0000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:20 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc000000000000) 21:36:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4004ae99, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 610.099660] binder: 32621:32623 got transaction with invalid handle, 0 21:36:20 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd5f80000}, 'syz0\x00'}) 21:36:20 executing program 2: r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x8, 0x2) syz_open_dev$dmmidi(&(0x7f00000002c0)='/dev/dmmidi#\x00', 0x9f, 0x20000) r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000300)='/dev/hwrng\x00', 0x4000, 0x0) ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000780)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r2 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000000180)={{{@in6=@mcast2, @in=@rand_addr, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@broadcast}}, &(0x7f0000000280)=0xe8) getresuid(&(0x7f0000000380), &(0x7f00000003c0)=0x0, &(0x7f0000000400)) mount$9p_unix(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='9p\x00', 0x0, &(0x7f0000000440)={'trans=unix,', {[{@nodevmap='nodevmap'}], [{@measure='measure'}, {@obj_user={'obj_user'}}, {@rootcontext={'rootcontext', 0x3d, 'staff_u'}}, {@smackfstransmute={'smackfstransmute', 0x3d, '/dev/dmmidi#\x00'}}, {@euid_eq={'euid', 0x3d, r4}}, {@subj_user={'subj_user', 0x3d, '/dev/hwrng\x00'}}, {@fowner_eq={'fowner', 0x3d, r5}}, {@permit_directio='permit_directio'}]}}) recvmmsg(r2, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r3+30000000}) poll(&(0x7f0000000080)=[{r2}], 0x1, 0x0) [ 610.150394] binder: 32621:32623 transaction failed 29201/-22, size 24-8 line 3062 [ 610.177807] binder: BINDER_SET_CONTEXT_MGR already set [ 610.194970] binder_alloc: 32621: binder_alloc_buf, no vma 21:36:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x10]}) [ 610.246334] binder: 32621:32623 ioctl 40046207 0 returned -16 21:36:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xaeb7, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 610.312922] input: syz1 as /devices/virtual/input/input1613 21:36:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x4c000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 610.371575] input: syz1 as /devices/virtual/input/input1614 21:36:20 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xec0f00) 21:36:20 executing program 2: syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x8, 0x400000) ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) r2 = shmget(0x2, 0x3000, 0xf, &(0x7f0000ffa000/0x3000)=nil) shmctl$SHM_STAT(r2, 0xd, &(0x7f00000000c0)=""/94) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) [ 610.480855] binder: 32654:32657 got transaction with invalid handle, 0 [ 610.506718] binder: BINDER_SET_CONTEXT_MGR already set 21:36:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x410101c000000000]}) 21:36:20 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) getuid() r1 = fcntl$getown(r0, 0x9) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x280500, 0x0) epoll_ctl$EPOLL_CTL_DEL(r2, 0x2, r0) ioctl$TCSBRKP(r2, 0x5425, 0x1ff) perf_event_open(&(0x7f00000000c0)={0x2, 0x70, 0xdcb2, 0x1, 0x8, 0x1, 0x0, 0x80, 0x2000, 0xa, 0x1f, 0x4, 0x81, 0x9, 0x1ff, 0x2, 0x1000000000000000, 0x80000000, 0x5, 0x92, 0x9, 0x7cc2, 0x6, 0x9, 0x2, 0x6, 0x4, 0x2, 0x80000000, 0xffffffff80000000, 0x5, 0x0, 0x20000000000000, 0x6, 0x9, 0x2, 0x7, 0x0, 0x0, 0x7, 0x3, @perf_config_ext={0xfffffffffffffffb, 0x7}, 0x100, 0xfffffffffffff800, 0x4000000000000000, 0x5, 0x8, 0xffffffff, 0xff}, r1, 0x10, r2, 0xa) timer_create(0x5, &(0x7f0000000140)={0x0, 0x26, 0x2, @tid=r1}, &(0x7f0000000180)=0x0) timer_settime(r3, 0x1, &(0x7f00000001c0)={{}, {0x0, 0x989680}}, &(0x7f0000000200)) clock_gettime(0x7, &(0x7f0000000040)) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) ioctl$NBD_SET_SIZE_BLOCKS(r2, 0xab07, 0x3) 21:36:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x5452, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 610.539514] binder_alloc: 32654: binder_alloc_buf, no vma [ 610.576680] binder: 32654:32657 ioctl 40046207 0 returned -16 21:36:20 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x4000000}, 'syz0\x00'}) 21:36:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x300}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x400101c0]}) 21:36:21 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000480)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f8000000000000004804d81cfb3eec1480c051220180058a354253469c32481b73ac15f42e7fb1709fdb578a4029021c8023c054318c5af18d60fb1fdb9ae6bfc5c4db9f62063b69c7eb7e0df3ea53b9418e8883016fe3e7741b48df7d1f7dcba8d32f0d751ec9cd123b16bd9f8a4639c03618248eb163b017b7da9a311b6a5170d9ef143449ed70ab9ab9163aeab901cfdee0044eedba16b68d666232591d08e54b865f25f1e495ccedd03132fb7e1293a7eb5ef771d4d79f2159a194") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) [ 610.756174] binder: 32681:32685 got transaction with invalid handle, 0 [ 610.786846] input: syz1 as /devices/virtual/input/input1615 [ 610.792030] binder: BINDER_SET_CONTEXT_MGR already set 21:36:21 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1c000000) 21:36:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4068aea3, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 610.826210] binder_alloc: 32681: binder_alloc_buf, no vma [ 610.865277] binder: 32681:32685 ioctl 40046207 0 returned -16 [ 610.901187] input: syz1 as /devices/virtual/input/input1616 21:36:21 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) r2 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x4, 0x5300916aac018e3d) ioctl$PERF_EVENT_IOC_QUERY_BPF(r2, 0xc008240a, &(0x7f00000000c0)={0x4, 0x0, [0x0, 0x0, 0x0, 0x0]}) 21:36:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0xa00}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x3b000000]}) 21:36:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x9000aea4, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:21 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f00000000c0)={{{@in=@rand_addr, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@rand_addr}, 0x0, @in=@broadcast}}, &(0x7f0000000000)=0xe8) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/dsp\x00', 0x250800, 0x0) ioctl$PPPOEIOCDFWD(r2, 0xb101, 0x0) ioprio_set$uid(0x3, r1, 0x800) signalfd(r2, &(0x7f0000000200)={0x2}, 0x8) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r3+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) 