2cb92dc1c0ca83f65760386e299453484850a957ed56bef5ae61bf639e1188937fd6ef"}) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, r1) 04:42:07 executing program 2: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000004, &(0x7f0000b63fe4), 0x1c) 04:42:07 executing program 0: 04:42:07 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6c000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:07 executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000d06000)=0x1, 0x32a) connect$inet(r0, &(0x7f0000000180)={0x2, 0x0, @local}, 0x10) setsockopt$sock_int(r0, 0x1, 0x25, &(0x7f00000001c0)=0x80000000, 0x4) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000040)=0x1, 0x4) sendto$inet(r0, &(0x7f0000000200)="af", 0x1, 0x0, 0x0, 0x0) sendmsg(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000100)='+', 0x1}], 0x1}, 0x0) [ 3386.635786][T16277] binder: 16270:16277 ioctl 5462 20000040 returned -22 [ 3386.645388][T16276] kvm: apic: phys broadcast and lowest prio [ 3386.671950][T16277] binder: 16270:16277 unknown command 0 04:42:07 executing program 2: r0 = creat(0x0, 0x1fe) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r0, 0x10e, 0x4, &(0x7f0000000180)=0x1ff, 0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe(&(0x7f0000000500)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) write$binfmt_misc(r2, &(0x7f0000000140)=ANY=[], 0x4240a2a0) socket$inet(0x2, 0x3, 0x1) setsockopt$inet_mreqn(r3, 0x0, 0x20, &(0x7f00000000c0)={@multicast1, @dev={0xac, 0x14, 0x14, 0x1e}}, 0xc) sched_setscheduler(0x0, 0x1, &(0x7f00000002c0)=0x5) getsockopt$inet_opts(0xffffffffffffffff, 0x0, 0xd, 0x0, &(0x7f0000000240)) connect$inet(r3, &(0x7f0000000040)={0x2, 0x0, @multicast1}, 0x10) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) splice(r1, 0x0, r3, 0x0, 0x810005, 0x0) sendmsg$TIPC_CMD_SET_NETID(0xffffffffffffffff, 0x0, 0x0) sendmsg$nl_xfrm(r1, &(0x7f0000000140)={&(0x7f0000000080), 0xc, 0x0, 0x1, 0x0, 0x0, 0x20000000}, 0x0) getsockopt$SO_COOKIE(0xffffffffffffffff, 0x1, 0x39, &(0x7f0000000000), &(0x7f0000000040)=0x8) sendmmsg$inet_sctp(0xffffffffffffffff, &(0x7f0000002bc0)=[{&(0x7f0000000000)=@in={0x2, 0x0, @local}, 0x10, &(0x7f0000000500)=[{&(0x7f00000001c0)}], 0x1}], 0x1, 0x0) ioctl$UI_DEV_CREATE(0xffffffffffffffff, 0x5501) [ 3386.679995][T16277] binder: 16270:16277 ioctl c0306201 200000c0 returned -22 [ 3386.702619][T16280] kvm: apic: phys broadcast and lowest prio [ 3386.741215][T16287] binder: 16270:16287 unknown command -2064001696 [ 3386.764709][T16287] binder: 16270:16287 ioctl c0306201 200001c0 returned -22 [ 3386.793635][T16287] binder: 16270:16287 ioctl 5462 20000040 returned -22 [ 3386.843919][T16362] binder: 16270:16362 unknown command -514128537 [ 3386.873682][T16362] binder: 16270:16362 ioctl c0306201 200000c0 returned -22 [ 3386.903356][T16277] binder: 16270:16277 unknown command -2064001696 [ 3386.941525][T16277] binder: 16270:16277 ioctl c0306201 200001c0 returned -22 04:42:08 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0xffffffffffffb07e, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, @perf_config_ext, 0xfffffffffffffffe}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) openat$cuse(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/cuse\x00', 0x2, 0x0) r1 = socket$inet6(0xa, 0x0, 0x8) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000200)='/dev/null\x00', 0x400, 0x0) ioctl$RTC_PLL_GET(r2, 0x80207011, &(0x7f0000000240)) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r1, 0x0, 0x0, 0x0) poll(&(0x7f0000000080)=[{r0, 0x400}, {r4}], 0x2, 0xfffffffffffffffd) getsockopt$inet6_IPV6_FLOWLABEL_MGR(r3, 0x29, 0x20, &(0x7f0000000000)={@loopback, 0x65, 0x2, 0xff, 0xc, 0x10000000, 0x8}, &(0x7f0000000040)=0x20) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r5 = syz_open_dev$dspn(0x0, 0x6, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000340)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x58}, 0x98) ioctl$EVIOCSMASK(r5, 0x40104593, &(0x7f0000000180)={0x17, 0x8d, &(0x7f00000000c0)="14f66f2fd818401021da796cb0f0e2c6abbbbfa0991f6815273a9a14da818218e53545f952216eb394cf2f80b89cbad9e67d4efc4e5429f97fdbb5b642f50d670cf2ae47abf4413a72c1ad97ba4a73d144db7e312400d42842bb1a2aae050c0a1cadf84fa6fd7a6df7e325152ce9fef1af1ec342feb306aea8f99a29f3224777ff4f22a701a9714e1819ba640e"}) 04:42:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x74000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:08 executing program 2: syz_open_dev$video4linux(0x0, 0x0, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000003140)=[{{&(0x7f0000001400)=@ipx, 0x80, 0x0, 0x0, 0x0, 0x2b5}}], 0x1, 0x0, 0x0) getpgrp(0xffffffffffffffff) r0 = creat(&(0x7f0000000580)='./bus\x00', 0x8) setsockopt$RDS_GET_MR_FOR_DEST(r0, 0x114, 0x7, &(0x7f00000009c0)={@nfc_llcp={0x27, 0x0, 0x2, 0x1, 0x0, 0x1000, "15e94d0eb4876d6f4be23c60b905a71618376a964fbe1342970dca1972114c235e92968fc2cf013aaf932b592bf6349504d7f1637d4d355208bff3c510a428", 0x7}, {0x0}, 0x0, 0x1c}, 0xa0) r1 = syz_open_dev$loop(&(0x7f0000000180)='/dev/loop#\x00', 0x0, 0x0) memfd_create(0x0, 0x0) write$binfmt_aout(r1, 0x0, 0x306) ioctl$TIOCNXCL(r0, 0x540d) perf_event_open(&(0x7f00000004c0)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000, @perf_bp={0x0}, 0x0, 0x0, 0x8000000000000000}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/loop-control\x00', 0x0, 0x0) prlimit64(0x0, 0xf, &(0x7f0000000340)={0x0, 0xff}, 0x0) readv(r2, &(0x7f0000000740)=[{&(0x7f00000003c0)=""/94, 0x5e}, {&(0x7f0000000000)=""/4, 0x4}, {&(0x7f0000000440)=""/86, 0x56}, {&(0x7f0000000080)=""/54, 0x36}, {&(0x7f0000000600)=""/98, 0x62}, {&(0x7f00000006c0)=""/90, 0x5a}], 0x6) ioctl(r2, 0x2, &(0x7f00000007c0)="50410db84c8e96880afc9a8381d074f51bc62e8404fd97c964ca9f68b6247f2be66f64c6abdbfe0e8435d067fc24d515cec266c1ed5e7dc10dc00f01c478cbee683b1bb378a7c74d13cbb0c7df48286206045b6f5dc579c1d08ebaded73ebf9f73cfd294f58c44f891423f43945e4f1076dbe75899ea04f9b79ab06e") clock_gettime(0x0, &(0x7f0000000280)) creat(&(0x7f0000000200)='./bus\x00', 0xb7f773a81c4bb4f) pselect6(0x40, &(0x7f0000000140)={0x80000001, 0x0, 0xd9, 0x2, 0x0, 0x3, 0x3, 0x1}, 0x0, &(0x7f0000000240)={0xcf86, 0xffff, 0x0, 0x5, 0x0, 0x100000001, 0x1, 0xff}, 0x0, 0x0) socket$inet6_tcp(0xa, 0x1, 0x0) r3 = creat(&(0x7f0000000040)='./bus\x00', 0x0) clone(0x10002102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) ioctl$EXT4_IOC_GROUP_ADD(r3, 0x40286608, &(0x7f00000000c0)={0x10}) 04:42:08 executing program 0: pipe(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) close(r0) poll(&(0x7f00000002c0)=[{r1}], 0x1, 0x0) [ 3387.119533][T16498] kvm: apic: phys broadcast and lowest prio 04:42:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x2) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3387.313296][T16632] binder_alloc: binder_alloc_mmap_handler: 16612 20001000-20004000 already mapped failed -16 [ 3387.328718][T16628] binder: BINDER_SET_CONTEXT_MGR already set [ 3387.337511][T16628] binder: 16612:16628 ioctl 40046207 0 returned -16 [ 3387.397008][T16632] binder_alloc: 16612: binder_alloc_buf, no vma [ 3387.405777][T11475] binder: send failed reply for transaction 614 to 16612:16628 [ 3387.437456][T16632] binder: 16612:16632 transaction failed 29189/-3, size 24-8 line 3147 [ 3387.448535][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3387.466919][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3387.486587][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xffffff8d, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:08 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7a000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:08 executing program 2: syz_open_dev$video4linux(0x0, 0x0, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000003140)=[{{&(0x7f0000001400)=@ipx, 0x80, 0x0, 0x0, 0x0, 0x2b5}}], 0x1, 0x0, 0x0) getpgrp(0xffffffffffffffff) r0 = creat(&(0x7f0000000580)='./bus\x00', 0x8) setsockopt$RDS_GET_MR_FOR_DEST(r0, 0x114, 0x7, &(0x7f00000009c0)={@nfc_llcp={0x27, 0x0, 0x2, 0x1, 0x0, 0x1000, "15e94d0eb4876d6f4be23c60b905a71618376a964fbe1342970dca1972114c235e92968fc2cf013aaf932b592bf6349504d7f1637d4d355208bff3c510a428", 0x7}, {0x0}, 0x0, 0x1c}, 0xa0) r1 = syz_open_dev$loop(&(0x7f0000000180)='/dev/loop#\x00', 0x0, 0x0) memfd_create(0x0, 0x0) write$binfmt_aout(r1, 0x0, 0x306) ioctl$TIOCNXCL(r0, 0x540d) perf_event_open(&(0x7f00000004c0)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000, @perf_bp={0x0}, 0x0, 0x0, 0x8000000000000000}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='/dev/loop-control\x00', 0x0, 0x0) prlimit64(0x0, 0xf, &(0x7f0000000340)={0x0, 0xff}, 0x0) readv(r2, &(0x7f0000000740)=[{&(0x7f00000003c0)=""/94, 0x5e}, {&(0x7f0000000000)=""/4, 0x4}, {&(0x7f0000000440)=""/86, 0x56}, {&(0x7f0000000080)=""/54, 0x36}, {&(0x7f0000000600)=""/98, 0x62}, {&(0x7f00000006c0)=""/90, 0x5a}], 0x6) ioctl(r2, 0x2, &(0x7f00000007c0)="50410db84c8e96880afc9a8381d074f51bc62e8404fd97c964ca9f68b6247f2be66f64c6abdbfe0e8435d067fc24d515cec266c1ed5e7dc10dc00f01c478cbee683b1bb378a7c74d13cbb0c7df48286206045b6f5dc579c1d08ebaded73ebf9f73cfd294f58c44f891423f43945e4f1076dbe75899ea04f9b79ab06e") clock_gettime(0x0, &(0x7f0000000280)) creat(&(0x7f0000000200)='./bus\x00', 0xb7f773a81c4bb4f) pselect6(0x40, &(0x7f0000000140)={0x80000001, 0x0, 0xd9, 0x2, 0x0, 0x3, 0x3, 0x1}, 0x0, &(0x7f0000000240)={0xcf86, 0xffff, 0x0, 0x5, 0x0, 0x100000001, 0x1, 0xff}, 0x0, 0x0) socket$inet6_tcp(0xa, 0x1, 0x0) r3 = creat(&(0x7f0000000040)='./bus\x00', 0x0) clone(0x10002102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) ioctl$EXT4_IOC_GROUP_ADD(r3, 0x40286608, &(0x7f00000000c0)={0x10}) 04:42:08 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x200000, 0x0) openat$cgroup(r0, &(0x7f00000000c0)='syz0\x00', 0x200002, 0x0) io_setup(0x0, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) ioctl$NBD_DISCONNECT(r0, 0xab08) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback, 0x2}, 0x1c) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x80, 0x0) setsockopt$IP_VS_SO_SET_ADD(r2, 0x0, 0x482, &(0x7f0000000040)={0x3a, @remote, 0x4e20, 0x2, 'rr\x00', 0x0, 0x10000000000, 0x33}, 0x2c) listen(r1, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) getsockopt$inet_sctp_SCTP_AUTO_ASCONF(r2, 0x84, 0x1e, &(0x7f0000000100), &(0x7f0000000140)=0x4) syz_open_dev$dspn(0x0, 0x5, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:08 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe8030000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) mmap$binder(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x1050, r0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000), 0x0, 0x0, 0x0}) [ 3387.618926][T16734] binder_alloc: binder_alloc_mmap_handler: 16725 20001000-20004000 already mapped failed -16 [ 3387.680213][T16734] binder: BINDER_SET_CONTEXT_MGR already set [ 3387.686469][T16734] binder: 16725:16734 ioctl 40046207 0 returned -16 [ 3387.696934][T16738] binder_alloc: 16725: binder_alloc_buf, no vma [ 3387.696968][T16732] kvm: apic: phys broadcast and lowest prio [ 3387.704011][T16738] binder: 16725:16738 transaction failed 29189/-3, size 24-8 line 3147 [ 3387.719528][T11475] binder: release 16725:16734 transaction 619 out, still active 04:42:09 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x40000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000002c0)='cpuacct.usage_sys\x00', 0x0, 0x0) fchmodat(r2, &(0x7f0000000380)='./file0\x00', 0x2) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="2e18044001000000"], 0x0, 0x0, 0x0}) r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x509000, 0x0) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffff9c, 0x84, 0x75, &(0x7f0000000040)={0x0, 0x4}, &(0x7f0000000080)=0x8) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(r3, 0x84, 0x6d, &(0x7f00000000c0)={r4, 0xf4, "dbe0d4f0fb8d09ebc3fa5becc757b510fd6a6f0317c8d3dada2d25ed0edf3f51dddff35d76a67774af32ae6d7dac7a2b83a4b4111777e4ad63164e6b390e451da0402eefc15e9db0db73526185a6a852e135ba9f475f286431a81225cce4f73877bd0cad90d52a1efef90fc4618b37540def60221ee32649e8ebf81690733141c64de5b8b20409a66e7e33888b450d298d08bbafd875ec52b1b78684767601a58924e88a828241f92cb2bddf287eb2ef60b04982d7b103428ec660a5e2692c3543b89096220ede9b66c5a9e9558a17b0453d31550a12ea901eea464bf25a438c102b9526d755684cc37d882ec2246cbffc64f67c"}, &(0x7f0000000280)=0xfc) [ 3387.767578][T11475] binder: unexpected work type, 4, not freed [ 3387.786964][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3387.838916][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3387.876129][T11475] binder: send failed reply for transaction 619, target dead 04:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xc0ffffff}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3387.913620][T16842] binder: 16825:16842 unknown command 1074010158 04:42:09 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe8030000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3387.957314][T16842] binder: 16825:16842 ioctl c0306201 200001c0 returned -22 [ 3388.019855][T16942] binder_alloc: binder_alloc_mmap_handler: 16825 20001000-20004000 already mapped failed -16 [ 3388.049491][T16842] binder: BINDER_SET_CONTEXT_MGR already set 04:42:09 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x40000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3388.089228][T16842] binder: 16825:16842 ioctl 40046207 0 returned -16 [ 3388.104793][T16942] binder_alloc: 16825: binder_alloc_buf, no vma [ 3388.142536][T16957] binder: 16825:16957 unknown command 1074010158 [ 3388.172451][T15669] binder: release 16825:16842 transaction 624 out, still active [ 3388.183052][T16942] binder: 16825:16942 transaction failed 29189/-3, size 24-8 line 3147 04:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xfdfdffff}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3388.198824][T15669] binder: unexpected work type, 4, not freed [ 3388.235038][T16957] binder: 16825:16957 ioctl c0306201 200001c0 returned -22 [ 3388.244217][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3388.265116][T15669] binder: send failed reply for transaction 624, target dead [ 3388.310942][T15669] binder: undelivered TRANSACTION_ERROR: 29189 [ 3388.357807][T17141] kvm: apic: phys broadcast and lowest prio 04:42:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x100000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:09 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe8030000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x801) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x414080, 0x0) ioctl$DRM_IOCTL_ADD_MAP(r2, 0xc0286415, &(0x7f0000000080)={&(0x7f0000002000/0x3000)=nil, 0x0, 0x4, 0x80, &(0x7f0000004000/0x400000)=nil, 0xde}) getsockopt$ARPT_SO_GET_REVISION_TARGET(r2, 0x0, 0x63, &(0x7f0000000100)={'ah\x00'}, &(0x7f0000000140)=0x1e) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r3 = socket$bt_hidp(0x1f, 0x3, 0x6) ioctl$SCSI_IOCTL_START_UNIT(r2, 0x5) setsockopt$bt_BT_RCVMTU(r3, 0x112, 0xd, &(0x7f0000000000)=0x9, 0x2) openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput\x00', 0x802, 0x0) 04:42:09 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x40000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:09 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) openat$vim2m(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video35\x00', 0x2, 0x0) r0 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x101000) ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffffff, 0xc0086420, &(0x7f0000000040)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r0, 0xc0086421, &(0x7f0000000080)={r1, 0x3}) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000340)={0x0, @in6={{0xa, 0x4e23, 0x5, @mcast2, 0x4}}, 0x4, 0xffffffffffff0f8a, 0x2, 0xff, 0x8e}, &(0x7f0000000240)=0x98) setsockopt$inet_sctp_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000400)=@assoc_value={r3, 0x7ff}, 0x8) bind$inet6(r2, &(0x7f0000000100)={0xa, 0x4e23, 0x0, @loopback, 0xffff}, 0xffffffffffffff69) ioctl$GIO_FONT(r0, 0x4b60, &(0x7f0000000140)=""/207) listen(r2, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x4000000000000000, 0x90000000000000) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:09 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xff000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3388.810814][T17185] kvm: apic: phys broadcast and lowest prio [ 3388.829623][T17188] binder_alloc: binder_alloc_mmap_handler: 17180 20001000-20004000 already mapped failed -16 [ 3388.869208][T17183] binder: BINDER_SET_CONTEXT_MGR already set [ 3388.902706][T17183] binder: 17180:17183 ioctl 40046207 0 returned -16 04:42:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xffff8000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3388.919316][T17188] binder_alloc: 17180: binder_alloc_buf, no vma 04:42:10 executing program 0: symlink(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)='./file0\x00') r0 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x75, 0x109000) setsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f0000000280)=0x5, 0x4) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r0, 0x84, 0x4, &(0x7f0000000180)=0x80000000007ffd, 0x4) r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2) ioctl$SCSI_IOCTL_STOP_UNIT(r1, 0x6) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r0, &(0x7f00000000c0)="40ff3dbbae68b2c1185b3a8743c2a332aa54b1ddd8a1ae26a503b2e559fd383b7bc6264d2c9e701c4816b3c3616657729997869c53737ab2b77b2fdd2b888c52b0", &(0x7f00000001c0)="e32f6e12aa46f3c9255dc2fbc19f6ee546cffac1f42dc348d6b4100e941dba742ce11d48acb16d0545424098e763c467c5a22f2a37b12f4ff3acb38e09942133a78098e938f8630fefe2fad5a611e9974b8fd7829857ac68bfa8e52e403757a28cbec9510a530e982972ac2d137f228abea51f0ded0f27e9e3", 0x3}, 0x20) setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)={'nat\x00', 0x3, [{}, {}, {}]}, 0x58) [ 3388.976449][T17183] binder_thread_write: 1 callbacks suppressed [ 3388.976466][T17183] binder: 17180:17183 Release 1 refcount change on invalid ref 1 ret -22 04:42:10 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video36\x00', 0x2, 0x0) getresuid(&(0x7f0000000340), &(0x7f0000000380), &(0x7f00000003c0)=0x0) setfsuid(r1) r2 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x100000005, 0x4001) r3 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000100)='SEG6\x00') sendmsg$SEG6_CMD_DUMPHMAC(r2, &(0x7f0000000200)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)={0x44, r3, 0x0, 0x70bd28, 0x1f, {}, [@SEG6_ATTR_DST={0x14, 0x1, @empty}, @SEG6_ATTR_SECRETLEN={0x8, 0x5, 0x3}, @SEG6_ATTR_ALGID={0x8, 0x6, 0x3}, @SEG6_ATTR_SECRET={0xc, 0x4, [0x400, 0x0]}]}, 0x44}, 0x1, 0x0, 0x0, 0x40000}, 0x4000800) r4 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x2200, 0x0) ioctl$UI_SET_PROPBIT(r4, 0x4004556e, 0xf) ioctl$VIDIOC_S_FMT(r0, 0xc0d05605, &(0x7f0000000240)={0x2, @sdr}) [ 3389.041684][T17403] kvm: apic: phys broadcast and lowest prio 04:42:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xfffffdfd}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3389.086761][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0xfffffffffffffffa, 0x20011, r0, 0x3) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x40, 0x0) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, &(0x7f0000000040)={0x60002002}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3389.127708][T11475] binder: send failed reply for transaction 629 to 17180:17183 [ 3389.160447][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3389.188105][T17423] QAT: Invalid ioctl [ 3389.197643][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3389.236456][T17461] kvm: apic: phys broadcast and lowest prio [ 3389.262628][T17500] binder_alloc: 17478: binder_alloc_buf, no vma [ 3389.287133][T17500] binder: 17478:17500 Release 1 refcount change on invalid ref 1 ret -22 04:42:10 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0xffffffc0}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3389.335429][T17569] binder: BINDER_SET_CONTEXT_MGR already set [ 3389.397739][T17569] binder: 17478:17569 ioctl 40046207 0 returned -16 [ 3389.431782][T17574] binder_alloc: 17478: binder_alloc_buf, no vma [ 3389.440753][T17574] binder_transaction: 2 callbacks suppressed 04:42:10 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x300000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:10 executing program 0: r0 = syz_open_dev$sndseq(&(0x7f00000002c0)='/dev/snd/seq\x00', 0x0, 0x1000000000008080) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000300)='/dev/dlm-monitor\x00', 0x228000, 0x0) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r1, 0x84, 0x13, &(0x7f0000000000)={0x0, 0x42e3}, &(0x7f0000000200)=0x8) lstat(&(0x7f0000000040)='./file0\x00', &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, 0x0}) ioprio_get$uid(0x3, r3) setsockopt$inet_sctp_SCTP_RESET_ASSOC(r1, 0x84, 0x78, &(0x7f0000000240)=r2, 0x4) r4 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) syz_kvm_setup_cpu$x86(r1, r4, &(0x7f0000fe6000/0x18000)=nil, &(0x7f0000000140)=[@text16={0x10, &(0x7f00000000c0)="0f20d86635080000000f22d80f01c8b806010f00d82667eacf9902000f01d166b8150000000f23d80f21f86635c00000600f23f8d22d3e0f2935baa100b00aee66b99b0000400f32", 0x48}], 0x1, 0x2, &(0x7f0000000180)=[@vmwrite={0x8, 0x0, 0x3, 0x0, 0x100000000, 0x0, 0x7ce2, 0x0, 0x1f}, @dstype3={0x7, 0x7}], 0x2) ioctl$PERF_EVENT_IOC_ID(r1, 0x80082407, &(0x7f0000000280)) ioctl$SNDRV_SEQ_IOCTL_CLIENT_ID(r0, 0x80045301, 0x0) [ 3389.440770][T17574] binder: 17478:17574 transaction failed 29189/-3, size 24-8 line 3147 [ 3389.486987][T17630] kvm: apic: phys broadcast and lowest prio 04:42:10 executing program 2: r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) r1 = socket$inet_dccp(0x2, 0x6, 0x0) connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4e20, 0x3, @dev={0xfe, 0x80, [], 0x20}, 0xbca}, 0x1c) getsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0), 0x10) socket$inet_udplite(0x2, 0x2, 0x88) listen(r0, 0x6) connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) dup3(r1, r0, 0x0) poll(&(0x7f0000000040)=[{r1}], 0x1, 0x0) 04:42:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x300000c, 0x10, r1, 0x0) r2 = mmap$binder(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x3000000, 0x14031, r0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x14, 0x0, &(0x7f0000000080)=[@increfs_done={0x40106308, r2, 0x4}], 0x0, 0x0, 0x0}) [ 3389.644650][T17701] binder: 17693:17701 ioctl c0306201 200001c0 returned -14 [ 3389.658690][T17728] binder_alloc: binder_alloc_mmap_handler: 17693 20001000-20004000 already mapped failed -16 04:42:11 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x10003, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0x391300, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000200)='/dev/snd/pcmC#D#c\x00', 0x8, 0x400) openat$vfio(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vfio/vfio\x00', 0x20000, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000340)='/proc/sys/net/ipv4/vs/schedule_icmp\x00', 0x2, 0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) setxattr$trusted_overlay_upper(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)='trusted.overlay.upper\x00', &(0x7f00000000c0)={0x0, 0xfb, 0xa0, 0x3, 0x6, "ce90b6366deba54ccfb64bf9f5985fea", "ccde9ee1c2cf7161dd34f88acdad64d270f0f43e9e15f76a893bc039dabe5b0d53a531fd87cf18ba91b5c160b53b3c6df2b0626cabcb02e53a3664e7ed990a9b665140d43a73e1ee688b6aad87fe78578cc67e72dd0788f753e1a6578d7087f8f3eb45fff89765da2b08b9620f119890d21cc7a5d1212b1d525bfa0ca5d5ad4f0623cf136ca1fd916bcf86"}, 0xa0, 0x2) bind$inet6(r2, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x1, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) io_setup(0x0, &(0x7f0000000000)) io_getevents(0x0, 0x5, 0x6, &(0x7f0000000400)=[{}, {}, {}, {}, {}, {}], &(0x7f0000000180)={0x0, 0x1c9c380}) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x40000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:11 executing program 0: ioctl$PPPIOCSNPMODE(0xffffffffffffffff, 0x4008744b, &(0x7f0000000040)={0x0, 0x3}) r0 = syz_open_dev$sndpcmc(&(0x7f0000000100)='/dev/snd/pcmC#D#c\x00', 0x100000000, 0x20002) r1 = syz_open_dev$media(&(0x7f0000002600)='/dev/media#\x00', 0x0, 0x0) ioctl$EVIOCGKEY(r1, 0xc0487c04, &(0x7f0000000000)=""/226) write$binfmt_aout(r0, &(0x7f0000000140)={{0x107, 0xfff, 0x8, 0x1f2, 0xa2, 0x5, 0x211, 0x9a2}, "36ed98b4b5617e89653ec777eaf9c3ec91b741689be8be296dcfe324e06dd6a025b0d298873ecc019ae550dbcdd48a11aea36a407b54347de3dd83bcc1e33b6f6c265c368e1cb05d9adf6e91f0d2d21ad9990109ad5f010734ec9c7699b8", [[], [], [], [], []]}, 0x57e) [ 3389.723659][T17701] binder: BINDER_SET_CONTEXT_MGR already set [ 3389.742176][T17701] binder: 17693:17701 ioctl 40046207 0 returned -16 [ 3389.743674][T17786] binder: 17693:17786 ioctl c0306201 20000440 returned -14 [ 3389.817735][T17728] binder: 17693:17728 ioctl c0306201 200001c0 returned -14 [ 3389.864645][T17819] kvm: apic: phys broadcast and lowest prio 04:42:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000000000000000000000000000000000001800000000001d000800000000000000251c8a05ce23c5897d65b740e9b2d04d16ac285b7e902b3bba55867bfe63c8fedf0caa51775fb83cc2e4e518826946e38e95130b0e4a639f870a1f336c8e1668a16c7cee3b9371cbfb5b83a0f30036748fdfafef87895720c8cf8bb4c0704d21", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) 04:42:11 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x4000000001, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = memfd_create(&(0x7f0000000600)='\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00v\x8e\x05\xf7\xc1U\xad}\xc6\x94|W>Zi$Nv8,\n\xa6=W^\xa3Y\x7f\x8b\x17(\'~\xf7k0TM{\xa9-\xcf\x97\x8f\xf1\xdd\xcc\x8bRA\xda\x89Efn\x00s\xc2Zb\x01\x00M\xbe\xa3z\xab\xd3\xeb\x98\x88\xc4\xc6)A\x9fP\x93zhH\xe0\xd2\x81\xdb\xeeV\x8cM\xe9\xa06\xc2o\x19\"\xf6Iqv\xdf\x97\xfb\xab\x04\xe8\xceI8\xb3\x1d\xcf%\x9bK\xc6\t\x01\xe1\x86a\xfa\xb8\xfb)\x88\xcd+\xc2`\xc2\xf5r5>k\xb0\xa0\x02\xfc\x16MO\x18\x9b\x06\x80b\xd1\x01\x00\x00\x00\x00\x00\x00\x00@\f\fL\xa5{Tk\x940\x17.\xa56.\xe0\x14\x00\x00\x00\x00\x00\x00\x00\xae\xd8\x9e\xea\xd3\xd9G4\t\xc0\x9c.\'\xa9R3z$\xf2\x01\x88\xc0\x13\x12<\xc01j3\xd8\xb4CE7s\xe4\xa0\x9e\xdd\x801\x12M\xee\x13\xce\x9cu(\x8f.\xc83\xc7\xe6j\xf5\xb1\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00.g\x10H\xa8\xc9\x1f\xfc\x1e\xdfF\x16K\a@\x8c7\x1d!\xfd\xb0\xefW\x8f\xb8\x19\x8dS\xcer\x00SE\xdcD\xd2\x98\fy\x8dQ?7m\x9a\xe3\xca\xb0~\xdb*\xa7\xbf\xeftV\xa1\x94\x911\xa7\x8cYiY\xd2\xecF\xec\xb4/\xca\x97~^o\xd74\x11\'\xe1\xce\x06\xe1\xebV\xfd\xaa\x19\xd3\x14\xad\xea=o\xf2\x15g\xa9\xca\xa7\xc6\xd6\xaa\x86\xcc\x03\xcfD\xfe\x0f\xd4\xa7\x9f\xd8\n\x13T\x83\xdb\x19}\xf1\xa9\xac\x9eV\xb9\x15\x852\xfd\xaea\xff\xcb\x86d:\n\x85\x807]\x96\xb4\x96\xbc\xa6\xe6\x86\x80Gy\xfe\x8c\x1aV\xce\xb2h\xfd\xee*\xf0\xb3\xc38o\xac\x96Y\xa6\x81~\x8e\x8b@k\x7f\x88\xdd<}\x91\x83\xb0[\xff\xe3\xb9\xc6P\xd7\xc9\x87 \xef\xc9M\xa7\xbc\x1c\xa4~\x9b\xee\x94\x02&\x980\x10\x96\x96\\\x00\x00\x00\x00\x00', 0x0) pwritev(r2, &(0x7f0000000340)=[{&(0x7f0000000200)=',', 0x1}], 0x1, 0x4081806) sendfile(r0, r2, 0x0, 0x20020102000007) ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000000000)=0x0) fcntl$setown(r1, 0x8, r3) [ 3389.915603][T15669] binder: send failed reply for transaction 637 to 17693:17701 [ 3389.953616][T15669] binder: undelivered TRANSACTION_COMPLETE 04:42:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x80ffff00000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3390.088926][T17912] binder_alloc: 17905: binder_alloc_buf size 8162774324609056 failed, no address space 04:42:11 executing program 0: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000140)={0x26, 'aead\x00', 0x0, 0x0, 'morus640\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000100)="71e67a15cdf0319fa22748f9a91c66b3", 0x10) setsockopt$ALG_SET_AEAD_AUTHSIZE(r0, 0x117, 0x5, 0x0, 0x1) r1 = accept4$alg(r0, 0x0, 0x0, 0x0) recvmmsg(r1, &(0x7f0000000000)=[{{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f00000017c0)=""/4096, 0x1000}], 0x1, 0x0, 0xf0ffffff}}], 0x1, 0x0, 0x0) [ 3390.168482][T17912] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 3390.185830][T17950] kvm: apic: phys broadcast and lowest prio [ 3390.192145][T17963] binder: 17905:17963 Release 1 refcount change on invalid ref 1 ret -22 [ 3390.229255][T17912] binder: 17905:17912 transaction failed 29201/-28, size 8162774324609048-8 line 3147 04:42:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x100000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3390.301656][T17963] binder_alloc: binder_alloc_mmap_handler: 17905 20001000-20004000 already mapped failed -16 [ 3390.373935][T18089] kvm: apic: phys broadcast and lowest prio [ 3390.406160][T17912] binder: BINDER_SET_CONTEXT_MGR already set [ 3390.429325][T17912] binder: 17905:17912 ioctl 40046207 0 returned -16 [ 3390.462473][T11475] binder_release_work: 3 callbacks suppressed [ 3390.462481][T11475] binder: undelivered TRANSACTION_ERROR: 