21:36:21 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd5f8000000000000}, 'syz0\x00'}) [ 611.074641] binder: 32714:32715 got transaction with invalid handle, 0 [ 611.157710] binder_alloc_mmap_handler: 4 callbacks suppressed [ 611.157729] binder_alloc: binder_alloc_mmap_handler: 32714 20001000-20004000 already mapped failed -16 21:36:21 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x5000000) [ 611.202920] binder: BINDER_SET_CONTEXT_MGR already set [ 611.220719] input: syz1 as /devices/virtual/input/input1617 21:36:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x79010000]}) [ 611.249501] binder: 32714:32715 ioctl 40046207 0 returned -16 21:36:21 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) socketpair$inet_sctp(0x2, 0x1, 0x84, &(0x7f00000038c0)={0xffffffffffffffff, 0xffffffffffffffff}) sendto$inet(r2, &(0x7f0000003900)="5a6a85405e0e53bbad1f120b36866ca9a92237b61ea5a32b85fb757a32dbb4b0d0a2293d862186d21d7b278d967b2c6158d25d14a3cd5a1c3bf351b834df84898eb4afd453fb5c1bdc4aae38fd3dc0cab3a48b3a7912a0e5e27035401248043cdadad14837dcb05fd4379f32fef9bfa2d916e9a8a1f6b5b8ff0e1c0ab142bc5c8cd23ae128d2c3df814d1e62fe854e825558122ba5ea0a930cc4e688349d02d63ad55c7643a508a2620565a43701695ab1c4036553", 0xb5, 0x4040840, &(0x7f00000039c0)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0xb}}, 0x10) readv(r0, &(0x7f0000003640)=[{&(0x7f0000000480)=""/4096, 0x1000}, {&(0x7f0000000100)=""/237, 0xed}, {&(0x7f0000000200)=""/79, 0x4f}, {&(0x7f0000000280)=""/118, 0x76}, {&(0x7f0000000300)=""/59, 0x3b}, {&(0x7f0000001480)=""/4096, 0x1000}, {&(0x7f0000002480)=""/65, 0x41}, {&(0x7f0000002500)=""/167, 0xa7}, {&(0x7f00000025c0)=""/86, 0x56}, {&(0x7f0000002640)=""/4096, 0x1000}], 0xa) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) r3 = syz_open_dev$mice(&(0x7f0000003800)='/dev/input/mice\x00', 0x0, 0x8000000204000) getsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r3, 0x84, 0x8, &(0x7f00000037c0), &(0x7f0000003840)=0x4) seccomp(0x1, 0x1, &(0x7f00000000c0)={0x4, &(0x7f0000000000)=[{0x3ff, 0x7ff, 0x1, 0x6}, {0x12a6, 0x1f, 0x88c, 0x2}, {0x10000, 0x2, 0x6, 0xfff}, {0x9, 0x1, 0xb99, 0xff}]}) ioctl$IOC_PR_PREEMPT(r3, 0x401870cb, &(0x7f0000003880)={0x7, 0x0, 0x3, 0x7}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) r4 = openat$vsock(0xffffffffffffff9c, &(0x7f0000003700)='/dev/vsock\x00', 0xc00, 0x0) write$FUSE_INIT(r4, &(0x7f0000003740)={0x50, 0xfffffffffffffffe, 0x4, {0x7, 0x1b, 0x2, 0x100000, 0x7c, 0x2, 0x0, 0x800}}, 0x50) 21:36:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4004ae8b, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 611.322884] input: syz1 as /devices/virtual/input/input1618 [ 611.382620] binder_alloc: 32714: binder_alloc_buf, no vma 21:36:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x8601000000000000]}) 21:36:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x300000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 611.424751] binder_release_work: 16 callbacks suppressed [ 611.424759] binder: undelivered TRANSACTION_ERROR: 29201 [ 611.464567] binder: undelivered TRANSACTION_ERROR: 29189 21:36:21 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)) poll(&(0x7f0000000080), 0x0, 0x0) 21:36:21 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xccf8000000000000}, 'syz0\x00'}) 21:36:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4004ae86, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:22 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x38000000) 21:36:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x7601000000000000]}) [ 611.667912] binder: 32762:32763 got transaction with invalid handle, 0 21:36:22 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x10000, 0x0) ioctl$SNDRV_TIMER_IOCTL_PAUSE(r1, 0x54a3) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r2+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) [ 611.734502] input: syz1 as /devices/virtual/input/input1619 [ 611.741522] binder_alloc: binder_alloc_mmap_handler: 32762 20001000-20004000 already mapped failed -16 [ 611.786981] binder: BINDER_SET_CONTEXT_MGR already set [ 611.792437] binder: 32762:32763 ioctl 40046207 0 returned -16 [ 611.794246] binder_alloc: 32762: binder_alloc_buf, no vma 21:36:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc018ae85, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 611.837913] input: syz1 as /devices/virtual/input/input1620 [ 611.846486] binder: undelivered TRANSACTION_ERROR: 29201 [ 611.865216] binder: undelivered TRANSACTION_ERROR: 29189 21:36:22 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000140)='/dev/audio\x00', 0x200500, 0x0) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(0xffffffffffffff9c, 0x84, 0x77, &(0x7f0000000180)=ANY=[@ANYRES32=0x0, @ANYBLOB], &(0x7f00000001c0)=0xa) setsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r1, 0x84, 0x75, &(0x7f0000000200)={r2, 0x3}, 0x8) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r3+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) ppoll(&(0x7f0000000000)=[{r0, 0x8292}], 0x1, &(0x7f00000000c0)={0x77359400}, &(0x7f0000000100)={0x3ff}, 0x8) 21:36:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x1b0001c000000000]}) 21:36:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x600000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:22 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1600) 21:36:22 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbdf8}, 'syz0\x00'}) 21:36:22 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) rt_sigreturn() recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) [ 612.078731] binder: 331:338 got transaction with invalid handle, 0 21:36:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x5421, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 612.142198] binder_alloc: binder_alloc_mmap_handler: 331 20001000-20004000 already mapped failed -16 [ 612.158861] input: syz1 as /devices/virtual/input/input1621 [ 612.179691] binder: BINDER_SET_CONTEXT_MGR already set [ 612.198578] binder: 331:338 ioctl 40046207 0 returned -16 [ 612.218835] binder_alloc: 331: binder_alloc_buf, no vma [ 612.226072] input: syz1 as /devices/virtual/input/input1622 [ 612.238384] binder: undelivered TRANSACTION_ERROR: 29201 [ 612.245767] binder: undelivered TRANSACTION_ERROR: 29189 21:36:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0xfdfdffff00000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x91040000]}) 21:36:22 