29201 [ 3390.497795][T17963] binder: 17905:17963 transaction failed 29189/-22, size 8162774324609048-8 line 2994 [ 3390.535245][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x400000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:11 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x200000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="06630440f4405e5d9bd9280000d0ed"], 0x0, 0x0, 0x0}) 04:42:12 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) mremap(&(0x7f00007c0000/0x1000)=nil, 0x1000, 0x2000, 0x3, &(0x7f0000054000/0x2000)=nil) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2, 0x5c831, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_GET_SREGS(0xffffffffffffffff, 0x8138ae83, 0x0) getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f00000005c0)) ioctl(0xffffffffffffffff, 0x0, 0x0) syz_open_dev$vcsn(&(0x7f0000000200)='/dev/vcs#\x00', 0x2000000000000002, 0x20000) openat$audio(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/audio\x00', 0x400, 0x0) syz_open_dev$adsp(&(0x7f00000000c0)='/dev/adsp#\x00', 0x6, 0x4480) r3 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-control\x00', 0x0, 0x0) ioctl$UFFDIO_API(r3, 0xc018aa3f, 0x0) r4 = epoll_create1(0x0) fsync(0xffffffffffffffff) ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, 0x0) r5 = dup3(r4, 0xffffffffffffffff, 0x0) getsockopt$ARPT_SO_GET_INFO(r5, 0x0, 0x60, 0x0, &(0x7f0000000240)) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f00009b2000/0x18000)=nil, &(0x7f0000001580)=[@text16={0x10, &(0x7f0000000140)="360f303e0f01df6766c7442400090000006766c7442404020000006766c744240600000200670f011c240f20c066352000000a0f22c0263356470f0764f30f2a342e260f0f970a008e0f08660f5808", 0x4f}], 0x1, 0x0, 0x0, 0x0) write$FUSE_POLL(r4, 0x0, 0x0) 04:42:12 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0)='TIPCv2\x00') r2 = syz_open_dev$usb(&(0x7f00000003c0)='/dev/bus/usb/00#/00#\x00', 0x8, 0x200) ioctl$VT_RELDISP(r2, 0x5605) sendmsg$TIPC_NL_MON_GET(r0, &(0x7f0000000200)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x10200}, 0xc, &(0x7f00000001c0)={&(0x7f0000000100)={0x98, r1, 0x0, 0x70bd27, 0x25dfdbfb, {}, [@TIPC_NLA_LINK={0x84, 0x4, [@TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3f}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xd}]}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x24, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x57f441bd}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x101}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}]}]}, 0x98}, 0x1, 0x0, 0x0, 0x40080}, 0x4) listen(r0, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r0, 0x0, 0x0, 0x0) r5 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x1, 0x0) setxattr$trusted_overlay_opaque(&(0x7f0000000240)='./file0\x00', &(0x7f0000000340)='trusted.overlay.opaque\x00', &(0x7f0000000380)='y\x00', 0x2, 0x2) ioctl$VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL(r5, 0xc040564b, &(0x7f0000000040)={0x0, 0x0, 0x1003, 0x1, 0xfffffffffffffff9, {0x200, 0x401}}) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0xa) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) 04:42:12 executing program 0: sched_setaffinity(0x0, 0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f00000000c0)={0xffffffffffffffff}, 0x80000) r1 = socket$inet6(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @local, 0x2000000008}, 0x1c) setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x25, &(0x7f00000001c0)=0x181, 0x4) ioctl$EVIOCGPROP(r0, 0x80404509, &(0x7f0000000200)=""/140) sendmmsg(r1, &(0x7f00000002c0), 0x400000000000027, 0x0) [ 3390.783442][T18183] binder: 18182:18183 Release 1 refcount change on invalid ref 1566458100 ret -22 [ 3390.814446][T18188] kvm: apic: phys broadcast and lowest prio [ 3390.885634][T18199] binder_alloc: binder_alloc_mmap_handler: 18182 20001000-20004000 already mapped failed -16 [ 3390.944510][T18183] binder: BINDER_SET_CONTEXT_MGR already set [ 3390.983110][T18183] binder: 18182:18183 ioctl 40046207 0 returned -16 04:42:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x300000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3390.983207][T18352] binder_alloc: 18182: binder_alloc_buf, no vma 04:42:12 executing program 2: r0 = socket$kcm(0x29, 0x5, 0x0) getsockopt$kcm_KCM_RECV_DISABLE(r0, 0x119, 0x2, 0x0, 0x0) [ 3391.030558][T11475] binder: send failed reply for transaction 644 to 18182:18183 [ 3391.059399][T11475] binder: undelivered TRANSACTION_COMPLETE 04:42:12 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.cpu\x00', 0x200002, 0x0) r2 = openat$cgroup_procs(r1, &(0x7f00000002c0)='tasks\x00', 0x2, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f00000000c0)=""/148, 0x94}], 0x1, 0x0) preadv(r2, &(0x7f0000000480), 0x10000000000000f3, 0x0) fremovexattr(r2, &(0x7f00000001c0)=ANY=[@ANYBLOB="6f73322e7461736b738014549724268ac2b5c084b806a7ccd867f680d07e99ad3711940537d05ada193469808d52685a8e1b8bcc6223831efaa7043d6005fdca24309dc70f7219d0d20800"]) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup/syz1\x00', 0x1ff) r3 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x480000, 0x0) setsockopt$inet_tcp_TCP_REPAIR(r3, 0x6, 0x13, &(0x7f0000000240)=0xffffffffffffffff, 0x4) ioctl$FS_IOC_ENABLE_VERITY(r2, 0x6685) ioctl$KVM_SET_MP_STATE(r2, 0x4004ae99, &(0x7f0000000000)=0x7) [ 3391.088778][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3391.102194][T18365] kvm: apic: phys broadcast and lowest prio [ 3391.123341][T18352] binder: 18182:18352 transaction failed 29189/-3, size 24-8 line 3147 [ 3391.137553][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000180)='/dev/vsock\x00', 0x200, 0x0) ioctl$UI_SET_KEYBIT(r2, 0x40045565, 0x2d3) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) r3 = msgget$private(0x0, 0xfffffffffffffffd) r4 = openat(r0, &(0x7f0000000100)='./file0\x00', 0x800, 0x20) setsockopt$inet6_tcp_TCP_CONGESTION(r4, 0x6, 0xd, &(0x7f0000000140)='bic\x00', 0x4) r5 = openat$ipvs(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/sys/net/ipv4/vs/am_droprate\x00', 0x2, 0x0) ioctl$TIOCCONS(r5, 0x541d) msgctl$MSG_INFO(r3, 0xc, &(0x7f0000000000)=""/181) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="004f9563404000000000000000000000000010000000000000a90000007079000800000000000000000000000000000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="630440ff000000"], 0x0, 0x0, 0x0}) 04:42:12 executing program 0: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x8000, 0x0) write$P9_RREADLINK(r0, &(0x7f0000000040)={0x10, 0x17, 0x1, {0x7, './file0'}}, 0x10) ioctl$EVIOCGABS0(r0, 0x80184540, &(0x7f0000000080)=""/88) write$binfmt_elf64(r0, &(0x7f0000000100)={{0x7f, 0x45, 0x4c, 0x46, 0xfffc000000000000, 0x8, 0x80, 0x1ff, 0xb0, 0x3, 0x7, 0x2, 0x2fb3, 0x40, 0x37a, 0x200, 0xe7, 0x38, 0x1, 0x3f, 0x7, 0x9}, [{0x70000003, 0x1, 0x1ff, 0x3, 0x1, 0x7, 0x5}, {0x4, 0x6, 0xd668, 0x9, 0x3, 0x4, 0x4}], "9a2696a7ef31ac8bb7ff9b1eaca164489940722097292808167b5cd7ba6dd916db170f6ed88a785be3121683b341ceb55a05dd83bedd441df6346062a8527eefd7ac89699a9df554c4c2b6dd528694cc3db939ce12bc9414808589373f92e9e3189d7ae50c362071bbdb3d41140b94b12fa9faba225bc82fac24afa96fcf046d8fe7343c1586d767e148a9dba435880f4a8d62f62f55c39ac33d363702dff6e17e83622ce5111d100c2a5df1f88320522c2f3dba3c268f7abae198c60cda30930145f677089bea8dbef265d9dfe8ee244e198ce6fb22ec6d22ffa5f310c4473c92c513dcaa486f596a89e309723cdd2320ab3a3c9a7d498d9b0ac1228cc47d3a40a5eded4df8b3af173428426f498fc45e07f579ccd09e822bddb06db634e031493426c2fc64fdb319c41ec61835c20d94bff5922b9a6db3cb4f3873b9415d7e12f5e54b14aeb01738d0ce626b56b27ff70c9926df3456ea20fccc7372d2bf6ab4a9d1ba0a7941b31ccb89034330fcbd0751517596735fc4a637dd8de7f81e6bc818f0e85c938c0ed5f8e9c9841a6e86f9f0cd5f0d98d3858fee64cc4e9a14bde597acc74c59d4f25b5d91a58f0357c8c37791354c517b2caed7ab4a5b465a8bf2671410bc5f702709ecb5b92be8dfd7ae576e7a311ff2af6bd3097cd3fe149d5a45c1ed399e9ee0890f99358abd77d04bc2c8798f3c9707d8191d741bb9419b0c2340f6fc75a868cbfa8b01c34b90b6b93a365a473f776ab83ed27d394e08e29c0fbd9028d9d1dc9d6ecb0ea33ffa42773e9280a1382dd68ecba51267b5c6e0485d633eae9dd642875527478f76f89d2c38caf40500d8538839d77b08718b4ca68db489578bc00de9bb1b7915d61b59ab27ca69e33381572f79a243711c46d8d416c029000ece43d7bcba91ceb5ad7871a59baec6a1b08343365a921c020a4533825967fc03ed984846ccb652e36752771e66be84e16e5578e495d03879e770663e5c9e6b6cc23707ec18bf56f0f78a35ec22376c848f1c4cb895258830556ebee29483000987d4f815aeaeb25b0d5e2bbd3cf042fc38621dc0469c14819ef554aeefad8aac4da432360a15f83c0c6eca4add7c1d8bf0634a63c097dcf4de92fcafb23ef631cd365d1e17b166277257fb29f6b9b31447f3db4361dcd3eb7b8c078b1b3cc81191976072d4184e45d8e68c839afdbcf72a724d4878b30c0cb13943192518ecb8aff087b07c47c49736e9539b078059f50eebeb9a28d2adf508658dd1e9c6cee1e69b1c4e40bb79342adb97c9a9ebc36ec29993102f74d32b33c06d57f1af5c76b8e9531198c6e9ce820152cca8399c52ed0d9514b93f89124e1cfb48d97038c5958a2001e8d8003536eec2b7b4f211cb31696ee57900b8745bbfa225d57ecaf893641536821a40f6b64f5f8c41a21cd48e16c35ce1fd48c719f3f6d785884a17ef93bfaf65d69f6c49626ce5e33bfe06d9fc7cdd80655b53c7ffd5df5b99dc8db2f94f001ceb80bbcb8cea6b29e45de8e13909669aeab07ac5cd9dbc172f5751f4d0027579eb994abbc74fd005ab7860196ab07ee7f0d290e0e509cc7996726460f56cd84a3cff9cc36a7479746c576423672e5a2eb595cd79d3f8112c2f592ad1ac5ab7a9cc11a7387fa320528bfffbb77466c160a7713f147239fa0857889ab049eeba58bfeaccc960f8384bf6b035ca40222a8da138741a288f065500c55c60d7c8b08dcf16a46cf943c6b2bca3ba1dc404c3455af5470d0b0482e1b401df0f0925287747b566edcd653dd39b207b7bd79b6fc89e1c4a3cead2b9f43ea5096cd65d901334e1b01990115c960969b86d6778547f9d5086ddb0a0c9844fa8c13de1e8949dd65552defcecf716c71d6baaffb2e525a51cd52a8a6f7eee2aede5bdd94eb8154d46bdd9f08ad9ad5a2c8fb3129149118e6c374010753e7d8f58c5054ca0ba93e02cdefeab2fe648962263c8aa592c702730de2fc01926b86a9e259a8086460c94dd082575fceecbdf43a11eadf0bb937cb78d343f0bbe5c1b9c909218e73ad9afed4926a0f5d3f7c44fb30cfd92666e65cb9b050c791e5038af5f2552f19e7251396e5d6ec49686aff5d4484c71f1823bc51e09f9cb2d8c809d89553912447fbe8e1f23a5d4ae6ea523c378a21a559c4a73e9265a2456ed3012d964cee93435b16c9f4c8fb67bf29091921601eb17cf9d472fcc15d9ebcdcecffe438e69602c80d286749f6855bc951bd92aabc76195564ab1128022c176e1c0b1d0c03534ff659cd3258a17b1200afe7cfb803630b55d145fb0cfc80f62f7711b2373c1f61fb1fab69aadf559797c9631c2812a201fef33f4ded38a8a802524d55c17aa7618f1e3fc6a192b430a15537f5ea3e72131bc0ea2d5c231131e22313872202369a72cc77354830f1069d47cb6fb4396ce2aac3fcd2f2f6c6f6a6a28afa979d6dca26e018f067985ee8aa89cd3c754ac1f54081fb342567ff0c6e0d9c781a2031abe93e2fd9ead1a1db88c7b55febbfa72ecf0fea2915c9fdc05f740d40c675d731487163c491f93704d9d65dc1987f976d56e2586c7db950c7bb8edf26adfb179e6e641b32910db8ba77088ecc34752aebb21c8e0927922490abd752ae350d43ea94abc377f77bef65d965c3b886b2ffdd21cb0d9bdf7430befc5146a5259104964960e2df0c22c5f19ccb0df839bc741946f37d7663b7679a9213ed413aa16c7f7754211f0cacaa1529e90cfd40efdcf1c34c70d87da971a6df7fb1058ac5cfc6e7779e793609cdf6e4ab2e44a036a34f713640883cac18da0c19a81029cfd2aae578a3d795f16b5058ccdf05903a54704d34c304f20a03d5829cd36544d9bb8b3311044283f454ad00981f874715e96977521173da96c7638541d0e6de5f5d421d93a2443873097a054ab4cd29ececbd8e0221c48c33de4a8fdfd8b2f0b256cc80edc83f48c721cbb718c363edbd133b4ab044badf43d680c45fadd25d58cd16d4941eb85672790ee2d80eeccfda570891c33e392a4ceac26706fc10a719f65af3fbcfc687473369c80582b6c3e70e0e6acc6db42caadf92de8cbf36decfcf4c267f6ac76ce90330fc5fb6980da0cab1e41265592138c4082124f608f0943fd35b807ec989e8bb8256c74f6918edc115a82d72ab75c70fed6e066d5570cfa8ae5f2cafeb579243b0a37f35c032cbd1d19e24b691103ea96da2a612a08037abd38e7cfb74a7b63aa53aca82bda3c6fcc74c2d4e6065a53636d0142f31897da05c35fe9759a4cbad64bb40a185103b4208061a76954b0f69b02c90354c6a87b713ada702996ceb1c88d45d0c4e0db2a7a74e7c21fd9747d38fd95380dd842f68fc797a8a2f9c712f5f4879af998204879c16cecd34825432c882f018d562971baf7a0597d0226141b4a8c4d894804e875d3d5c584d7fd81eeee8973c20a1db757c6285fefeb1d56556ab6d58e3bc09bb7168a48882599189af085efdeb95419b5f6da79a5cc5109e9d7df4ed8ccbf06151ae591c5e4dba97a7e39d6c750a2d841a869afc7ede4bb8acb87bfea711f4d8ef91dc9313a2cf3ce5c480b060719f3b4935cf33c33dca43c356bfa363906d396f2fff55691e195d1a24ebd00d83639dd44eeaa6846a339c1ae1fe68df783ccd21927676d405cda5a97e5360db44f2d62770b9f20c86a66fc28d0ba5c586bf07f44860abf49360c0af15a7b25127b94deab842cea5e1fbf4d427e8dad7f37d98d05e9aee64c653d4b4a119508de8ef56a53fb902f5a79bce481337cd42b24f5499a1abda140400abc1947187c946e70b184b059ba104a1a3c607bbfb19edc516c02ca740ce42886629a6494fa64c89108015776cdf04d2907c87173bcdc5fc5a3d22abe0c499afd305946a0594a6c25b655d6e1f939571245fbd7644305c082bfed6f44f1919bdee973967a2dd66e130ff6f0c94000ca5f039357b18be114c512f6b9b1864fc01d264f84cc8a3f7c04084efaec8df41c9aba3e16454e8fb548935f1b1962c4b7a110a114f53d99f10db2c4e3261ce66497e4918b423939726d4744c374b024b20141268afac360d2292966133d553bade160b699865661814809a1806b3344b1822d4e8472a6455a3d9cecee5f4933063b8800552ae70b93af76cbfa65e5e05014beae8588427da7952f230a445370f1089701ea0bf858bfe8e59946cf322f8d8217d2988998f4956b1903ab6d6dd3f71e7aea355d2d1bac415374ed2abff2347ab236cafec9e64d19bc432ba7c0325db648bda6d0e95d32e1f88b1a5bb9f7bb4601cf6f996f60bd1748e74d5f2f0fe8f1489f4825b6ed7226299a3e79efd918654f8882366ae0fbc9bbec6f5f7ed759aaf4069e5d984a45921eeee0c0d0699e9718f315de95f167f6f1fd0fe307467f416d9760fe675de68007cf8e156149da32f32c9d924a532d2600a438ffa88dc8ef36ac21c033c933681c295c6ace36d07f84af749a5e8d9a5e8cf84be8b1d67d72314c34126929112c57c4545c9fa50d61d36e3662de3639f627816a1b2e50464d3c8e69e1e0ad6d26dab62eca8d8a7cfcfaf27d0f1d73ec9d946ac5312e52efdbc496604608d0cd227102b291b9d21142688c7f3d3cbc1016954f051d8438ae18fbe5b29e2aeedb96b3d701cde7013d1acf8fd5236458cee365a9e4d56b0311f7a67c8e21384bb22a1a135c594358954a8cad3343897e7f7a2781110b693c031f2dc0fb3e12c9a59e9ce5ab7ba818d589043ba7f7a7046ffce7f5cfd9fa287be393ef5858e3567326e460410175a32468b403118ed5d571f676f798ce152ca8ddc64bde28745e183f1cb956bf4e69aaef3fbb78abffafcd3cb71615e95eebd18bbd9af5c22a13d52ebea812adac69788d14454272ab5a37c4f13aeb7043043df2f35eb1709b51a3813beaf61b3fe1518774c6892c42b3d7978deef383053a6bddb29478d4719ebcf63e14d5f875dfd41c294908068b630d690f6061fbc4c00d9942bdb66749d06b86e290b4eafdd54d6dc7806ef41bd1840bbabe1b543dd90ad41cb99bcd7b2340b47cac791705f98628ca3f062715cdb7cc2ec680c92d3a761034c10a605e35c0d2ef15abd0fe9db6b556f8bfc52460e362e2c88c6cae06cf1e46ab0b9055dae66787025089d1b56e7cb30289c7b9a16dbc0e31bf71105d946d08fc28c87c47fb9b90b47188a82d91f866488149096f28d32c8c18d496a7139ff5dd1810f54542ec2b97d6e552fc82e97ed2788ab4920ac62bcd8c19f42caae5257544a9d092da3e937f504cba1d37301e90f1fbc3c877a32573e99fa808d088339586bcf6761cf3c0e958c1bad6baef8c262fd7610bfd48ee8afc87cff35206695e5b72309d90642d63bc01a1d222e008791f959d83c693084cabe23a432289fc30624ea288f85ec1e889a9dfbad604c69ac9b94168c1d51e42dda769f4d44bbf2a850ff7e2f028cfe0583a9c3e7dde9cb4ff471c6f4b5522f5323009adb6b29b0896e9b300f79739e395746deb219ead1cce70e824be4c116cd7bc8de2ad15f84123c2136bcb88cf6b8b03c9a6a7201a3c40b246fbc2221ca1c0dbc4ac4dbfb962879413ae0ec4b8d708c1ec6c3117da9cd5c015654129e1fb71d00dcde015d9d72a5ce127b8ef266cce01bc19955fe936031a7e418951362c4e657862fbfd7cfdb9655adb07945d7b32380853f71044ab41856cc3b3d309d5d3b6ac8b61778a81e959ea363abbf10038a9f04781664bacd107cd6761819f18d4ff06dec4153fb9e9bae64104017eff68ebc38ccb", [[], [], [], [], []]}, 