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x2, &(0x7f00000004c0)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffea3, 0x10000000000000, &(0x7f0000000340)={0x0, r1+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000500)='/dev/qat_adf_ctl\x00', 0x80000, 0x0) gettid() ioctl$DRM_IOCTL_VERSION(r2, 0xc0406400, &(0x7f0000000480)={0x8, 0x101, 0x6, 0xdd, &(0x7f00000000c0)=""/221, 0xa7, &(0x7f00000001c0)=""/167, 0xb5, &(0x7f0000000280)=""/181}) ioctl$TIOCLINUX6(r2, 0x541c, &(0x7f0000000000)={0x6, 0x7}) 21:36:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc0189436, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:22 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6000}, 'syz0\x00'}) [ 612.415896] binder: 359:362 got transaction with invalid handle, 0 [ 612.441040] QAT: Invalid ioctl [ 612.450946] QAT: Invalid ioctl 21:36:22 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x14) [ 612.468916] binder_alloc: binder_alloc_mmap_handler: 359 20001000-20004000 already mapped failed -16 [ 612.480321] QAT: Invalid ioctl [ 612.486736] QAT: Invalid ioctl [ 612.503865] binder_alloc: 359: binder_alloc_buf, no vma 21:36:22 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r1+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) r2 = fcntl$getown(r0, 0x9) pipe(&(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_inet_SIOCSARP(r3, 0x8955, &(0x7f0000000480)={{0x2, 0x4e20, @local}, {0x7}, 0x24, {0x2, 0x4e22, @local}, 'team_slave_1\x00'}) ioctl$SG_GET_COMMAND_Q(r3, 0x2270, &(0x7f0000000300)) process_vm_writev(r2, &(0x7f0000000180)=[{&(0x7f00000000c0)=""/153, 0x99}], 0x1, &(0x7f0000000280)=[{&(0x7f00000001c0)=""/133, 0x85}], 0x1, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x2000, 0x0) [ 612.542183] binder: undelivered TRANSACTION_ERROR: 29201 [ 612.549129] binder: undelivered TRANSACTION_ERROR: 29189 [ 612.554665] input: syz1 as /devices/virtual/input/input1623 21:36:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x1400000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x491]}) [ 612.631066] input: syz1 as /devices/virtual/input/input1624 21:36:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x40049409, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:23 executing program 2: r0 = gettid() sched_rr_get_interval(r0, &(0x7f0000000000)) ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r1 = syz_init_net_socket$nfc_llcp(0x27, 0xfffffffffffffffc, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r1, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r2+30000000}) poll(&(0x7f0000000080)=[{r1}], 0x1, 0x0) [ 612.735581] binder: 389:393 got transaction with invalid handle, 0 [ 612.753133] binder_alloc: binder_alloc_mmap_handler: 389 20001000-20004000 already mapped failed -16 [ 612.787816] binder: BINDER_SET_CONTEXT_MGR already set 21:36:23 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcdf8000000000000}, 'syz0\x00'}) [ 612.815594] binder: 389:393 ioctl 40046207 0 returned -16 [ 612.830828] binder_alloc: 389: binder_alloc_buf, no vma [ 612.850374] binder: undelivered TRANSACTION_ERROR: 29201 21:36:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x100001c0]}) [ 612.876175] binder: undelivered TRANSACTION_ERROR: 29189 21:36:23 executing program 2: ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r0 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) r1 = openat$null(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/null\x00', 0xa19dcb0a3c3d1e94, 0x0) getsockopt$packet_int(r1, 0x107, 0xa, &(0x7f0000000100), &(0x7f0000000140)=0x4) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r2+30000000}) poll(&(0x7f0000000080)=[{r0}], 0x1, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/drop_entry\x00', 0x2, 0x0) 21:36:23 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1a00000000000000) [ 612.934195] input: syz1 as /devices/virtual/input/input1625 21:36:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4048ae9b, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x6c}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 613.014025] input: syz1 as /devices/virtual/input/input1626 21:36:23 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6000}, 'syz0\x00'}) 21:36:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x840000c0]}) [ 613.133521] binder_transaction: 15 callbacks suppressed [ 613.133540] binder: 425:427 transaction failed 29201/-22, size 24-8 line 3062 21:36:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4090ae82, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 613.200275] binder_alloc: binder_alloc_mmap_handler: 425 20001000-20004000 already mapped failed -16 [ 613.244915] binder: BINDER_SET_CONTEXT_MGR already set [ 613.263801] binder: 425:427 ioctl 40046207 0 returned -16 [ 613.272977] binder_alloc: 425: binder_alloc_buf, no vma [ 613.278841] binder: 425:443 transaction failed 29189/-3, size 24-8 line 2970 [ 613.292110] input: syz1 as /devices/virtual/input/input1627 21:36:23 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdcf8}, 'syz0\x00'}) 21:36:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x200000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0xe006000000000000]}) 21:36:23 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x80040000) [ 613.473749] input: syz1 as /devices/virtual/input/input1628 [ 613.499247] binder: 454:456 transaction failed 29201/-22, size 24-8 line 3062 [ 613.517119] input: syz1 as /devices/virtual/input/input1629 21:36:23 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r4 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r4, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r5+30000000}) poll(&(0x7f0000000080)=[{r4}], 0x1, 0x0) 21:36:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4138ae84, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 613.531281] binder_alloc: binder_alloc_mmap_handler: 454 20001000-20004000 already mapped failed -16 [ 613.636213] binder: BINDER_SET_CONTEXT_MGR already set 21:36:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x86010000]}) 21:36:24 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcbf8000000000000}, 'syz0\x00'}) [ 613.663350] binder_alloc: 454: binder_alloc_buf, no vma [ 613.694497] binder: 454:456 ioctl 40046207 0 returned -16 21:36:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4080aebf, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r4 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r4, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r5+30000000}) poll(&(0x7f0000000080)=[{r4}], 