0x15b0) ioctl$IMADDTIMER(r0, 0x80044940, &(0x7f00000016c0)) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000001700)='/dev/btrfs-control\x00', 0x40000, 0x0) fstat(r1, &(0x7f0000001800)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000001880)='./file1\x00', &(0x7f00000018c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000001940)={0x0, 0x0}, &(0x7f0000001980)=0xc) getsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f00000019c0)={{{@in=@multicast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@empty}, 0x0, @in=@dev}}, &(0x7f0000001ac0)=0xe8) getresuid(&(0x7f0000001b00), &(0x7f0000001b40)=0x0, &(0x7f0000001b80)) mount$fuseblk(&(0x7f0000001740)='/dev/loop0\x00', &(0x7f0000001780)='./file0\x00', &(0x7f00000017c0)='fuseblk\x00', 0x800, &(0x7f0000001bc0)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x2000}, 0x2c, {'user_id', 0x3d, r2}, 0x2c, {'group_id', 0x3d, r3}, 0x2c, {[{@default_permissions='default_permissions'}, {@blksize={'blksize', 0x3d, 0x1000}}, {@blksize={'blksize', 0x3d, 0x1e00}}, {@blksize={'blksize', 0x3d, 0x1000}}, {@blksize={'blksize', 0x3d, 0x400}}, {@blksize={'blksize', 0x3d, 0x400}}, {@blksize={'blksize', 0x3d, 0x400}}], [{@obj_type={'obj_type', 0x3d, '/dev/btrfs-control\x00'}}, {@pcr={'pcr', 0x3d, 0x35}}, {@uid_lt={'uid<', r4}}, {@obj_type={'obj_type', 0x3d, 'wlan0em1%'}}, {@func={'func', 0x3d, 'FILE_MMAP'}}, {@appraise='appraise'}, {@smackfsdef={'smackfsdef'}}, {@fowner_gt={'fowner>', r6}}, {@fsmagic={'fsmagic', 0x3d, 0x8}}, {@euid_lt={'euid<', r7}}]}}) getsockopt$inet_sctp_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f0000001dc0)={0x0, 0xff, 0xa45, 0x7}, &(0x7f0000001e00)=0x10) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r1, 0x84, 0x6, &(0x7f0000001e40)={r8, @in={{0x2, 0x4e23, @multicast1}}}, &(0x7f0000001f00)=0x84) ioctl$IMCTRLREQ(r0, 0x80044945, &(0x7f0000001f40)={0x0, 0x8, 0x1, 0x8a0}) r9 = syz_genetlink_get_family_id$team(&(0x7f0000001fc0)='team\x00') sendmsg$TEAM_CMD_PORT_LIST_GET(r1, &(0x7f00000020c0)={&(0x7f0000001f80)={0x10, 0x0, 0x0, 0x3010000}, 0xc, &(0x7f0000002080)={&(0x7f0000002000)={0x5c, r9, 0x300, 0x70bd2d, 0x25dfdbfd, {}, [{{0x8, 0x1, r5}, {0x40, 0x2, [{0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r5}}}]}}]}, 0x5c}, 0x1, 0x0, 0x0, 0x800}, 0x4) ioctl$KVM_GET_MSR_INDEX_LIST(r0, 0xc004ae02, &(0x7f0000002100)={0x9, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) getsockopt$inet_sctp_SCTP_AUTO_ASCONF(r1, 0x84, 0x1e, &(0x7f0000002140), &(0x7f0000002180)=0x4) ioctl$LOOP_SET_BLOCK_SIZE(r1, 0x4c09, 0x3) sendmsg$TEAM_CMD_NOOP(r1, &(0x7f00000024c0)={&(0x7f00000021c0)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f0000002480)={&(0x7f0000002200)={0x248, r9, 0x20, 0x70bd2c, 0x25dfdbfe, {}, [{{0x8, 0x1, r5}, {0x48, 0x2, [{0x44, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x14, 0x4, 'activebackup\x00'}}}]}}, {{0x8, 0x1, r5}, {0x1dc, 0x2, [{0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x7}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x9558}}, {0x8, 0x6, r5}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x400}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x9}}, {0x8}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8, 0x6, r5}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0xca6}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x8}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r5}}}]}}]}, 0x248}, 0x1, 0x0, 0x0, 0x20004000}, 0x40) setsockopt$RDS_GET_MR(r1, 0x114, 0x2, &(0x7f00000025c0)={{&(0x7f0000002500)=""/108, 0x6c}, &(0x7f0000002580)}, 0x20) ioctl$KVM_SET_IDENTITY_MAP_ADDR(r0, 0x4008ae48, &(0x7f0000002600)=0x2) getpeername$packet(r0, &(0x7f0000002640)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000002680)=0x14) ioctl$KVM_HAS_DEVICE_ATTR(r1, 0x4018aee3, &(0x7f0000002700)={0x0, 0x3, 0x2, &(0x7f00000026c0)=0x6}) ioctl$IMADDTIMER(r1, 0x80044940, &(0x7f0000002740)) open_by_handle_at(r0, &(0x7f0000002780)={0x1008, 0x10001, "6142c7879bffd186ae6107aaff1d13b99de29f0df508286226b3817edbea3f27944168b8e0a52531aae6413e74b47d88c32603676527e83ce355c5763bab4d49d7d5c02d86fcf50583818deb7a874f81d6d4ae4ee0fff9c18af7b3b7eeb8ce69d403c45d1f36453c275db156585e3da96b050ab036de28cc085728dc5f0d4ebe3c0083d647e7e74d7a818a26226c9138bf13b8f57180c456d993b667a5275dc7ac5d577067105328a760c9b3370cf603e599b568f065077e6f1c217ccf91b0700585f8f8c762766c97d8fb4ecffa2bdffb53029ef47011bc3ded07dd5f5679863aa889fa2ed2819e4a5ddcdd16a1af6e5de0cf65c27091715ee6e3cd369a83cfe1e5c16b35b3a205afb3778d64f8615f05dcd380a20e28b29d5df75f4939d0a98737c19e25832ca3e9fed483a88d3f3e1d11179aa6b33083fc4cc0509f9035708f9ecd8d385de207907337312f4adfa9397e40b9a9f22c230330cff0c62772dccbabf668ff82e754f91e8809cd3d1116480907b36f4569d77ffc99d608a828145c9eb1f358bce59a6ce1f3ed22da33ebb7f8c7074feac7b1623e4f1c809351d9a1ca3cf032a792f8236357d43941333559853a08395aa498765ed52aa1fdb0da28b7f0353f36d002954cfbcc50b1b4aa4c26d54dd5b97bb1f87838925d58851d21a1fba346585cb716e85a648c76246cfdefebe51ee1999864f1f6fdde1d21c0a6aba45fd21438d1018514dbd400aa07d8741e06a49167d4d049d6ed5b5fca40f904bf50fd494de9e2396932ba6394098d0b3e2e8289a9dab8b04430ded09e952608ca4052d396b9768f20acd105f7b5ecc8559112b32c5dc2361f63b5725040ec0105dbb87b78da850adace0ddae10fbf6bb9ec7027e50d077b9d64f40d64a557b0c2e859947713bec03b0e8a8530ec3b5f06171b40f8c8ef31572f996f230ac078264d0345f04b32f02acaa4cf1527ad4f191cef2b681defd61b468c08ab08391ee35a3e7f97cbf528b42d88dfa61cdf326826146702d859be295ada9f70f1aad0fd1c34bd06f633829f5bfeef914430da976c240baf364acd4f008ce93dd1c9546053f5710940f82ea52e0ad521065a5c1494c4d993a8ee2302e36c8570b08dd16de5681afdffadcb98a6e7863ec594fca3b4c10f068bd6ea17c88834eaceb216056c010327f337958d5bd28d3ffc76f56e8db1e444f59f5a5c574655d4d99aae338a44b5b9dc1039c3845c17d1551dbf81a8eae12d16377c6a2408dd836947810ade6f9dcbcf0cdcff45f1334b82b76f4a699b891773607e11da9ebff6c08a08ed3e74fd47893b2762877978195d890031cf3f2f68f37c01e0f1f116ace0d2a4b7189fd67f623c78e0e9839d1ef31240d253a0a85716c88efebdd6b1f403bb9126c0e2f9016eb94dab4c340d8a27e971d74d07fc6e6934839f1fef4fc9320f6dcac913b703d29aa2a18941bf1f9657045d9aae9909809fcd59472bbab049be4a9153ca94dc29f4e9ef5394212fbdd7621e429fe3ccf677e65df6ff6da4606690a0e90c1ec71c73314ea33eada0e7be9efb234d9a9b8ce52d936c78f34ee5a81a5440a1eab5467ab3363158f15dac4eb8b4d81cac898926e7271ee32657cb59dc107ff138cb104fa0ae25889ce7117485af8c6818778480500ddd1690c9728b81b09d3c31428e02812be3df9675e288df9900f1a15a09bf5b8b17fac9b9055e8fdbea4ab809edfe56d0edcbd3266c4c8b91284085e487ddd9dcd4f6e84376a4d4282be717bc15d7039c8842079d2f62c1a94100dbc1f19f117c44bc58184b9f0fbeda92f848a0595e4d43ef05777781288abaf57cd4f2a9b6e82d92edc858b43a5f9c194565fea854fbe126d1d7907b2671a5bacd6c36e71e44caf20512d98dd47f5300a6d9007816425ce690b1d43bfefcc5f4bc5511e9c331db8d7b7e6a3c1ef1f19457db94bb8a5b9d4299faa841bcaf191a3592a4697c97a3b6c8a1ea7ebb9e1cf31aab3754be8d0fa522ececc8fc91d28ff8c3a1fa67683759726b9a277af2b0908f0cae190eacdf6b558c4068f90e61818027e1e95fd87138b36f1091bc69ddb5aa7d6b4383e0e72ecb1fd6c5e037c5cc78ce416a687bd9cb4e3c6eed566a00c50b55f063dc1fcd08426bfae5ef3ec3b4ff8a1c93e8de3b4838c727374fff1e3e4865fd180298f6bdd6b5a14bd1dffe0afbecc4a2394f3f5a9be6491c3841299075de116a8a9f6bcbb1e0da98868dff44705c2d8da611d2931ad59222a2e7549fbc3b2684936b79d87d2cfc4a642187506e0f0e83173532acafc3c14106c7107cf88fefb48b4d739aad12d56e99b99f8b9ed77b6114d18758f2e3b9f3d30f7aaef65e878e59d02cc4e585784d9dfe3e00bf10231db2b58c7c4982537c68e69df1571537d3490ba7e4fa592938239d404b2c1cf1dcac7a24d2ba3a345abd39b04b37c6a1951f9030629660bec94594868a3f33a4526aa2c30e869778b3d66029fe98881ee2198e0375b35fb1f49de3d2193d90d54170ba355dd2b5f67c968c7af5f68e8d9ebeccbdd1be1b5007d050f1bf99522459a31993c076db143127bc2ab614e9ea1b72261a12810832d5ad6082af75fcbcea475f96540e2784afc1b27516008533312a2f54d930493753cbe3e73061addb3701d827d1f0c8cc0b093fb37f980f686dd15b2537232644e9cbc0bd8c51eb38a59cb8df606205c710ce35d2e5f09d7fcf5df6f7592f825edf6579ca471a2d45a5d223c231d6be134cccf1fee4d9c08839600e9b1d2e1ebd51792ddb594669fffb04249922626496482a15329727c0d87b3849bdbecd627cf10ad653e5dddb301e2cc246f90480df79686288a035768862e07947e6fa735f7544a8f021c13983854a50e775e14d872be64e736225eca9e3ed4f258bea121df08bf70dfb1cd877ed7630047141cfac0d71ae059c3d0495a7398b485ee04ca1f568ed89a285555353964bf1694feff5893fae268e04666099091568d9bf090d74ed856674a11d191c0f65778ca157808753e92230955ec5ddd0f795fd8792149eeb074aaf6b5db1a1bd11b6c01d6c427d2bf550326a6256c345088390403d9e4e9ecd7a43411e2a25e12f89122ec2a400c7b918868341b1d9114cfc3f5ed209786e53416cf4e844a06f92ba4be0ef60c41989aad3e8351d8a4877bf463538d33001caa0d16ea222ec4dbfa1afa186564f0084844a43646989ee58862c7f7cce7c78a66247b058943a186df691684df0c85be2994736f90dcc90f234e2cf0a86aac927999f7e17c8565e1222dfc61e6dda293b4244c2be6e967da7939bd2ff98f1a2f73844d0e157004afd9acff55800775591eb212ba3376ce19ac1a5c901e3926c11c7631edaa7d0533f723a8eb685a300687b5d022ebbd8e8cc3636a8f15e51d745a9bb82b9b869f763b80bd99bc33b5b15be5e98557824c8d82437c94f41f0deada5c62f264c9d22db5c92b8c5ec600013e37ac9754f55543508b95c65166fe4afe979335e78b2b1391eec082bde12b721d3da7b5c5515fc94c9de7125d92b84d615fbbe21dbb94228d7224cfc48a165d4af916eed7280e34518d1310066bbc8cbcc9f77890a3cadb1895dea92c99a6d768b3c083992f449b48a24af269f69f5363cdfb035f411f12a1596466653b1bffcbfc1605793009f1bd1f042421077b17d201f20f2dd9b59c4a1971bb17901532a976dba5844377991e3954355cd441f46b2ad5bae2982bcc910a2f2502dcae0e074ed4fc7bd952079ca5d4caba6109b0d6398367a1c3208ed3e770554ffd0ffdde1e6c01761f1f540c298587a902b29e4b843b4eba90f70ba427326bed9819e053ca92c8fbf56b28bb51c9bc639dae566888598e2915fbacbc2aa11dced6a5906df7ed8f93b49aa4637a57f1cc9ca1a01d13e372dfe1327b255e64bb4a20521d509805d15e520c1c6b9185feb4ae76fe017f1b0991354af6c574694d6012d74e0514fe029621b88a9f0e830f40b37eeaee37f244cd9028703ff6b130feab8f2a00a2415cdbf3d89b0704acf1a96547b60cd2d648343e0c041ca7276999210fc35c86484897bccf3e0f12113ea2df1a7b67247c64f925ca470224ce3331d2826b98de9a6687aba75f0abdfad79fbf6f27a80f304181d1ba74359917cba86d04bdd522556a41199da9c8810779d46a1c73721b1c71717abee8f0fb8f158f2e6bd1506e3e7eb588ba9325f0b750a51469365685a83d460139525c543d3216a3a4260c48bb353ba7a2cf1026a9b702ec5af02c26138906332ad62511041425824dfd8606994b052c6eb4be91e368da481b2c69b38a7aab208fc1e5871de4c4b4afb525be06700ee6789b826b3acaa46e5dc5e5a85ae59db1454a696f8130f07c359c1895fdc7a62d69750e27190ec3b6f8f079bc946f087026561d3bc4618bbfb282bf13c1bd7032626d813fc73dc545bdcc9d540ee8ec5297d7d3ddbb4dc849b6733f27a805943db102f94d272829c135f62983e1e9b7a6ce48a87f245002abaf3b13ce14a9819bd3778339cd48c31374e6cfd721834406a5e7b33a4c2f09f9acb5ea5db090b4e913dd124530dbf9d112c70c26191116e1555b9d4525ca2d532260753b8224169808c608212ef79310548a6f8fa06cf85c3686a6907bf9a402da290e98278998159726ffbaa8bd26e8109981c14553dbfc2802dbf10dd0f0e4286ee70c8c767006493b13bf437182631b183d8f3c3f85fa9334b6237909a149fecbbdc327feaa3855a8c4c1515dcd921c42a00c08cda8d8988ec362d2533f15c449888f9de2b1149c81e7933a790ff2adc401ca2d52e2bb3937d1fa7d27409c93b2d19b66951aa4ed36d666ed0bf1473494ab317c75a5ccadf0f9ba7e15d3a8eb36987ae0cded8031c55d4570cdb55a51bc0dfa0648e78d9ff02eba935669d2e6d16d182fc9400344a4f9c478eefe247513ea66c2b9c68f301601e08862be8c3cbba5969c90ccbe306009982cb5799c7ada7fb57d1405d11c4e6f1fecc754a7de39acc4f9f1769605ff07be0a5063c0764c342b09a904570e88228ed027db82b970f7b0300adc969f4df39341b2f55a1a8ef49f49c277a958a58f50e15a2526992750f8b467e738b9a35b6fea8be5fc3a2af1d15c2e31c50e8ac9d8d586d01b9fa25939470dea079d5720b6cbacab5a423dfd12fa390340e682190587ff3dbfa7d372083a2c496b46cb931cb52185ae62796b3c70f4465fff46966797ed7826d35d3a98f912a30f31bc1812c941dccc9964f32ce9e93e03e64f0111b6fc8d77dd10dfcfa7767b49eb212ff5e8689c279f74257bf10c1bd7db1882b5124138a4a7a43b826c56f7879239532908a223f472664f978044378b06d8df3df82f6128c78e98845efeafd9489f782c68bfead98eae00de483df82c8db93953dd144a00766099f4bbce82282420dd536ac9f8fe59c59710c156ec21e23c93295d7f0617ba9fba76b3605a807f60c6be48847a79a108b70155bcc42dbf6033c7599e9ec02548b3295ae433c8fc0e356295fc6ef0b511739e8d230a121a69482e97cc80d3b9394a89996a3f5c7bfa315c870a6248c7e552ae47c026ec900cef1c16566b847a104c833b1b3c9c08b417f7c5557f94797359336691fb4b9e052efa75f867911621e4811fab0dda95cde23b9ac6ef2b3bdedafd229a31b481cd1bad1d29053fda711f9c010ba1090eb17f7fb103887d4942d5a8081213a5889be3d14eec5b1f3b1ae120557dc47950542e5ffbbd79c2d4d5789ecd368c3fd9675a1b72d282d"}, 0x200c00) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f00000037c0)={'vcan0\x00', 0x1000}) tee(r1, r0, 0x7ff, 0x1) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000003800)={0x4, 0x8, 0x8, 'queue1\x00', 0x4}) 04:42:12 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x400000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3391.341160][T18470] Unknown ioctl 1074025829 [ 3391.410814][T18470] Unknown ioctl 1074029063 [ 3391.449706][T18470] binder: 18418:18470 unknown command 1670729472 [ 3391.488405][T18579] kvm: apic: phys broadcast and lowest prio [ 3391.500346][T18543] binder: 18418:18543 unknown command -12581789 [ 3391.523776][T18470] binder: 18418:18470 ioctl c0306201 20000440 returned -22 [ 3391.543457][T18543] binder: 18418:18543 ioctl c0306201 200001c0 returned -22 [ 3391.543525][T18627] kvm: apic: phys broadcast and lowest prio [ 3391.574411][T18543] Unknown ioctl 1074025829 [ 3391.576471][T18628] binder_alloc: binder_alloc_mmap_handler: 18418 20001000-20004000 already mapped failed -16 [ 3391.634923][T18470] Unknown ioctl 1074029063 [ 3391.642004][T18543] binder: 18418:18543 unknown command 1670729472 [ 3391.648478][T18543] binder: 18418:18543 ioctl c0306201 20000440 returned -22 [ 3391.676240][T18470] binder: 18418:18470 unknown command -12581789 [ 3391.683903][T18470] binder: 18418:18470 ioctl c0306201 200001c0 returned -22 04:42:13 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x500000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:13 executing program 2: ioctl$DRM_IOCTL_GET_STATS(0xffffffffffffffff, 0x80f86406, &(0x7f0000000100)=""/4096) ioctl$KVM_SET_XCRS(0xffffffffffffffff, 0x4188aea7, &(0x7f0000001180)=ANY=[@ANYBLOB="f6a600f4"]) fcntl$addseals(0xffffffffffffffff, 0x409, 0x8) ioctl$DRM_IOCTL_GET_MAP(0xffffffffffffffff, 0xc0286404, &(0x7f0000001340)={&(0x7f0000ffd000/0x1000)=nil, 0x8, 0x1, 0x18, &(0x7f0000ffd000/0x3000)=nil, 0x1}) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)}, 0x0) r0 = fcntl$getown(0xffffffffffffffff, 0x9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, r0, 0xffffffffffffffff, 0xffffffffffffffff, 0x1) r1 = socket$inet6(0xa, 0x40000080806, 0x0) io_setup(0xffffffffffff0000, 0x0) pipe(&(0x7f0000001140)={0xffffffffffffffff, 0xffffffffffffffff}) io_getevents(0x0, 0x8001, 0x1, &(0x7f0000000240)=[{}], &(0x7f0000000280)={0x0, 0x989680}) setsockopt$inet_buf(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000380), 0x0) bind$inet6(r1, &(0x7f000047b000)={0xa, 0x4e20}, 0x1c) listen(r2, 0x20000000) connect$inet6(r1, &(0x7f0000001200)={0xa, 0x4e21, 0x8, @mcast2}, 0x8f7) r4 = socket$inet6(0xa, 0x6, 0x0) r5 = add_key(&(0x7f0000001440)='big_key\x00', &(0x7f0000001480)={'syz', 0x1}, 0x0, 0x0, 0x0) keyctl$revoke(0x3, r5) mq_open(&(0x7f00000000c0)='bdev\\\x00', 0x40, 0x40, &(0x7f0000000100)={0x9, 0xfff, 0x0, 0x100, 0x6, 0x3, 0xb555, 0x3}) ioctl$KVM_SET_CPUID(r3, 0x4008ae8a, &(0x7f0000001240)={0x8, 0x0, [{0x40000000, 0x1, 0x101, 0x9, 0x9}, {0xc0000008, 0x100000001, 0x7, 0x3, 0x800}, {0xc0000000, 0x100, 0x80000001, 0x65b, 0xff}, {0x80000019, 0x9, 0x7, 0x8001, 0x10000}, {0x40000001, 0x0, 0x98, 0x1000, 0x7}, {0xa, 0x3, 0x6, 0x100000000, 0x2}, {0xd, 0x3, 0xffff, 0x0, 0x5cb}, {0x80000007, 0x7, 0x0, 0x6, 0x2}]}) ioctl$PPPIOCSCOMPRESS(r2, 0x4010744d) connect$inet6(r4, &(0x7f0000419000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r6 = accept4(r1, 0x0, &(0x7f0000000000), 0x0) setsockopt$inet6_int(r6, 0x29, 0xb, &(0x7f0000000040)=0x100000000001f, 0x4) sendmmsg(r6, &(0x7f0000003d40)=[{{&(0x7f0000001b00)=@l2={0x1f, 0x2a, {0x700, 0x0, 0xea010000}}, 0x80, &(0x7f0000001d00), 0x0, &(0x7f0000001d40)}, 0x2000000}, {{&(0x7f0000002300)=@nl, 0x80, &(0x7f0000003740), 0x0, &(0x7f00000037c0)}}], 0x4000000000001eb, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000001400)={&(0x7f0000001100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f00000011c0)=[0x0, 0x0], &(0x7f0000001380)=[0x0, 0x0, 0x0, 0x0], &(0x7f00000013c0)=[0x0, 0x0], 0x5, 0x2, 0x4, 0x2}) 04:42:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x500000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:13 executing program 0: socket$inet6(0xa, 0x805, 0x0) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x0, 0x0) ioctl$BLKBSZSET(0xffffffffffffffff, 0x40081271, 0x0) clock_gettime(0x0, &(0x7f0000000200)) futex(&(0x7f0000000080), 0x0, 0x0, &(0x7f0000000240)={0x0, 0x1c9c380}, &(0x7f00000003c0)=0x1, 0x0) r2 = add_key(&(0x7f0000000040)='syzkaller\x00', &(0x7f0000000540)={'syz', 0x0}, &(0x7f0000000580)="faf9f971763c070dee75e1a6feb25ad07d58fe33448d40d5d7edadac9ca7fef85c4939b27cc8abb71f70bd93bbda363843943e3a587c3947dbd32ea380cfbe28b25048c7e0f3adcebb09ad48dc03745df8d6884bfe014e68", 0x58, 0xffffffffffffffff) keyctl$assume_authority(0x10, r2) syz_open_dev$ndb(&(0x7f00000002c0)='/dev/nbd#\x00', 0x0, 0x200) flistxattr(r0, 0x0, 0xfffffffffffffe63) fremovexattr(r1, 0x0) epoll_wait(r1, &(0x7f0000000180)=[{}, {}], 0x2, 0xd) ioctl$VT_SETMODE(r1, 0x5602, &(0x7f00000001c0)={0x1, 0xff, 0x1, 0xffffffffffffff07, 0x8}) unshare(0x40000000) bpf$MAP_DELETE_ELEM(0x3, 0x0, 0x0) r3 = openat$null(0xffffffffffffff9c, 0x0, 0x84, 0x0) semctl$SEM_STAT(0x0, 0x3, 0x12, &(0x7f0000000300)=""/208) unshare(0x4000000) getsockopt$bt_rfcomm_RFCOMM_CONNINFO(r1, 0x12, 0x2, 0x0, &(0x7f0000000640)) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) stat(&(0x7f0000000400)='./file0\x00', &(0x7f0000000980)={0x0, 0x0, 0x0, 0x0, 0x0}) r5 = geteuid() setsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r1, 0x84, 0xc, &(0x7f0000000140), 0x4) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000480)={0x0, 0x0}, &(0x7f0000000500)=0xc) setresuid(r4, r5, r6) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r3, 0xc01064b5, &(0x7f0000000100)={&(0x7f00000000c0)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) dup2(0xffffffffffffffff, 0xffffffffffffffff) setresuid(r4, r5, r5) ioctl$TIOCGLCKTRMIOS(0xffffffffffffffff, 0x5456, &(0x7f0000000040)={0x0, 0x0, 0x0, 0xfffffff7ffffffc0, 0x0, 0x0, 0x0, 0x0, 0x6, 0xfffffffffffffffd}) ioctl$RTC_EPOCH_SET(r3, 0x4008700e, 0x7) 04:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r2 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0xfffffffffffffffa, 0x200000) ioctl$NBD_SET_FLAGS(r2, 0xab0a, 0x1) 04:42:13 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000000)='net/if_inet6\x00') close(r0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3391.911583][T18647] binder_alloc: binder_alloc_mmap_handler: 18640 20001000-20004000 already mapped failed -16 [ 3391.946669][T18639] QAT: Invalid ioctl [ 3391.958181][T18642] binder: BINDER_SET_CONTEXT_MGR already set [ 3391.986457][T18642] binder: 18640:18642 ioctl 40046207 0 returned -16 [ 3392.027909][T18659] binder_alloc: 18640: binder_alloc_buf, no vma [ 3392.031594][T11475] binder: send failed reply for transaction 649 to 18640:18642 [ 3392.067205][T11475] binder: undelivered TRANSACTION_COMPLETE [ 3392.079790][T18659] binder: 18640:18659 transaction failed 29189/-3, size 24-8 line 3147 04:42:13 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f3188b070") clone(0x41fc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = getpid() r2 = syz_open_dev$cec(&(0x7f00000000c0)='/dev/cec#\x00', 0x3, 0x2) ioctl$KVM_SET_VAPIC_ADDR(r2, 0x4008ae93, &(0x7f0000000100)) rt_tgsigqueueinfo(r1, r1, 0x16, &(0x7f0000000000)) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000140)='./cgroup.net/syz1\x00', 0x1ff) syz_open_dev$rtc(&(0x7f0000000080)='/dev/rtc#\x00', 0x0, 0x0) ptrace(0x10, r1) setpgid(r1, r1) ptrace$setregs(0xd, r1, 0x0, &(0x7f0000000000)) ioctl$VHOST_SET_OWNER(r2, 0xaf01, 0x0) ptrace$getregset(0x4205, r1, 0x200, &(0x7f0000003500)={&(0x7f0000004540)=""/4096, 0x1000}) [ 3392.129874][T11475] binder: undelivered TRANSACTION_ERROR: 29189 [ 3392.180557][T11475] binder: undelivered TRANSACTION_ERROR: 29189 04:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x800) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) close(r0) 04:42:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x600000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3392.224622][T18639] IPVS: ftp: loaded support on port[0] = 21 [ 3392.329398][T18883] kvm: apic: phys broadcast and lowest prio [ 3392.357688][T15669] binder: release 18888:18889 transaction 654 out, still active 04:42:13 executing program 2: r0 = add_key(&(0x7f0000000080)='big_key\x00', &(0x7f00000000c0)={'\xff\xff\xff'}, &(0x7f0000000340)="46ac5128da090e4899c38028efeb85968ead969e21e33725a7edc030260cdb3ca79964a6e93ce51185f005b7dac052cb797af438c32c29b736fb12c63dd0e504445044a1ae9c10fd8171232ed7dcb08e9acaf4c569c4c16c5c47994118fc35ff7f03407dc7093fa7d3132d276a10768b2711cd1c6ecd3545692431856b6e0651412ff7b73711097f061a1b67f6c3d7605eab3b675b6c061e6ef32b7ea8847b6f84da1334d35322b94447bfaca74b152eb64cfa54cb63126c2cc662e7898e6459ed40c4566403f303d341c9c34c6049d9f8e1c2a9483f003c20e66886d0e1629f498668c202f183de294d03da07c9f5feb65bc196554a79a2f255828c1f1cf9a09654f9df849443e8d290debcc78efbdca391a348b33f18ef618011273faa1f095298dd71db08a90e177a1e9a0c771deca3b51670a26850b89d4439574328c19d9e91766dd52169e0ad5011e4acc005861b3b3146d67445e6f6c75ce4af9d8db6963887d79113613267c5bc42fb0aca828590fb291ce8836d3cd391d364efdbb7015d8ec643d83b623380c21c6ebbf774498c94e60838a45d4692bfe73aaea2bbcecb6dcec20e5aa48a950428e2372009212f2f6be608cdec5ff84108f3f3d2e42c99a6d4cd4577ec9f39a51533efe71d494ccadb66eddd4cc0e56b33eefb0ada68ae36c905a977d9042a63299d2130f4e85357b0078c31bc45b00f5ccd879a6735d85882bfddbc6f2cff4a2b976b29e5a8adc74893c748b297a660ba0f64ad8a6ac6fcf180b6a4357ad6733cb75035cd58631142bd720cf52bcd1438647cbe1058e32d33c38f1327bef3f6b1c815ab4f2d47366473ae37c65a2d1df88823dd4c326d640c50e5bddfa976f04cd034331b632cd7a8bbc838081f28f6e24ed646721cea36e56501f9085e428a6c94b7ba5431f59651f36c8f715e4547ffed53c03cc58d2d4382193625cf69c197c4eb3c3c86c291d693837ab7eb23d61d2518379f0c61acf67425afa1ff8d1fac196a7ef9f6f9b514a2028ae010d1bf10833940294c400401ec706ce366dc4c62f6c55c6985a31592360cc7e6cc30a90cae1891b4cffb882b0329457503055db6a8e3b651b3302c24e6d149e8368ee6d3bafbc417256d042b4b87cb1bf46169ad1a593da66b2c6f453180f2c51be35c431e1af07e54c1251334415135422fa81b015a7a746c1979827e3d32057d408016cdc2b641a42626bbf8b7970a5638e9e48783ff80ded5b5184b69d41e60ba9e2ff7ef3e85b4419db2b064d64f833dc2035a6cc3ea28335ad94eb5ba974d9799ce94565559e6a7636b725c4c3dc1702af3c0f3d9dc77f6d404b7c8ff2cec2b4e703451a1d2750d9a22e9f4b5e27da765d228f09bbd30088ac9dff793ec759161849cf4217f5684bff8eddd65be61d3ed2dcc7bae8ab5e1260c3a90cdb37626c4871098802b34f271d8a091b0517bd1588b43cf21b2e3fe676e34d115a56d450d50a97ac7e2ea5904f9695dbde822dba41ac3a1190d63ef486a1829d38b005f9458a82533a555a2f674eea95af7ef7f0cf9654e0ed8d2ab722ca065fd97e6518b76a39cc1b04dc49c395f3aad5e05c76c1881f6a85fee6c6fba8340692eb0b7f3f948350e6947dac635cfef9e4ff4d3f756802cbd97e8c5845b25bc5a021d9875277f197d1bce55661e6961dd788a444962e33fa582a01d0bd61aaa22a76adf68b3169d3f0b49", 0x4c1, 0xfffffffffffffffd) recvmsg(0xffffffffffffff9c, &(0x7f0000002a40)={&(0x7f0000001600)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev}}}, 0x80, &(0x7f00000028c0)=[{&(0x7f0000001680)=""/108, 0x6c}, {&(0x7f0000001700)=""/112, 0x70}, {0x0}], 0x3, &(0x7f0000002940)=""/220, 0xdc}, 0x0) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000240)='/proc/capi/capi20ncci\x00', 0x200000, 0x0) ioctl$VIDIOC_DBG_G_CHIP_INFO(0xffffffffffffffff, 0xc0c85666, 0x0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f00000030c0)={{{@in=@multicast2, @in=@local}}, {{@in6=@mcast2}}}, &(0x7f00000031c0)=0xe8) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(0xffffffffffffffff, 0x6, 0x16, 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000003400)={{{@in6=@ipv4, @in=@remote}}, {{@in=@local}, 0x0, @in=@local}}, &(0x7f0000003500)=0xe8) openat$vimc0(0xffffffffffffff9c, &(0x7f0000000580)='/dev/video0\x00', 0x2, 0x0) sendmsg$unix(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0) unshare(0x8020000) restart_syscall() ioctl$sock_bt_cmtp_CMTPGETCONNLIST(0xffffffffffffffff, 0x800443d2, &(0x7f0000000200)={0x2, &(0x7f0000000040)=[{}, {}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(r1, 0x84, 0x1b, &(0x7f0000000840)={0x0, 0x81, "2c32141e8da3cf836558a954f3fae76f80ace902d030d25fd9551aac7cf0bc29e9e12fd7a91b507b5bc86ee0e71ae2f09898eb7483169ea33d2e2089bfb72a060ebe1da6be631ce367d33abaff870c371a2d87e851f8bb3d195a263f2ef7d75774d6231ab2080861932578aa226d7ddba595dd114dccf71e46cdbde14887899244"}, &(0x7f0000000000)=0x89) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000180)={r3, 0x1ff}, &(0x7f00000001c0)=0x8) openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000380)='/dev/qat_adf_ctl\x00', 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r4 = syz_open_procfs$namespace(0x0, &(0x7f0000000140)='ns/mnt\x00') openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2\x00', 0x200000, 0x0) ioctl$VHOST_SET_VRING_BUSYLOOP_TIMEOUT(0xffffffffffffffff, 0x4008af23, &(0x7f00000004c0)={0x2, 0x100000000}) connect$unix(0xffffffffffffffff, 0x0, 0x0) setns(r4, 0x0) nanosleep(&(0x7f0000000280)={0x0, 0x1c9c380}, 0x0) clone(0x10062101, 0x0, 0x0, 0x0, 0x0) utime(0x0, &(0x7f0000000600)={0x3}) ioctl$ASHMEM_GET_PIN_STATUS(0xffffffffffffffff, 0x7709, 0x0) eventfd2(0x7, 0x80800) ioctl$KDSETLED(0xffffffffffffffff, 0x4b32, 0x0) keyctl$read(0xb, r0, &(0x7f0000005340)=""/4096, 0xeb5) [ 3392.376606][T18943] binder_alloc: binder_alloc_mmap_handler: 18888 20001000-20004000 already mapped failed -16 [ 3392.377960][T15669] binder: undelivered TRANSACTION_COMPLETE [ 3392.422453][T18889] binder: BINDER_SET_CONTEXT_MGR already set [ 3392.454606][T18889] binder: 18888:18889 ioctl 40046207 0 returned -16 [ 3392.484448][T18970] binder_alloc: 18888: binder_alloc_buf, no vma [ 3392.496488][T18970] binder: 18888:18970 transaction failed 29189/-3, size 24-8 line 3147 [ 3392.505526][T18889] binder: 18888:18889 Release 1 refcount change on invalid ref 1 ret -22 [ 3392.515645][T15669] binder: undelivered TRANSACTION_ERROR: 29189 [ 3392.523713][T15669] binder: send failed reply for transaction 654, target dead 04:42:13 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x700000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20015, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) r2 = dup(r0) ioctl$KVM_SET_DEVICE_ATTR(r2, 0x4018aee1, &(0x7f0000000040)={0x0, 0xef17, 0x7e9, &(0x7f0000000000)=0xd36}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=ANY=[@ANYBLOB="0663ff0301000000"], 0x0, 0x0, 0x0}) [ 3392.670011][T19025] binder_alloc: 19024: binder_alloc_buf, no vma [ 3392.711453][T19025] binder: 19024:19025 transaction failed 29189/-3, size 24-8 line 3147 [ 3392.738307][T19028] kvm: apic: phys broadcast and lowest prio 04:42:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x700000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:14 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = syz_open_dev$radio(&(0x7f0000000480)='/dev/radio#\x00', 0x2, 