0x1, 0x0) [ 613.737806] binder: 454:471 transaction failed 29189/-3, size 24-8 line 2970 21:36:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x500}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:24 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x3000000) [ 613.828558] input: syz1 as /devices/virtual/input/input1630 21:36:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x76010000]}) [ 613.936113] input: syz1 as /devices/virtual/input/input1631 [ 613.969481] binder: 491:494 transaction failed 29201/-22, size 24-8 line 3062 21:36:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r4 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r4, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r5+30000000}) poll(&(0x7f0000000080)=[{r4}], 0x1, 0x0) [ 613.997391] binder_alloc: binder_alloc_mmap_handler: 491 20001000-20004000 already mapped failed -16 [ 614.007158] binder: BINDER_SET_CONTEXT_MGR already set [ 614.012698] binder: 491:494 ioctl 40046207 0 returned -16 [ 614.019114] binder_alloc: 491: binder_alloc_buf, no vma [ 614.029538] binder: 491:496 transaction failed 29189/-3, size 24-8 line 2970 21:36:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x8004ae98, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x1200}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:24 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbdf80000}, 'syz0\x00'}) [ 614.189922] binder: 510:511 transaction failed 29201/-22, size 24-8 line 3062 21:36:24 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x7) [ 614.247036] binder_alloc: binder_alloc_mmap_handler: 510 20001000-20004000 already mapped failed -16 [ 614.277935] input: syz1 as /devices/virtual/input/input1632 21:36:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0xb7000040]}) [ 614.292862] binder: BINDER_SET_CONTEXT_MGR already set 21:36:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") r4 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) recvmmsg(r4, &(0x7f0000000040), 0x3fffffffffffec9, 0x0, &(0x7f0000000340)={0x0, r5+30000000}) [ 614.321141] binder: 510:511 ioctl 40046207 0 returned -16 [ 614.355181] input: syz1 as /devices/virtual/input/input1633 21:36:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc028ae92, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 614.369968] binder_alloc: 510: binder_alloc_buf, no vma [ 614.428054] binder: 510:521 transaction failed 29189/-3, size 24-8 line 2970 21:36:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x14}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)) 21:36:24 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x40000000}, 'syz0\x00'}) 21:36:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x8138ae83, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x2000000]}) [ 614.635791] binder_translate_handle: 4 callbacks suppressed [ 614.635801] binder: 538:539 got transaction with invalid handle, 0 21:36:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) clock_gettime(0x0, &(0x7f0000000040)) [ 614.678245] input: syz1 as /devices/virtual/input/input1634 21:36:25 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xf) [ 614.720283] binder: 538:539 transaction failed 29201/-22, size 24-8 line 3062 [ 614.790053] binder_alloc: binder_alloc_mmap_handler: 538 20001000-20004000 already mapped failed -16 [ 614.814869] input: syz1 as /devices/virtual/input/input1635 [ 614.836503] binder: BINDER_SET_CONTEXT_MGR already set 21:36:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae8a, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) [ 614.877172] binder: 538:539 ioctl 40046207 0 returned -16 [ 614.877766] binder_alloc: 538: binder_alloc_buf, no vma 21:36:25 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8d1}, 'syz0\x00'}) 21:36:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x7901]}) [ 614.930214] binder: 538:564 transaction failed 29189/-3, size 24-8 line 2970 [ 614.997808] input: syz1 as /devices/virtual/input/input1636 21:36:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x2000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 615.076738] input: syz1 as /devices/virtual/input/input1637 21:36:25 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1e000000) 21:36:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x8914, &(0x7f0000000380)="6e7230010060a19ef9d2c673d9a1571cb9e1369bcd61ef7e49793ae18712eceb1daa769497800b7fbbd35b170c10751d39aeb660d863e49b8c4f3b3cad48902b5b2d6cfd0abd372c63bcf5d70df3fd4d2e8d443c88c60fd7140fbc0e5637dd82fc3435bed4de5d693c9a781c863e05d8a6f8689a5be29216061f3ff53f8b6b396678e7ba155ef9152d7e43b1eccb2331eb8eb1ed5586dcf8b3b0b999361a44ff2c22c2abbef42dd24eabe6723346a6e46c0499a21442d8d00dcb57f013ff7595edd0ff076930de3675d34117a44eb0e4f832936da44e") 21:36:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae9c, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x2c00]}) [ 615.193885] binder: 587:588 got transaction with invalid handle, 0 21:36:25 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6000000000000000}, 'syz0\x00'}) [ 615.260718] binder_alloc: 587: binder_alloc_buf, no vma [ 615.287597] binder: BINDER_SET_CONTEXT_MGR already set 21:36:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc020660b, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 615.341034] binder: 587:588 ioctl 40046207 0 returned -16 21:36:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x24d564b00000000]}) 21:36:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0xffffff7f}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 615.462462] input: syz1 as /devices/virtual/input/input1638 [ 615.542783] input: syz1 as /devices/virtual/input/input1639 [ 615.558153] binder: 615:617 got transaction with invalid handle, 0 21:36:25 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc0000) [ 615.582906] binder: BINDER_SET_CONTEXT_MGR already set 21:36:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) symlinkat(&(0x7f0000000540)='./file0\x00', 0xffffffffffffffff, &(0x7f00000005c0)='./file0\x00') 21:36:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x8080aea1, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0xa01000000000000]}) [ 615.644709] binder: 615:617 ioctl 40046207 0 returned -16 21:36:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x14000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:26 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x3f000000}, 'syz0\x00'}) 