0x2) sendto$unix(r3, &(0x7f00000006c0)="aed470c3705175c3a92878201928264b47ef9990e2e9802ff0c18277069dc8f3a717765cc976e7dbb7f1b743bdb8af326603150f0726bf12379678c8f5633a34adb530fa1489abef5b40112002884b5cb47c079f3650c1bd8de3f1d8dfc10361bfebcac1922fff1e289675bd3e11efaa2901396adaab7c31599935ad534c502f67fc0c38d463bdff48d5473ec9cb58887894036f6d55195b36f501b801b0701968b2028748afc96cfbc34fa7157dab4358cd67e5d4796b0fc07b925555f50bcde87d8890cb64ca7406d51622deebc052f3ebe43db10c78ce5210ad327d95a2049a4c004464a23945664a2d9ce1b59a4f3b0b0479bc796c36b1f5f5d517f53984ab49892cf7bafce17a1244ea8eec44f76ddec94d088e4823277a817f7dde1e858946f76054a8fdea3dc77d506942ebd863c5e62d305e8237d20eb56bfd8c64c820cf20398dd193f27d903103e24cde4d7d9b0bca6c178fc763842e5b862337067cb8970943a21649f8fe8756240ec385db5eb6b596f325e237642f57eaefe395d0b43cf10763c93a0235e6f029bb16c696b898ceed65f32f085c927a2d4694a189e8974f34af7843c9b3a3e65b0687058b147d575b5f3364dd19e5dd4d9108d8581ea15418cbd2c6a4de1830c71693bac20ec32c9d23cf7c90acdf35520181897d30c2fa31ff4b3335514cd29634a8ce719213bba032657913d78ee0d5d695f85f811e59adf5407fe25bb76aea0d8303c2b5c67003991f49d58972e3b843cc323a2155c29406a675138e61d6140f1aca669e7945d52e9f346e63f82074b64643ba1d74e80aa3c6cdfd21ba8b43bdaa187603db164b984dbe967d62cade1e028d21ee5f7c1ce1db39efdca44783ac6e7ef5164879f2c3d2060a7b768df3ed016a9c51ba802c7ecedcd3efa8ed109a214999e6c44318c77501d17bfddc5364f0c47cc6b2ad5799544e6f197d950278a3481d9188cd9ff56d0527bb8b83a75e6747f156d510875a7e5bfa52d723ee3d3c31d992897cff95fd2c5fd98c6c7c1746fab7ce47978f5a221852d7eaa901aa8af91e81a02f504a5b812836094d83074e1181731a5c6b6a9f613c627ea45d801aeec6c666f3d3180501fb75b00d5ff6da6b804a4692d5ce0e251eecac51cf7995c01e1f5e06cf0cd4f986c0c0df6bb614b41666e2dee70f73067f9b00d9d50f06814fbe97306277d978c2f3f7d1807c4256610030d3d14779c8d1da67f0b62316706beb3b670a640502b3715b2226a132f8c4ec769c22efae10ce88cbe0d0dfc56430837feadeaeb6a0ea885ba67974634119b91f5115acbaf291027ee02832b16d5f87911ec4e761b8d39e7503b8397f1f00b49acb70b63e6604ae12b0916be442a5a80b6c03ac3cb6c02aaac113d1d30ce6158490dfc9cfff6146c9b62793dedcb2509d35fc828a2b75e45118ef954b14e2b5d0d4dfc88e2534cb1d65530b0dda25fecb75bc9ece7c7b223fcc366659730c671b7fbea6dfa9df14a67824f2b19d7a4376e3b6a54a9ed1fd21ff53500212f0e01a90061a3f094bd2935614138585472a2282104d8887dd0d7bd5af6b0865036e184426a3f7bbd37a5de1df037f040b2870346cf0904f5144be203483565092c1aed06db1d9189015477032406c99963e324ccbc1241c73c6a8409717238082a56c898da57bb4c2a5149e64248dd945f4d06be9636a5070f3cc5dfe2bbfd25cbf04ad009f20509478e6f8b027b87536492e8d8f43bc49e27a3c069d93d680945f2837ebd18810a66817bb5c341a6cf2aa599c5855caa07b5f221d1a17575aa364fdf5ce51d1f944f279549193dd69a56a8370c94dcdb5e0c04fc4c4ba52fe30fb0e52cf3bfac9cf52462d097298330595e41b14bbd33f836c8022906aec696bc1db063ed8bd9c76bca623a9de49219390106adb619c68405520165e622506f861878dedb0aec5ea5cb2d956c959cf2c6961ec5d2ca4f3318488bdd7ba6f004f52ba46027b16af3bfe958d99c9437470f1c87ddc42ab60d950f4b32746f58300791c195b3fc8a3b7739f7e509d99723f1ad5ce01661e3ea7b977941ba67aefda76c8a2b2632b3c2bd7e38381149b2bbd97270f1105a2d4c2f09b0c9ae31f7c62ade6517c3d538bd1ae5a0ce562f70704134a07e6a1727398010e912fbf76332512fc6f4812485ba3f93f4b50cb85b7e23583c1dc2f09a598baf6318d10b3de1e4036f42608b3d163f370e030a8fdf8a63c6812fe0cf1baf37a1459ffdc7e7e488926c3e4e4bb34854d22a8b66e479fb909f6d789c8043281c7d496b8f5f22bd66465f0336986d1345dba73226b3c4a05c3d6442bbb2c29e72a28e840b03c663748e820933cd58407d7fcacaf8957e944c63570eb4d19e8ad5dfde9de9cdc34558b81cf981c4bf6326ca708c6accb3cae22fc2d67e3c6a5b033494fea58039ce0575ffb71f822f1b9059b56989bab86174bab349243b37c81eaf71806d7652ded6b6894c0eb1e32e90960cd4c077cb6ba94f9b112a05ac7527aeef22308e27aac709dd8ac61563419ac9f72b5bd99bc28f67de6d2b362b84e6f573d760f9ee176e7e38461fd809d1d7eb2a7584586e9274dcdc637e352954c9ff90d7306299158ce7353e3871c97230b35708e19487128a2267e18ae853693a86a3cc00dc9eb03b6fec5285ac24924fa1b6529965f97965ad42f3d011e679183227f2e756a6d461416a67f2685fb7c2d58315ad8e342fc1b63fddb667b59f088fa8c179cf2c3aa1fcc7349a8ea8fa45380a7c727bd70c466f65c3035848c4b5283066becb2c49e35b0e9dd16a8b101630ca019442830054244bc2716ec537541c27311079bfad8d291aeb0a8f2ee7b177891e14a4bd61eb5e944d76b4bf883debc8713428a7d30d7ae54f0da43113bf2f93f8fbd7a2294813f9e3ecba0fdee9141ba1930ac7333f198304afdf08d9032f2d852113b5c799df6f58904d1428db88a4d8a78c2e8960e9e4a048b6f2343a7acde6f6b0d2da5a2d659f556fbb599329c652f054d6e8425116f9060092830d3f4ba0746c5ac208778dbf532005a031a2ca976dc757dd7cc4efb37f1d2825a016352272c6d10a9ae2615b370e079759087570ed9562ccb22de47e1979b01a61331b0fb5f3babcca1f7553b4ddb6b5779ea389db95394d42a5629c5b706b8e906c6a572a836b7877579dba5093f90db2a4b4c5056ab5f78ee62d7f8fd9bf42b72ed71fc68f0e0c00e437cfbca919f4b7900562dbe7ea0619f84826122627e642be68334df7e389f2c041538b780f4448441e49893595b79f37db09761bc590289e8da55c4b7c4bede262b73fd7a7178884af9afb73f28c8e132b7e0a836bb4cee86d754072f7d7d8fbfb1ea5e52c19e3299d0e652e5b99d427a82bb4b8b156238a45222c9c17664010be422f319589787106acaa6273b93040bd9d976cf1dd8b6c285effcc59dcba49286df89871f22530ed75850bec5df1d010a9cd0080484ab001570564b7fcef1a1f7f567ce2fa9114ff1bec44a3f61cb6720b0fe97006673df13cffc51e9eea959942ae41f973b0c85f51adc157dcc9d1bf8022b05bbbd335ca6243498a77adbec3e3e74578c7c25fe050eee2b9bff8d818d25e55936f3cb20c77dea2e420657fcb5b7e6afadd1e831526fe6a31d6e4f16e12be169825851255b28c0c35e9dbeb0a5c783b5329ac5fcf9e1f1bf8f974f8cd6d466ebf688f0192c43fa8d5ddeb12609222ca0ba9908769919df8460552be4b08c2e6f8db39871298d61747a3bdce1b94e5c4879a6a4f3be83cf3cf467fd3255e11380a98a8a5f637c0602a1d989f995ddaab85dd663034cfeb2e55cab6aee96114eadcbc6ce327e42667e6368b576f6609886a23621102f1bbec5cfa4e0603258ff8fff029ecc573783716bc6d9a75c52b0589a1b931c56f0447a28b63da59085fd677a989f5ead2288edbe2bf2b3cf69e2a47b4b458b6a7f7b6063ca5923cdd5d975fd9fadd5f964499af83df7e3bddb0051b1afde04bd80d17e036d5d80c16dbd9f99b4988ea3faa69e2b92e82bbceb6b7144aca39e75b1d31f3b4d0096a9a36278e0a48836f861d2d1809edbcc88a06506376f894646eac19beffd6334882c85ab05e5808caa789717248d59411d680d23b412f57c0abce6bdee6eb88d791b0ab54b028e7e49833a93fbd38d28a5525c85f831d5830f1bbb2fcb830c40da3d1466054b5c3a58542e3062ec6a1cd9f4640f4cfd609f19d1281f1ca6e3383241ebade8dadb7433f8dc352ad1afc5832571572787130897fd5fbe046fd2b380d222ce3150dd180b53b6e145cd48c4841a0c1c89cea776b7fee04eccdc2dfc509f72e728264c5bfcc1cbfa2f556b511935a4091f0fee9f93beaf89fbc3a41794bb7201b7248ff2d4bad1ba6dacc6f1aba68d54dba53a8ea88010236ac9aee12de7f0272f78094ac3a9497b9a17393ed41dfaeef405a38e45e78d6ed10d1f68f16efa9bf9039050c4311904a246f919eb6edb337ded16d3fc911cb58674a33a6dfed18f7c063750a4ca7f455bad1e5e54fcd03d5010ff87603a42ca2a4b5f63fc0c3e520de94a01c609a8190d7da9156306dece000ec1f65337d88e858dd01ba80864f1c3e46f892c7a45a25bf9879d868e8a64548dce99f70235d19d270305a696a61be2b1e776859d0000988e6867912b8b7fa494542917be38128cb0bcdfd5d3c7d7e2580025b91d7c44b68253245de825141d4a367c76ba879a9e10b69da918c4a30bbddb45d6162f1a4fd56a016a44140c1c4b40e5e21834fa70aa525677a80d07ed7a04e7b0306dcf4f5d7c7d4a108b6b73750374c93e0aad45f43a0714ae93f88da2db9df28f8185abc8f1dd44f2bfab4ad8074dd195af1c71ffc7bb86a80e74e7157bbacda23047476ea06025d970163c1fa4ad0178eabb935b43c701b774b1e1d947f8e9320cc2680517e704611275c1972f91ec88a5981670b13142e9b2e3b3819a6c6feb4efd1bdecfed83b52c1904b960794513383410148600b89144d667e20b171c329530a42a50a858031c9e4cb735f69140cccb84a4cf42a5a59191cb01ceac7d45ee9afef7cc96d43ae313d542f719f6e13d98eb9abb856648960eeff9be6a7552f0b16b4ed53ac21b70eb2b1ec6724336d5348a2288ebd38c13455df9634c3898fa7ac8b96ed67083c497d594f1bbe5917e3aab7d59cc1dbdf8b491bfd0ff3595393903b145533cb8b7b3077c416e5ba1187d4850e08599b6f377cfdacadb07a3501cc937f1726113fde91a21a3243addc69a10f64fce471600a08e456967574bf385d2cc9917e5fca569b684678cdf76a0ddd0886e0955fefd0c7951e7f4c2068c47de108a9ca01e1c2fd1ca5496fd8ba0d571be193cec5445a81f3b090544c55893e12f72dbfd89ce94e7666a6b525ffcc07b038e4db596552a8897b9fc003a59da482dba32498374929f8df822e356d37328cf12759f392ba6f845cc24943c84999173374214f1adea9bbe93b66caa248dd96f537cd16836529d12954b1043366ec2f38919165f0cb7dab1237b0b70ab862a859944a9385ba7efd6b9aad961d535bdfea2b7b442d215ffc83b46babc2fd849ba4fee6b015cc270e3c217858bbc6852b3514bc9aec310c210bfacf43c9ec1c71b8e681b6f1bea641e085455a8ac16f88c749adfd381741592b933a561f939790cd4adc678f4330b92225a1b61fb4ca6c166b2fb15a948e4809fb8897123fe46a6cb1045ae9203444c8522392dd2e843121f3f165d6b81c8c3e80b7e2e81ebee", 0x1000, 0x80, &(0x7f00000016c0)=@file={0x0, './file0\x00'}, 0x6e) r4 = accept4(r1, 0x0, 0x0, 0x0) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r4, 0x84, 0x71, &(0x7f0000000000)={0x0, 0x3}, &(0x7f0000000040)=0x8) ioctl$CAPI_GET_FLAGS(r0, 0x80044323, &(0x7f0000000240)) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r4, 0x84, 0x75, &(0x7f0000000080)={0x0, 0x2}, &(0x7f00000000c0)=0x8) setsockopt$inet_udp_encap(r4, 0x11, 0x64, &(0x7f00000004c0), 0x4) socket(0x7, 0x1, 0x2) getsockopt$inet_sctp6_SCTP_STATUS(r1, 0x84, 0xe, &(0x7f0000000100)={r5, 0x80, 0x266c, 0xb5e, 0x3ff, 0x3, 0x2, 0xbfe1, {r6, @in={{0x2, 0x4e22, @multicast1}}, 0xff, 0x80000000, 0x5, 0x9}}, &(0x7f00000001c0)=0xb0) get_thread_area(&(0x7f0000000440)={0x2, 0xffffffffffffffff, 0x0, 0x0, 0xd2a8, 0x3, 0x9, 0x7, 0x0, 0x6}) sendmsg$TIPC_NL_LINK_SET(r4, &(0x7f0000000400)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x1004}, 0xc, &(0x7f00000003c0)={&(0x7f0000000500)=ANY=[@ANYBLOB='x\x00\x00\x00', @ANYRES16=0x0, @ANYBLOB="000026bd7000fedbdf25090000003800020008000200d1ed81a50400041ecfb7d3950b4ff757c4b4baceac19ee000400040008000200ffffffff080002000001000004000400040004000800020080000000040004002c0406000800010009000000080001000300000004000200080001004a00000004000200080001003f0000004e7df2d2a18823137f4bf19c14fda188391330d039e2bccb96410c73200000003154c56a6f13a976b012750236b321bf0e778fc349a9fee7a0e9bc5368bcb72ff5dc441df7ad63d059065dc96c326a589a8a1a567a1348ed569a7102061b7429ee4a6620aebb1f041a01a36cc5883b71a3644c2e02827a9ecbebd560f5e2193b99e22db1d2a6258b3bb89c881ebed1db4dba7c67ca7666519bc1b59190720914bc32ee7cc8480070024bc442222a6d7caee4a304d79472abca55d316839a701e228da67c8b2d14c5d3ed33f7595b941d9c9d72c09daff42645a30c576bb21ba5091f2f2396c92b3cd615f44e3ebb67ff3c2564b7122c6cf8c7bb5bcdc23fce7044b339f5e05e0f4612553339c712aca9c27514f68dc93d0a7de7d7a2644df30f5f9fceb5dfed43b477f947fd182df066"], 0x78}, 0x1, 0x0, 0x0, 0x10}, 0x40090) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) getsockopt$inet6_udp_int(r1, 0x11, 0xb, &(0x7f0000000340), &(0x7f0000000380)=0x4) [ 3392.838186][T19025] binder: 19024:19025 ioctl 4018aee1 20000040 returned -22 [ 3392.878039][T19083] binder: 19024:19083 unknown command 67068678 [ 3392.956266][T19083] binder: 19024:19083 ioctl c0306201 200001c0 returned -22 [ 3393.032737][T19083] binder: BINDER_SET_CONTEXT_MGR already set 04:42:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x2000000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3393.083795][T19092] binder_alloc: 19024: binder_alloc_buf, no vma [ 3393.110231][T19083] binder: 19024:19083 ioctl 40046207 0 returned -16 [ 3393.122439][T19097] binder: 19024:19097 ioctl 4018aee1 20000040 returned -22 [ 3393.161120][T19092] binder: 19024:19092 transaction failed 29189/-3, size 24-8 line 3147 [ 3393.184207][T19098] kvm: apic: phys broadcast and lowest prio [ 3393.227174][T19025] binder: 19024:19025 unknown command 67068678 [ 3393.234362][T15669] binder: undelivered TRANSACTION_ERROR: 29189 [ 3393.241281][T15669] binder: undelivered TRANSACTION_ERROR: 29189 [ 3393.276940][T19025] binder: 19024:19025 ioctl c0306201 200001c0 returned -22 04:42:14 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4800000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:14 executing program 2: r0 = add_key(&(0x7f0000000080)='big_key\x00', &(0x7f00000000c0)={'\xff\xff\xff'}, &(0x7f0000000340)="46ac5128da090e4899c38028efeb85968ead969e21e33725a7edc030260cdb3ca79964a6e93ce51185f005b7dac052cb797af438c32c29b736fb12c63dd0e504445044a1ae9c10fd8171232ed7dcb08e9acaf4c569c4c16c5c47994118fc35ff7f03407dc7093fa7d3132d276a10768b2711cd1c6ecd3545692431856b6e0651412ff7b73711097f061a1b67f6c3d7605eab3b675b6c061e6ef32b7ea8847b6f84da1334d35322b94447bfaca74b152eb64cfa54cb63126c2cc662e7898e6459ed40c4566403f303d341c9c34c6049d9f8e1c2a9483f003c20e66886d0e1629f498668c202f183de294d03da07c9f5feb65bc196554a79a2f255828c1f1cf9a09654f9df849443e8d290debcc78efbdca391a348b33f18ef618011273faa1f095298dd71db08a90e177a1e9a0c771deca3b51670a26850b89d4439574328c19d9e91766dd52169e0ad5011e4acc005861b3b3146d67445e6f6c75ce4af9d8db6963887d79113613267c5bc42fb0aca828590fb291ce8836d3cd391d364efdbb7015d8ec643d83b623380c21c6ebbf774498c94e60838a45d4692bfe73aaea2bbcecb6dcec20e5aa48a950428e2372009212f2f6be608cdec5ff84108f3f3d2e42c99a6d4cd4577ec9f39a51533efe71d494ccadb66eddd4cc0e56b33eefb0ada68ae36c905a977d9042a63299d2130f4e85357b0078c31bc45b00f5ccd879a6735d85882bfddbc6f2cff4a2b976b29e5a8adc74893c748b297a660ba0f64ad8a6ac6fcf180b6a4357ad6733cb75035cd58631142bd720cf52bcd1438647cbe1058e32d33c38f1327bef3f6b1c815ab4f2d47366473ae37c65a2d1df88823dd4c326d640c50e5bddfa976f04cd034331b632cd7a8bbc838081f28f6e24ed646721cea36e56501f9085e428a6c94b7ba5431f59651f36c8f715e4547ffed53c03cc58d2d4382193625cf69c197c4eb3c3c86c291d693837ab7eb23d61d2518379f0c61acf67425afa1ff8d1fac196a7ef9f6f9b514a2028ae010d1bf10833940294c400401ec706ce366dc4c62f6c55c6985a31592360cc7e6cc30a90cae1891b4cffb882b0329457503055db6a8e3b651b3302c24e6d149e8368ee6d3bafbc417256d042b4b87cb1bf46169ad1a593da66b2c6f453180f2c51be35c431e1af07e54c1251334415135422fa81b015a7a746c1979827e3d32057d408016cdc2b641a42626bbf8b7970a5638e9e48783ff80ded5b5184b69d41e60ba9e2ff7ef3e85b4419db2b064d64f833dc2035a6cc3ea28335ad94eb5ba974d9799ce94565559e6a7636b725c4c3dc1702af3c0f3d9dc77f6d404b7c8ff2cec2b4e703451a1d2750d9a22e9f4b5e27da765d228f09bbd30088ac9dff793ec759161849cf4217f5684bff8eddd65be61d3ed2dcc7bae8ab5e1260c3a90cdb37626c4871098802b34f271d8a091b0517bd1588b43cf21b2e3fe676e34d115a56d450d50a97ac7e2ea5904f9695dbde822dba41ac3a1190d63ef486a1829d38b005f9458a82533a555a2f674eea95af7ef7f0cf9654e0ed8d2ab722ca065fd97e6518b76a39cc1b04dc49c395f3aad5e05c76c1881f6a85fee6c6fba8340692eb0b7f3f948350e6947dac635cfef9e4ff4d3f756802cbd97e8c5845b25bc5a021d9875277f197d1bce55661e6961dd788a444962e33fa582a01d0bd61aaa22a76adf68b3169d3f0b49", 0x4c1, 0xfffffffffffffffd) recvmsg(0xffffffffffffff9c, &(0x7f0000002a40)={&(0x7f0000001600)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev}}}, 0x80, &(0x7f00000028c0)=[{&(0x7f0000001680)=""/108, 0x6c}, {&(0x7f0000001700)=""/112, 0x70}, {0x0}], 0x3, &(0x7f0000002940)=""/220, 0xdc}, 0x0) r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000240)='/proc/capi/capi20ncci\x00', 0x200000, 0x0) ioctl$VIDIOC_DBG_G_CHIP_INFO(0xffffffffffffffff, 0xc0c85666, 0x0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f00000030c0)={{{@in=@multicast2, @in=@local}}, {{@in6=@mcast2}}}, &(0x7f00000031c0)=0xe8) setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(0xffffffffffffffff, 0x6, 0x16, 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000003400)={{{@in6=@ipv4, @in=@remote}}, {{@in=@local}, 0x0, @in=@local}}, &(0x7f0000003500)=0xe8) openat$vimc0(0xffffffffffffff9c, &(0x7f0000000580)='/dev/video0\x00', 0x2, 0x0) sendmsg$unix(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0) unshare(0x8020000) restart_syscall() ioctl$sock_bt_cmtp_CMTPGETCONNLIST(0xffffffffffffffff, 0x800443d2, &(0x7f0000000200)={0x2, &(0x7f0000000040)=[{}, {}]}) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(r1, 0x84, 0x1b, &(0x7f0000000840)={0x0, 0x81, "2c32141e8da3cf836558a954f3fae76f80ace902d030d25fd9551aac7cf0bc29e9e12fd7a91b507b5bc86ee0e71ae2f09898eb7483169ea33d2e2089bfb72a060ebe1da6be631ce367d33abaff870c371a2d87e851f8bb3d195a263f2ef7d75774d6231ab2080861932578aa226d7ddba595dd114dccf71e46cdbde14887899244"}, &(0x7f0000000000)=0x89) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000180)={r3, 0x1ff}, &(0x7f00000001c0)=0x8) openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000380)='/dev/qat_adf_ctl\x00', 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r4 = syz_open_procfs$namespace(0x0, &(0x7f0000000140)='ns/mnt\x00') openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2\x00', 0x200000, 0x0) ioctl$VHOST_SET_VRING_BUSYLOOP_TIMEOUT(0xffffffffffffffff, 0x4008af23, &(0x7f00000004c0)={0x2, 0x100000000}) connect$unix(0xffffffffffffffff, 0x0, 0x0) setns(r4, 0x0) nanosleep(&(0x7f0000000280)={0x0, 0x1c9c380}, 0x0) clone(0x10062101, 0x0, 0x0, 0x0, 0x0) utime(0x0, &(0x7f0000000600)={0x3}) ioctl$ASHMEM_GET_PIN_STATUS(0xffffffffffffffff, 0x7709, 0x0) eventfd2(0x7, 0x80800) ioctl$KDSETLED(0xffffffffffffffff, 0x4b32, 0x0) keyctl$read(0xb, r0, &(0x7f0000005340)=""/4096, 0xeb5) 04:42:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x900000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) 04:42:14 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc1f123c123f3188b070") clone(0x802102001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r1 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x20, 0x103000) ioctl$KVM_GET_MP_STATE(r1, 0x8004ae98, &(0x7f0000000040)) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180)={'syz'}, &(0x7f0000000100), 0x3cc, 0xfffffffffffffffe) 04:42:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x200203, 0x0) ioctl$HDIO_GETGEO(r1, 0x301, &(0x7f0000000040)) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) [ 3393.782025][T19116] binder_alloc: binder_alloc_mmap_handler: 19111 20001000-20004000 already mapped failed -16 [ 3393.797369][T19106] kvm: apic: phys broadcast and lowest prio [ 3393.806957][T19114] encrypted_key: insufficient parameters specified [ 3393.818193][T19115] binder_alloc: 19111: binder_alloc_buf, no vma 04:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x4c00000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:15 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x171080, 0x0) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000040)=@assoc_value={0x0}, &(0x7f0000000080)=0x8) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f00000000c0)={r1, 0x5, 0x817}, 0x8) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r2, &(0x7f0000000140)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r2, 0x5) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = accept4(r2, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3393.909224][T19112] binder: BINDER_SET_CONTEXT_MGR already set [ 3393.918410][T19116] binder: 19111:19116 Release 1 refcount change on invalid ref 1 ret -22 [ 3393.964899][T19115] binder: 19111:19115 transaction failed 29189/-3, size 24-8 line 3147 [ 3393.989371][T19112] binder: 19111:19112 ioctl 40046207 0 returned -16 [ 3393.997711][T14003] binder: release 19111:19112 transaction 662 out, still active [ 3394.006149][T14003] binder: undelivered TRANSACTION_COMPLETE [ 3394.027274][T14003] binder: send failed reply for transaction 662, target dead 04:42:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000000)={0x0}, &(0x7f0000000040)=0xc) process_vm_writev(r2, &(0x7f0000000480)=[{&(0x7f0000000080)=""/215, 0xd7}, {&(0x7f0000000540)=""/4096, 0x1000}, {&(0x7f0000000180)=""/18, 0x12}, {&(0x7f0000000280)=""/27, 0x1b}, {&(0x7f00000002c0)=""/58, 0x3a}, {&(0x7f0000000380)=""/90, 0x5a}], 0x6, &(0x7f0000002ac0)=[{&(0x7f0000001540)=""/143, 0x8f}, {&(0x7f0000001600)=""/12, 0xc}, {&(0x7f0000001640)=""/169, 0xa9}, {&(0x7f0000001700)=""/192, 0xc0}, {&(0x7f00000017c0)=""/226, 0xe2}, {&(0x7f00000018c0)=""/22, 0x16}, {&(0x7f0000001900)=""/4096, 0x1000}, {&(0x7f0000002900)=""/168, 0xa8}, {&(0x7f00000029c0)=""/217, 0xd9}], 0x9, 0x0) r3 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000002c00)='/dev/vga_arbiter\x00', 0x2, 0x0) setsockopt$inet_sctp_SCTP_RECVNXTINFO(r3, 0x84, 0x21, &(0x7f0000002c40)=0xfffffffffffffff7, 0x4) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB='\x00c@@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\x00\x00\x00\x00\x00\x00', @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r4 = syz_open_dev$adsp(&(0x7f0000002b80)='/dev/adsp#\x00', 0xb7d, 0x10000) ioctl$IOC_PR_CLEAR(r4, 0x401070cd, &(0x7f0000002bc0)={0x551}) [ 3394.072503][T14003] binder: undelivered TRANSACTION_ERROR: 29189 04:42:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) fremovexattr(r0, &(0x7f0000000140)=@known='trusted.overlay.metacopy\x00') r1 = socket$inet_dccp(0x2, 0x6, 0x0) getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000000040)={0x0, @dev, @dev}, &(0x7f0000000080)=0xc) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/sys/net/ipv4/vs/amemthresh\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) chroot(&(0x7f0000000000)='./file0\x00') r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000028000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) 04:42:15 executing program 2: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000300)='/dev/dsp\x00', 0x4401, 0x0) socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCBRADDBR(0xffffffffffffffff, 0x89a0, 0x0) r1 = socket(0x1e, 0x4, 0x0) r2 = socket(0x1e, 0x4, 0x0) prctl$PR_SET_SECCOMP(0x16, 0x1, &(0x7f0000000500)={0x2, &(0x7f00000002c0)=[{0x8000, 0x9, 0x2, 0x1f}, {0x9, 0x4, 0x6, 0x97e7}]}) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$packet_tx_ring(r2, 0x10f, 0x87, &(0x7f0000000080)=@req={0x3fc}, 0x10) r4 = msgget(0x2, 0x204) msgctl$IPC_STAT(r4, 0x2, &(0x7f0000000180)=""/232) ioctl$SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE(r0, 0x40045542, &(0x7f00000000c0)=0x6) setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f0000265000)=@req={0x3fc}, 0x10) sendmmsg(r1, &(0x7f0000000a40), 0x400000000000030, 0x0) r5 = dup3(r3, r2, 0x0) r6 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000580)='IPVS\x00') sendmsg$IPVS_CMD_GET_CONFIG(r2, &(0x7f00000006c0)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000680)={&(0x7f00000005c0)={0x84, r6, 0x4, 0x70bd28, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_DEST={0x2c, 0x2, [@IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xff}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x7fff}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x518}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e24}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x7}, @IPVS_CMD_ATTR_DEST={0x3c, 0x2, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4000000000000000}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xb8fa}, @IPVS_DEST_ATTR_WEIGHT={0x8}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x8001}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x6697}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x1}]}]}, 0x84}, 0x1, 0x0, 0x0, 0x1}, 0x800) r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) readlink(0x0, &(0x7f0000000140)=""/30, 0x1e) r8 = shmget(0x1, 0x2000, 0x21, &(0x7f0000ffb000/0x2000)=nil) shmat(r8, &(0x7f0000ff2000/0x2000)=nil, 0x2000) r9 = openat$vfio(0xffffffffffffff9c, &(0x7f0000001940)='/dev/vfio/vfio\x00', 0x0, 0x0) r10 = ioctl$KVM_CREATE_VM(r7, 0xae01, 0x0) r11 = ioctl$KVM_CREATE_VCPU(r10, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r9, r11, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x519, 0x0, 0x0, 0x8) ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f0000000040)=@add_del={0x2, &(0x7f0000000000)='gretap0\x00'}) ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000700)=0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_REPLACE(r5, 0xc1105518, &(0x7f00000003c0)={{0x4, 0x0, 0x0, 0x1, 'syz1\x00', 0x8}, 0x5, 0x3, 0x2, r12, 0x5, 0x100000000, 'syz1\x00', &(0x7f0000000340)=['/keyring[securityppp1GPL[\x00', '/dev/dsp\x00', 'eth0\xb0ppp1&md5sum\x00', '\x00', 'system}cgroup\'vboxnet1\x00'], 0x4c, [], [0x4, 0xf94b, 0x5, 0xfffffffffffffff9]}) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$int_in(0xffffffffffffffff, 0x800000c0045002, 0x0) 04:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6000000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:15 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xa00000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3394.191608][T19337] binder_alloc: 19335: binder_alloc_buf size 1073742912 failed, no address space [ 3394.265424][T19337] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) [ 3394.276944][ T26] audit: type=1326 audit(1553575335.513:91): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=19342 comm="syz-executor.2" exe="/root/syz-executor.2" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45b06a code=0x0 [ 3394.314575][T19345] binder: 19335:19345 Release 1 refcount change on invalid ref 1 ret -22 [ 3394.345998][T19347] kvm: apic: phys broadcast and lowest prio [ 3394.394521][T19337] binder: 19335:19337 transaction failed 29201/-28, size 536871424-536871488 line 3147 [ 3394.447372][T19345] binder_alloc: binder_alloc_mmap_handler: 19335 20001000-20004000 already mapped failed -16 [ 3394.505675][T19337] binder: BINDER_SET_CONTEXT_MGR already set 04:42:15 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6800000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3394.549327][T19337] binder: 19335:19337 ioctl 40046207 0 returned -16 [ 3394.587660][T19348] binder: 19335:19348 Release 1 refcount change on invalid ref 1 ret -22 04:42:15 executing program 0: r0 = socket(0x80000000010, 0x100000802, 0x0) sendto(r0, &(0x7f0000000000)="120000001200e7ef007b1a41cd00000000a1", 0x12, 0x0, 0x0, 0x0) recvmmsg(r0, &(0x7f00000037c0)=[{{0x0, 0x0, &(0x7f0000000640)=[{&(0x7f00000000c0)=""/85, 0x55}], 0x1}}], 0x1, 0x0, 0x0) ioctl$sock_bt_cmtp_CMTPGETCONNLIST(r0, 0x800443d2, &(0x7f0000000300)={0x1, &(0x7f00000002c0)=[{}]}) r1 = gettid() get_robust_list(r1, &(0x7f0000000240)=&(0x7f0000000200)={&(0x7f0000000140)={&(0x7f0000000040)}, 0x0, &(0x7f00000001c0)={&(0x7f0000000180)}}, &(0x7f0000000280)=0x18) r2 = socket(0xa, 0x2, 0x0) setsockopt$inet_int(r2, 0x0, 0x40, &(0x7f0000000080), 0x4) [ 3394.639761][T19345] binder: 19335:19345 transaction failed 29189/-22, size 536871424-536871488 line 2994 04:42:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x6c00000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) 04:42:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x400) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="000000000000ffde"]], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, 0x0}) r2 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2) ioctl$TCSBRK(r2, 0x5409, 0x800) ioctl$BLKRESETZONE(r2, 0x40101283, &(0x7f0000000040)={0xf8, 0x77}) getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r2, 0x84, 0x1f, &(0x7f0000000080)={0x0, @in6={{0xa, 0x4e23, 0x4, @mcast2, 0x10000}}, 0x80000000, 0x1}, &(0x7f0000000140)=0x90) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r2, 0x84, 0x6c, &(0x7f0000000540)={r3, 0xcd, "35d9b67ac3f500b00c30218e1c2f9a3c4aec3d1892c3eb1e5a9abc8876710cf44baa99c2c96f1374e1a71e53b3531e1c12b6a8bf37bb410cf0d46139ae45c889160d357c3d8a5f43b8fb4ab121060dadd0c409ef61b991aa18270dd168b260935cacd3462593f10158b532d0348531c53517307d5ca7fa9f84bb0ef5182fce4f851f7ce3775e76a3a0086cbf89ae04347c920f7e121ab62a874a68855e57770c633dc8c4d2cdd83a851da167f3d67584dde1381b1a7171c4b2040ad73ae60b132cce3dcefe0246b89387ea730e"}, &(0x7f0000000180)=0xd5) ioctl$TIOCSSOFTCAR(r2, 0x541a, &(0x7f0000000280)=0x4) 04:42:16 executing program 2: mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x2, &(0x7f0000527ff8)=0xeef, 0x7, 0x0) get_mempolicy(0x0, 0x0, 0x0, &(0x7f000041e000/0x1000)=nil, 0x2) 04:42:16 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) accept$inet(0xffffffffffffff9c, &(0x7f0000000000)={0x2, 0x0, @empty}, &(0x7f0000000040)=0x10) syz_open_dev$swradio(&(0x7f0000000080)='/dev/swradio#\x00', 0x1, 0x2) r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer\x00', 0x800, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(r0, 0x84, 0xd, 0x0, 0xfffffcf9) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r1, 0x5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = accept4(r1, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3395.003273][T19599] ------------[ cut here ]------------ [ 3395.008771][T19599] kernel BUG at drivers/android/binder_alloc.c:1141! 