21:36:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x5451, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 615.851733] binder: 643:647 got transaction with invalid handle, 0 21:36:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 615.922922] binder: BINDER_SET_CONTEXT_MGR already set 21:36:26 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x9000000) 21:36:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x9f00004000000000]}) [ 615.943932] binder: 643:647 ioctl 40046207 0 returned -16 [ 615.972664] input: syz1 as /devices/virtual/input/input1640 [ 616.039654] input: syz1 as /devices/virtual/input/input1641 21:36:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6c}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae90, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0xd9010000]}) [ 616.208912] binder: 671:674 got transaction with invalid handle, 0 [ 616.235948] binder_alloc_mmap_handler: 3 callbacks suppressed [ 616.235965] binder_alloc: binder_alloc_mmap_handler: 671 20001000-20004000 already mapped failed -16 21:36:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x300000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:26 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdbf8}, 'syz0\x00'}) 21:36:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xaea2, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:26 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1d00) [ 616.411740] binder: 686:689 got transaction with invalid handle, 0 [ 616.469711] binder_alloc: binder_alloc_mmap_handler: 686 20001000-20004000 already mapped failed -16 [ 616.490516] input: syz1 as /devices/virtual/input/input1642 21:36:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1db]}) [ 616.515051] binder: BINDER_SET_CONTEXT_MGR already set 21:36:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 616.551744] binder: 686:689 ioctl 40046207 0 returned -16 [ 616.565076] input: syz1 as /devices/virtual/input/input1643 21:36:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4020940d, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x20000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 616.605566] binder_release_work: 17 callbacks suppressed [ 616.605572] binder: undelivered TRANSACTION_ERROR: 29201 [ 616.629507] binder: undelivered TRANSACTION_ERROR: 29189 21:36:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x70001c0]}) [ 616.740849] binder: 717:720 got transaction with invalid handle, 0 [ 616.779648] binder_alloc: binder_alloc_mmap_handler: 717 20001000-20004000 already mapped failed -16 21:36:27 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x2) [ 616.824919] binder: BINDER_SET_CONTEXT_MGR already set 21:36:27 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdbf8000000000000}, 'syz0\x00'}) [ 616.852896] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 616.852906] binder_alloc: 717: binder_alloc_buf, no vma 21:36:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x5000aea5, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 616.924186] binder: undelivered TRANSACTION_ERROR: 29201 [ 616.930253] binder: 717:720 ioctl 40046207 0 returned -16 21:36:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 616.967483] input: syz1 as /devices/virtual/input/input1644 [ 616.974694] binder: undelivered TRANSACTION_ERROR: 29189 21:36:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x3000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 617.046450] input: syz1 as /devices/virtual/input/input1645 21:36:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8000a0]}) 21:36:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x8090ae81, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 617.176249] binder: 749:753 got transaction with invalid handle, 0 [ 617.202021] binder_alloc: binder_alloc_mmap_handler: 749 20001000-20004000 already mapped failed -16 [ 617.228323] binder: BINDER_SET_CONTEXT_MGR already set 21:36:27 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbff80000}, 'syz0\x00'}) 21:36:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:27 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x200000003) [ 617.253820] binder: 749:753 ioctl 40046207 0 returned -16 [ 617.284357] binder: undelivered TRANSACTION_ERROR: 29201 21:36:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1e010000]}) [ 617.346114] input: syz1 as /devices/virtual/input/input1646 21:36:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x5450, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x1000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 617.411641] input: syz1 as /devices/virtual/input/input1647 21:36:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 617.482764] binder: 773:779 got transaction with invalid handle, 0 [ 617.521492] binder_alloc: binder_alloc_mmap_handler: 773 20001000-20004000 already mapped failed -16 [ 617.550426] binder_alloc: 773: binder_alloc_buf, no vma [ 617.556476] binder: undelivered TRANSACTION_ERROR: 29201 [ 617.562635] binder: undelivered TRANSACTION_ERROR: 29189 21:36:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x60000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:27 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8d3}, 'syz0\x00'}) 21:36:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa001]}) 21:36:28 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x80ffff00000000) 21:36:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4080aea2, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 617.706046] binder: 788:795 got transaction with invalid handle, 0 [ 617.738540] input: syz1 as /devices/virtual/input/input1648 [ 617.770316] binder_alloc: binder_alloc_mmap_handler: 788 20001000-20004000 already mapped failed -16 [ 617.808849] input: syz1 as /devices/virtual/input/input1649 [ 617.840090] binder: BINDER_SET_CONTEXT_MGR already set [ 617.858302] binder: 788:795 ioctl 40046207 0 returned -16 [ 617.872859] binder_alloc: 788: binder_alloc_buf, no vma 21:36:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x12}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 617.888848] binder: undelivered TRANSACTION_ERROR: 29201 [ 617.895928] binder: undelivered TRANSACTION_ERROR: 29189 21:36:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b00]}) 21:36:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4400ae8f, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 617.997485] binder_alloc: binder_alloc_mmap_handler: 814 20001000-20004000 already mapped failed -16 21:36:28 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xfdffffff00000000}, 'syz0\x00'}) [ 618.063508] binder: BINDER_SET_CONTEXT_MGR already set 21:36:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:28 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x17000000) [ 618.084322] binder_alloc: 814: binder_alloc_buf, no vma [ 618.110690] binder: undelivered TRANSACTION_ERROR: 29201 [ 618.116950] binder: 814:816 ioctl 40046207 0 returned -16 [ 618.145828] input: syz1 as /devices/virtual/input/input1650 21:36:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1d9]}) 21:36:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x1200000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 618.240440] input: syz1 as /devices/virtual/input/input1651 21:36:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae91, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) [ 618.397097] binder_transaction: 18 callbacks suppressed [ 618.397113] binder: 846:850 transaction failed 29201/-22, size 24-8 line 3062 [ 618.437030] binder_alloc: binder_alloc_mmap_handler: 846 20001000-20004000 already mapped failed -16 21:36:28 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe2f80000}, 'syz0\x00'}) 21:36:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000084]}) 21:36:28 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe803000000000000) [ 618.456264] binder: BINDER_SET_CONTEXT_MGR already set [ 618.473567] binder: 846:850 ioctl 40046207 0 returned -16 [ 618.490226] binder_alloc: 846: binder_alloc_buf, no vma [ 618.535626] input: syz1 as /devices/virtual/input/input1652 [ 618.547386] binder: 846:858 transaction failed 29189/-3, size 24-8 line 2970 21:36:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 618.597138] input: syz1 as /devices/virtual/input/input1653 21:36:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x400000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4188aea7, &(0x7f0000000380)={0x7b, 0x0, [0x40000003]}) 21:36:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2c]}) [ 618.741140] binder: 877:880 transaction failed 29201/-22, size 24-8 line 3062 21:36:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:29 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd0f80000}, 'syz0\x00'}) [ 618.789876] binder_alloc: binder_alloc_mmap_handler: 877 20001000-20004000 already mapped failed -16 [ 618.827904] binder: BINDER_SET_CONTEXT_MGR already set 21:36:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x1d, 0x0, [0x40000003]}) [ 618.850870] binder: 877:880 ioctl 40046207 0 returned -16 [ 618.868675] binder_alloc: 877: binder_alloc_buf, no vma [ 618.900876] binder: 877:885 transaction failed 29189/-3, size 24-8 line 2970 21:36:29 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x15000000) [ 618.944511] input: syz1 as /devices/virtual/input/input1654 [ 618.983695] input: syz1 as /devices/virtual/input/input1655 21:36:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xb0201c000000000]}) [ 619.120427] binder: 907:908 transaction failed 29201/-22, size 24-8 line 3062 [ 619.148294] binder_alloc: binder_alloc_mmap_handler: 907 20001000-20004000 already mapped failed -16 21:36:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x18, 0x0, [0x40000003]}) 21:36:29 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x2000000}, 'syz0\x00'}) 21:36:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010141]}) 21:36:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x600}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 619.336467] input: syz1 as /devices/virtual/input/input1656 21:36:29 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xa00) [ 619.431333] input: syz1 as /devices/virtual/input/input1657 [ 619.442174] binder: 935:938 transaction failed 29201/-22, size 24-8 line 3062 [ 619.473664] binder: BINDER_SET_CONTEXT_MGR already set 21:36:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x12, 0x0, [0x40000003]}) [ 619.535087] binder: 935:938 ioctl 40046207 0 returned -16 21:36:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000081]}) 21:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x3}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xd, 0x0, [0x40000003]}) 21:36:30 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x300}, 'syz0\x00'}) 21:36:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 619.752784] binder_translate_handle: 5 callbacks suppressed [ 619.752795] binder: 957:958 got transaction with invalid handle, 0 21:36:30 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xfffffdfd) [ 619.810084] input: syz1 as /devices/virtual/input/input1658 [ 619.835275] binder: 957:958 transaction failed 29201/-22, size 24-8 line 3062 [ 619.880949] input: syz1 as /devices/virtual/input/input1659 [ 619.900718] binder: BINDER_SET_CONTEXT_MGR already set 21:36:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x69, 0x0, [0x40000003]}) [ 619.922822] binder_alloc: 957: binder_alloc_buf, no vma 21:36:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010015]}) [ 619.957770] binder: 957:958 ioctl 40046207 0 returned -16 [ 619.973304] binder: 957:976 transaction failed 29189/-3, size 24-8 line 2970 21:36:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:30 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c3}, 'syz0\x00'}) 21:36:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x1b, 0x0, [0x40000003]}) 21:36:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc1000000]}) 21:36:30 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000) 21:36:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 620.215588] binder: 1001:1004 got transaction with invalid handle, 0 [ 620.260138] binder: 1001:1004 transaction failed 29201/-22, size 24-8 line 3062 [ 620.279558] input: syz1 as /devices/virtual/input/input1660 21:36:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xcd00]}) [ 620.328223] binder: BINDER_SET_CONTEXT_MGR already set [ 620.355233] binder_alloc: 1001: binder_alloc_buf, no vma [ 620.378141] input: syz1 as /devices/virtual/input/input1661 [ 620.415631] binder: 1001:1004 ioctl 40046207 0 returned -16 [ 620.422523] binder: 1001:1017 transaction failed 29189/-3, size 24-8 line 2970 21:36:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x9, 0x0, [0x40000003]}) 21:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10a]}) [ 620.593488] binder: 1032:1034 got transaction with invalid handle, 0 21:36:31 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c0}, 