04:42:16 executing program 2: r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000080)={0x0, 0x7530}, 0x10) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendmsg$TIPC_NL_PEER_REMOVE(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="ec80cb532f70e18a3569d384f44f3dfe8a0e36970a49453bce97797b4b7ce3142374f7870fdfbdbedf0d8786d3c22a1a616fcdb7feb9520fe48656b719e1b5238161c942dd5efb2158ecf23fcd0a476945f011a2995f50016b497d85d38bfd813e1e5247fad4ef838ea3a7a9b9cfb30bb3a4d7749916fb296c15d0a2aebb3d9c6b36cc55581643447c9730a1eefd9c0d08107cf1cbf169985cc4a643cf701aecfb126342256c6a953a3f4f644113c06cee2a4a03badbae91c199723d61bcc85440894dc30207154d50e912062aa7a4fa91e02e3546b630bd6a09068ed6fa55"], 0x1}}, 0x4c080) setsockopt$inet_tcp_int(r1, 0x6, 0x2000000000000013, &(0x7f0000000180)=0x1, 0x4) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000380)=0x1, 0x4) r2 = open(&(0x7f0000000280)='./file0\x00', 0x110000141042, 0x0) write$P9_RREADDIR(r1, &(0x7f00000000c0)=ANY=[@ANYBLOB="ac"], 0x1) ftruncate(r2, 0x10099b7) sendfile(r0, r2, 0x0, 0x88000fbfffffc) [ 3395.048223][T19619] binder: 19597:19619 Release 1 refcount change on invalid ref 1 ret -22 [ 3395.160225][T19599] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 3395.166345][T19599] CPU: 1 PID: 19599 Comm: syz-executor.4 Not tainted 5.1.0-rc2 #36 [ 3395.174231][T19599] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 3395.184375][T19599] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 3395.190879][T19599] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 3395.210483][T19599] RSP: 0018:ffff888055517550 EFLAGS: 00010216 [ 3395.216553][T19599] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9000e65f000 [ 3395.224539][T19599] RDX: 0000000000000419 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 3395.232507][T19599] RBP: ffff8880555175d0 R08: ffff88809f694600 R09: 0000000000000028 [ 3395.240477][T19599] R10: ffffed100aaa2f01 R11: ffff88805551780f R12: 0000000000000020 [ 3395.248458][T19599] R13: 0000000000000028 R14: ffff888086c05890 R15: 0000000000000000 [ 3395.256455][T19599] FS: 00007f77ebaf8700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 [ 3395.265391][T19599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3395.271973][T19599] CR2: 00007f77ebab5db8 CR3: 000000005b6b8000 CR4: 00000000001426e0 [ 3395.279941][T19599] Call Trace: [ 3395.283238][T19599] ? memcpy+0x46/0x50 [ 3395.287239][T19599] binder_alloc_copy_from_buffer+0x37/0x42 [ 3395.293100][T19599] binder_get_object+0xc3/0x200 [ 3395.297959][T19599] binder_transaction+0x2b4a/0x6690 [ 3395.303180][T19599] ? binder_thread_read+0x3d50/0x3d50 [ 3395.308565][T19599] ? __might_fault+0x12b/0x1e0 [ 3395.313336][T19599] ? lock_downgrade+0x880/0x880 [ 3395.318215][T19599] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 3395.324454][T19599] ? _copy_from_user+0xdd/0x150 [ 3395.329320][T19599] binder_thread_write+0x64a/0x2820 [ 3395.334521][T19599] ? __lockdep_free_key_range+0x120/0x120 [ 3395.340246][T19599] ? binder_transaction+0x6690/0x6690 [ 3395.345639][T19599] ? __might_fault+0x12b/0x1e0 [ 3395.350415][T19599] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 3395.356654][T19599] ? _copy_from_user+0xdd/0x150 [ 3395.361504][T19599] binder_ioctl+0x1033/0x183b [ 3395.366183][T19599] ? binder_thread_write+0x2820/0x2820 [ 3395.371639][T19599] ? tomoyo_path_number_perm+0x263/0x520 [ 3395.377285][T19599] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 3395.383095][T19599] ? __lockdep_free_key_range+0x120/0x120 [ 3395.388826][T19599] ? binder_thread_write+0x2820/0x2820 [ 3395.394301][T19599] do_vfs_ioctl+0xd6e/0x1390 [ 3395.398895][T19599] ? ioctl_preallocate+0x210/0x210 [ 3395.404007][T19599] ? __fget+0x381/0x550 [ 3395.408162][T19599] ? ksys_dup3+0x3e0/0x3e0 [ 3395.412583][T19599] ? nsecs_to_jiffies+0x30/0x30 [ 3395.417460][T19599] ? tomoyo_file_ioctl+0x23/0x30 [ 3395.422402][T19599] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 3395.428669][T19599] ? security_file_ioctl+0x93/0xc0 [ 3395.433776][T19599] ksys_ioctl+0xab/0xd0 [ 3395.437945][T19599] __x64_sys_ioctl+0x73/0xb0 [ 3395.442535][T19599] do_syscall_64+0x103/0x610 [ 3395.447125][T19599] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 3395.453012][T19599] RIP: 0033:0x458209 [ 3395.456904][T19599] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 3395.476531][T19599] RSP: 002b:00007f77ebaf7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 3395.484953][T19599] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 3395.492919][T19599] RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000003 [ 3395.500889][T19599] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 04:42:16 executing program 0: r0 = socket(0x80000000010, 0x100000802, 0x0) sendto(r0, &(0x7f0000000000)="120000001200e7ef007b1a41cd00000000a1", 0x12, 0x0, 0x0, 0x0) recvmmsg(r0, &(0x7f00000037c0)=[{{0x0, 0x0, &(0x7f0000000640)=[{&(0x7f00000000c0)=""/85, 0x55}], 0x1}}], 0x1, 0x0, 0x0) ioctl$sock_bt_cmtp_CMTPGETCONNLIST(r0, 0x800443d2, &(0x7f0000000300)={0x1, &(0x7f00000002c0)=[{}]}) r1 = gettid() get_robust_list(r1, &(0x7f0000000240)=&(0x7f0000000200)={&(0x7f0000000140)={&(0x7f0000000040)}, 0x0, &(0x7f00000001c0)={&(0x7f0000000180)}}, &(0x7f0000000280)=0x18) r2 = socket(0xa, 0x2, 0x0) setsockopt$inet_int(r2, 0x0, 0x40, &(0x7f0000000080), 0x4) 04:42:16 executing program 2: r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vcs\x00', 0x0, 0x0) setsockopt$RDS_CANCEL_SENT_TO(r0, 0x114, 0x1, &(0x7f00000001c0)={0x2, 0x0, @dev}, 0x10) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) perf_event_open(&(0x7f000025c000)={0x1, 0x70, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240)='/dev/nullb0\x00', 0x4000000004002, 0x0) ioctl$SG_SET_DEBUG(r0, 0x227e, &(0x7f0000000140)=0x1) getsockopt$inet6_tcp_int(r0, 0x6, 0x0, 0x0, 0x0) ioctl$TUNSETVNETLE(r0, 0x400454dc, &(0x7f0000000080)) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r1, 0x0) ioctl$KDSETKEYCODE(0xffffffffffffffff, 0x4b4d, 0x0) r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000)='/dev/nullb0\x00', 0x0, 0x0) preadv(r2, &(0x7f0000000040)=[{&(0x7f0000000400)=""/4096, 0x8d5af}], 0x1000000000000159, 0x0) ioctl$TCSETAF(0xffffffffffffffff, 0x5408, 0x0) [ 3395.508858][T19599] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f77ebaf86d4 [ 3395.516836][T19599] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff [ 3395.524809][T19599] Modules linked in: [ 3395.542610][T19600] kobject: 'kvm' (00000000f8d677f0): kobject_uevent_env [ 3395.547156][T19599] ---[ end trace 0854c422b1edf0fe ]--- [ 3395.558025][ T3875] kobject: 'loop2' (0000000097cb6281): kobject_uevent_env [ 3395.565610][T19599] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 3395.572236][ T3875] kobject: 'loop2' (0000000097cb6281): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 3395.583371][T19599] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf f9 23 fc 4c 89 e6 4c 89 ef e8 d4 fa 23 fc 4d 39 e5 76 07 e8 aa f9 23 fc <0f> 0b e8 a3 f9 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1 [ 3395.602983][T19600] kobject: 'kvm' (00000000f8d677f0): fill_kobj_path: path = '/devices/virtual/misc/kvm' 04:42:16 executing program 5: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000080)={0x2, 0x0, @ioapic={0x0, 0x0, 0x0, 0x58d9b16a, 0x0, [{}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x7400000000000000}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x1, 0x0, [], 0xffffffff}]}}) [ 3395.653138][ T3875] kobject: 'loop5' (000000005f00a9c2): kobject_uevent_env [ 3395.678505][T19794] kobject: 'kvm' (00000000f8d677f0): kobject_uevent_env [ 3395.681171][ T3875] kobject: 'loop5' (000000005f00a9c2): fill_kobj_path: path = '/devices/virtual/block/loop5' 04:42:16 executing program 0: unlink(&(0x7f00000007c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00') perf_event_open(&(0x7f000001d000)={0x1, 0xfffffffffffffd82, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x82, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) statfs(&(0x7f0000000240)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', &(0x7f00000002c0)=""/207) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-512-generic\x00'}, 0xde6e) bind$alg(r0, &(0x7f0000001000)={0x26, 'hash\x00', 0x0, 0x0, 'michael_mic\x00'}, 0x58) unlink(&(0x7f00000003c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00') setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000412ff8)="3665a1ab415b7ac7", 0x8) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='net/dev\x00') setsockopt$inet6_udp_encap(r1, 0x11, 0x64, &(0x7f00000000c0)=0x7, 0x4) futimesat(r1, &(0x7f0000000000)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', &(0x7f0000000200)={{}, {0x77359400}}) r2 = accept$alg(r0, 0x0, 0x0) sendmmsg(r2, &(0x7f0000007b40)=[{{&(0x7f0000000180)=@l2, 0x3d4}}, {{&(0x7f0000007500)=@hci, 0xfe3c, &(0x7f0000007680), 0x141, &(0x7f00000076c0), 0x10}}], 0x4000000000003d5, 0x0) 04:42:16 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r0, 0x5) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = accept4(r0, 0x0, 0x0, 0x0) syz_open_dev$sndtimer(0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) syz_open_dev$dspn(0x0, 0x0, 0x0) mkdir(0x0, 0x0) mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f000000c000)='ramfs\x00', 0x0, 0x0) chdir(&(0x7f0000000100)='./file0\x00') mkdir(&(0x7f0000000340)='./control\x00', 0x0) creat(&(0x7f0000000040)='./control/file0\x00', 0x0) rmdir(&(0x7f0000000080)='./control\x00') setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0xe00000000000000, @empty}}, 0x0, 0x3f00, 0x0, 0x0, 0x54}, 0x98) ioctl$KVM_S390_UCAS_MAP(0xffffffffffffffff, 0x4018ae50, 0x0) [ 3395.697809][T19794] kobject: 'kvm' (00000000f8d677f0): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 3395.735859][ T3875] kobject: 'loop1' (00000000b924397d): kobject_uevent_env [ 3395.757020][ T3875] kobject: 'loop1' (00000000b924397d): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 3395.757936][T19794] kvm: apic: phys broadcast and lowest prio [ 3395.794386][T19684] binder_alloc: binder_alloc_mmap_handler: 19597 20001000-20004000 already mapped failed -16 [ 3395.823742][T19794] kobject: 'kvm' (00000000f8d677f0): kobject_uevent_env [ 3395.859147][T19619] binder: BINDER_SET_CONTEXT_MGR already set [ 3395.859202][T19599] RSP: 0018:ffff888055517550 EFLAGS: 00010216 [ 3395.865145][T19619] binder: 19597:19619 ioctl 40046207 0 returned -16 [ 3395.867096][ T3875] kobject: 'nullb0' (00000000b0d4b16f): kobject_uevent_env [ 3395.884604][T19792] kobject: 'kvm' (00000000f8d677f0): kobject_uevent_env [ 3395.892347][T19794] kobject: 'kvm' (00000000f8d677f0): fill_kobj_path: path = '/devices/virtual/misc/kvm' 04:42:17 executing program 2: r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vcs\x00', 0x0, 0x0) setsockopt$RDS_CANCEL_SENT_TO(r0, 0x114, 0x1, &(0x7f00000001c0)={0x2, 0x0, @dev}, 0x10) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x10, 0xffffffffffffffff, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) perf_event_open(&(0x7f000025c000)={0x1, 0x70, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240)='/dev/nullb0\x00', 0x4000000004002, 0x0) ioctl$SG_SET_DEBUG(r0, 0x227e, &(0x7f0000000140)=0x1) getsockopt$inet6_tcp_int(r0, 0x6, 0x0, 0x0, 0x0) ioctl$TUNSETVNETLE(r0, 0x400454dc, &(0x7f0000000080)) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r1, 0x0) ioctl$KDSETKEYCODE(0xffffffffffffffff, 0x4b4d, 0x0) r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000)='/dev/nullb0\x00', 0x0, 0x0) preadv(r2, &(0x7f0000000040)=[{&(0x7f0000000400)=""/4096, 0x8d5af}], 0x1000000000000159, 0x0) ioctl$TCSETAF(0xffffffffffffffff, 0x5408, 0x0) 04:42:17 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$mouse(&(0x7f0000000200)='/dev/input/mouse#\x00', 0x5, 0x401ffc) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffff9c, 0xc00c642d, &(0x7f00000000c0)={0x0, 0x80000}) r2 = syz_open_dev$sndpcmc(&(0x7f0000000100)='/dev/snd/pcmC#D#c\x00', 0xffff, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000000140)={r1, 0x80000, r2}) setsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, 0x0, 0x0) io_setup(0x0, 0x0) ioctl$VIDIOC_S_CTRL(r0, 0xc008561c, &(0x7f0000000180)={0x3}) epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, 0x0) r3 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r3, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback}, 0x1c) listen(r3, 0x5) r4 = socket$inet6_sctp(0xa, 0x5, 0x84) r5 = accept4(r3, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback}], 0x1c) r6 = syz_open_dev$dspn(0x0, 0x0, 0x0) ioctl$VIDIOC_G_MODULATOR(r6, 0xc0445636, &(0x7f0000000000)={0xd3, "da8eec3638182d244297ac25e871c0ffffc8e3de93e0675617fdfac7322a3f57", 0x1000, 0x8, 0x0, 0x8, 0x5}) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000280)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x3f00, 0xe000000, 0x0, 0x54}, 0x98) [ 3395.917673][T19992] binder_alloc: 19597: binder_alloc_buf, no vma [ 3395.950077][ T3875] kobject: 'nullb0' (00000000b0d4b16f): fill_kobj_path: path = '/devices/virtual/block/nullb0' 04:42:17 executing program 0: unlink(&(0x7f00000007c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00') perf_event_open(&(0x7f000001d000)={0x1, 0xfffffffffffffd82, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x82, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) statfs(&(0x7f0000000240)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', &(0x7f00000002c0)=""/207) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-512-generic\x00'}, 0xde6e) bind$alg(r0, &(0x7f0000001000)={0x26, 'hash\x00', 0x0, 0x0, 'michael_mic\x00'}, 0x58) unlink(&(0x7f00000003c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00') setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000412ff8)="3665a1ab415b7ac7", 0x8) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='net/dev\x00') setsockopt$inet6_udp_encap(r1, 0x11, 0x64, &(0x7f00000000c0)=0x7, 0x4) futimesat(r1, &(0x7f0000000000)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', &(0x7f0000000200)={{}, {0x77359400}}) r2 = accept$alg(r0, 0x0, 0x0) sendmmsg(r2, &(0x7f0000007b40)=[{{&(0x7f0000000180)=@l2, 0x3d4}}, {{&(0x7f0000007500)=@hci, 0xfe3c, &(0x7f0000007680), 0x141, &(0x7f00000076c0), 0x10}}], 0x4000000000003d5, 0x0) [ 3395.960697][T19599] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9000e65f000 [ 3395.962725][T19992] binder: 19597:19992 transaction failed 29189/-3, size 24-8 line 3147 [ 3395.991982][T19792] kobject: 'kvm' (00000000f8d677f0): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 3395.992224][ T3875] kobject: 'loop2' (0000000097cb6281): kobject_uevent_env [ 3396.018025][ T3875] kobject: 'loop2' (0000000097cb6281): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 3396.055905][T19599] RDX: 0000000000000419 RSI: ffffffff854c77d6 RDI: 0000000000000006 [ 3396.057736][T19619] binder: 19597:19619 Release 1 refcount change on invalid ref 1 ret -22 [ 3396.101512][ T3875] kobject: 'loop3' (0000000030248a1c): kobject_uevent_env [ 3396.128575][ T3875] kobject: 'loop3' (0000000030248a1c): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 3396.140140][T19792] kobject: 'kvm' (00000000f8d677f0): kobject_uevent_env [ 3396.160397][T19599] RBP: ffff8880555175d0 R08: ffff88809f694600 R09: 0000000000000028 [ 3396.199812][T19792] kobject: 'kvm' (00000000f8d677f0): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 3396.226761][T19599] R10: ffffed100aaa2f01 R11: ffff88805551780f R12: 0000000000000020 [ 3396.325579][T14003] binder_release_work: 2 callbacks suppressed [ 3396.325586][T14003] binder: undelivered TRANSACTION_ERROR: 29189 [ 3396.346323][T19599] R13: 0000000000000028 R14: ffff888086c05890 R15: 0000000000000000 [ 3396.399420][ T3875] kobject: 'loop5' (000000005f00a9c2): kobject_uevent_env [ 3396.406576][ T3875] kobject: 'loop5' (000000005f00a9c2): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 3396.440005][T19599] FS: 00007f77ebaf8700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 [ 3396.518944][ T3875] kobject: 'nullb0' (00000000b0d4b16f): kobject_uevent_env [ 3396.533205][T19599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3396.553204][ T3875] kobject: 'nullb0' (00000000b0d4b16f): fill_kobj_path: path = '/devices/virtual/block/nullb0' [ 3396.581576][T19599] CR2: 000000000070b158 CR3: 000000005b6b8000 CR4: 00000000001426e0 [ 3396.611854][T19599] Kernel panic - not syncing: Fatal exception [ 3396.612457][ T3875] kobject: 'loop2' (0000000097cb6281): kobject_uevent_env [ 3396.618751][T19599] Kernel Offset: disabled [ 3396.630169][T19599] Rebooting in 86400 seconds..