'syz0\x00'}) 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 620.672696] binder: BINDER_SET_CONTEXT_MGR already set 21:36:31 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1c00) [ 620.694004] binder_alloc: 1032: binder_alloc_buf, no vma 21:36:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x35, 0x0, [0x40000003]}) [ 620.755993] binder: 1032:1034 ioctl 40046207 0 returned -16 [ 620.782237] input: syz1 as /devices/virtual/input/input1662 21:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7400000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 620.814787] input: syz1 as /devices/virtual/input/input1663 21:36:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010055]}) 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x38, 0x0, [0x40000003]}) [ 620.985205] binder: 1061:1062 got transaction with invalid handle, 0 21:36:31 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe4ffffff00000000}, 'syz0\x00'}) [ 621.037695] binder: BINDER_SET_CONTEXT_MGR already set [ 621.043044] binder: 1061:1062 ioctl 40046207 0 returned -16 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x17a]}) 21:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x1400}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x60, 0x0, [0x40000003]}) [ 621.194998] input: syz1 as /devices/virtual/input/input1664 21:36:31 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1900) [ 621.249764] input: syz1 as /devices/virtual/input/input1665 [ 621.260752] binder: 1086:1089 got transaction with invalid handle, 0 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 621.331554] binder_alloc_mmap_handler: 5 callbacks suppressed [ 621.331572] binder_alloc: binder_alloc_mmap_handler: 1086 20001000-20004000 already mapped failed -16 [ 621.369874] binder: BINDER_SET_CONTEXT_MGR already set 21:36:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xcd00000000000000]}) 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 621.387016] binder: 1086:1089 ioctl 40046207 0 returned -16 [ 621.410401] binder_alloc: 1086: binder_alloc_buf, no vma 21:36:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x41, 0x0, [0x40000003]}) 21:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x700}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:31 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd4f80000}, 'syz0\x00'}) 21:36:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 621.598284] binder: 1120:1126 got transaction with invalid handle, 0 21:36:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa00d000000000000]}) [ 621.655917] input: syz1 as /devices/virtual/input/input1666 [ 621.668625] binder_alloc: binder_alloc_mmap_handler: 1120 20001000-20004000 already mapped failed -16 21:36:32 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000) 21:36:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6f, 0x0, [0x40000003]}) [ 621.708451] input: syz1 as /devices/virtual/input/input1667 [ 621.715624] binder: BINDER_SET_CONTEXT_MGR already set [ 621.751070] binder: 1120:1126 ioctl 40046207 0 returned -16 [ 621.812826] binder_release_work: 16 callbacks suppressed [ 621.812833] binder: undelivered TRANSACTION_ERROR: 29201 [ 621.826705] binder: undelivered TRANSACTION_ERROR: 29189 21:36:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x2}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a000000]}) 21:36:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x21, 0x0, [0x40000003]}) 21:36:32 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc1f8}, 'syz0\x00'}) 21:36:32 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc00000000000000) [ 622.066982] binder: 1157:1162 got transaction with invalid handle, 0 [ 622.095698] binder_alloc: binder_alloc_mmap_handler: 1157 20001000-20004000 already mapped failed -16 [ 622.108288] input: syz1 as /devices/virtual/input/input1668 21:36:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 622.137524] binder: BINDER_SET_CONTEXT_MGR already set 21:36:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xe0060000]}) [ 622.174714] input: syz1 as /devices/virtual/input/input1669 [ 622.217155] binder: 1157:1162 ioctl 40046207 0 returned -16 [ 622.223081] binder: undelivered TRANSACTION_ERROR: 29201 [ 622.223091] binder_alloc_new_buf_locked: 1 callbacks suppressed [ 622.223105] binder_alloc: 1157: binder_alloc_buf, no vma 21:36:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r1 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r1, &(0x7f00000005c0)='./file0\x00') [ 622.307882] binder: undelivered TRANSACTION_ERROR: 29189 21:36:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x42, 0x0, [0x40000003]}) 21:36:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6800000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:32 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdff8}, 'syz0\x00'}) 21:36:32 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1e00) [ 622.434395] 9pnet: Insufficient options for proto=fd 21:36:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x150001c0]}) [ 622.454710] binder: 1189:1191 got transaction with invalid handle, 0 [ 622.473663] 9pnet: Insufficient options for proto=fd [ 622.507513] binder_alloc: binder_alloc_mmap_handler: 1189 20001000-20004000 already mapped failed -16 [ 622.544365] input: syz1 as /devices/virtual/input/input1670 [ 622.570643] input: syz1 as /devices/virtual/input/input1671 [ 622.580384] binder: BINDER_SET_CONTEXT_MGR already set [ 622.596724] binder: 1189:1191 ioctl 40046207 0 returned -16 21:36:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r1 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r1, &(0x7f00000005c0)='./file0\x00') 21:36:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x1c, 0x0, [0x40000003]}) [ 622.623767] binder_alloc: 1189: binder_alloc_buf, no vma [ 622.655923] binder: undelivered TRANSACTION_ERROR: 29201 [ 622.662144] binder: undelivered TRANSACTION_ERROR: 29189 21:36:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xfe]}) [ 622.717682] 9pnet: Insufficient options for proto=fd 21:36:33 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd6f8}, 'syz0\x00'}) 21:36:33 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x100000000000000) [ 622.763445] 9pnet: Insufficient options for proto=fd 21:36:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x500000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r1 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r1, &(0x7f00000005c0)='./file0\x00') [ 622.900108] input: syz1 as /devices/virtual/input/input1672 [ 622.918986] binder: 1232:1235 got transaction with invalid handle, 0 [ 622.940715] binder_alloc: binder_alloc_mmap_handler: 1232 20001000-20004000 already mapped failed -16 21:36:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x14d564b]}) 21:36:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xa, 0x0, [0x40000003]}) [ 622.962091] input: syz1 as /devices/virtual/input/input1673 [ 622.998168] binder: BINDER_SET_CONTEXT_MGR already set [ 623.023999] binder: 1232:1235 ioctl 40046207 0 returned -16 [ 623.058642] binder_alloc: 1232: binder_alloc_buf, no vma 21:36:33 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x300000000000000) 21:36:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xffffff7f00000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 623.086544] 9pnet: Insufficient options for proto=fd [ 623.089002] binder: undelivered TRANSACTION_ERROR: 29201 [ 623.114852] 9pnet: Insufficient options for proto=fd [ 623.118991] binder: undelivered TRANSACTION_ERROR: 29189 21:36:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:33 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c8}, 'syz0\x00'}) 21:36:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6d, 0x0, [0x40000003]}) 21:36:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x580001c0]}) [ 623.270103] binder: 1258:1261 got transaction with invalid handle, 0 [ 623.315725] binder_alloc: binder_alloc_mmap_handler: 1258 20001000-20004000 already mapped failed -16 [ 623.325494] binder: BINDER_SET_CONTEXT_MGR already set 21:36:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 623.358010] input: syz1 as /devices/virtual/input/input1674 [ 623.369867] binder_alloc: 1258: binder_alloc_buf, no vma [ 623.406822] binder: undelivered TRANSACTION_ERROR: 29201 [ 623.413449] binder: 1258:1261 ioctl 40046207 0 returned -16 [ 623.429961] input: syz1 as /devices/virtual/input/input1675 [ 623.437864] binder_transaction: 14 callbacks suppressed [ 623.437882] binder: 1258:1268 transaction failed 29189/-3, size 24-8 line 2970 21:36:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x74000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 623.464364] binder: undelivered TRANSACTION_ERROR: 29189 21:36:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x76010000]}) 21:36:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5a, 0x0, [0x40000003]}) 21:36:33 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x11000000) [ 623.624622] binder: 1286:1288 transaction failed 29201/-22, size 24-8 line 3062 21:36:34 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$KVM_GET_REG_LIST(r0, 0xc008aeb0, &(0x7f0000000180)={0x2, [0x9, 0x8001]}) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:34 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8bd}, 'syz0\x00'}) [ 623.687423] binder_alloc: binder_alloc_mmap_handler: 1286 20001000-20004000 already mapped failed -16 [ 623.726679] binder: BINDER_SET_CONTEXT_MGR already set [ 623.747397] binder: 1286:1288 ioctl 40046207 0 returned -16 [ 623.770220] binder_alloc: 1286: binder_alloc_buf, no vma 21:36:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc2000000]}) [ 623.797802] binder: 1286:1295 transaction failed 29189/-3, size 24-8 line 2970 [ 623.816869] input: syz1 as /devices/virtual/input/input1676 21:36:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x17, 0x0, [0x40000003]}) 21:36:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 623.871008] input: syz1 as /devices/virtual/input/input1677 21:36:34 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:34 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1300) 21:36:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x79, 0x0, [0x40000003]}) 21:36:34 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xfdfdffff}, 'syz0\x00'}) [ 624.052267] binder: 1321:1325 transaction failed 29201/-22, size 24-8 line 3062 21:36:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd0040000]}) 21:36:34 executing program 2: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') [ 624.124365] binder_alloc: binder_alloc_mmap_handler: 1321 20001000-20004000 already mapped failed -16 [ 624.183864] input: syz1 as /devices/virtual/input/input1678 [ 624.199008] binder: BINDER_SET_CONTEXT_MGR already set [ 624.256008] input: syz1 as /devices/virtual/input/input1679 [ 624.266646] binder: 1321:1325 ioctl 40046207 0 returned -16 [ 624.273979] binder_alloc: 1321: binder_alloc_buf, no vma 21:36:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7401000000000000]}) 21:36:34 executing program 2: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') [ 624.299862] binder: 1321:1342 transaction failed 29189/-3, size 24-8 line 2970 21:36:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5d, 0x0, [0x40000003]}) 21:36:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6c00000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:34 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x400000000000000) 21:36:34 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8e5}, 'syz0\x00'}) 21:36:34 executing program 2: ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') 21:36:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x11, 0x0, [0x40000003]}) [ 624.531514] binder: 1362:1367 transaction failed 29201/-22, size 24-8 line 3062 [ 624.570794] binder_alloc: binder_alloc_mmap_handler: 1362 20001000-20004000 already mapped failed -16 [ 624.594048] binder: BINDER_SET_CONTEXT_MGR already set [ 624.599748] binder: 1362:1367 ioctl 40046207 0 returned -16 [ 624.606142] input: syz1 as /devices/virtual/input/input1680 [ 624.608118] binder_alloc: 1362: binder_alloc_buf, no vma [ 624.658509] binder: 1362:1369 transaction failed 29189/-3, size 24-8 line 2970 [ 624.694416] input: syz1 as /devices/virtual/input/input1681 21:36:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc200000000000000]}) 21:36:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x48000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:35 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5f, 0x0, [0x40000003]}) 21:36:35 executing program 2: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:35 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x16000000) 21:36:35 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x7f00000000000000}, 'syz0\x00'}) [ 624.876783] binder_translate_handle: 3 callbacks suppressed [ 624.882667] binder: 1399:1401 got transaction with invalid handle, 0 [ 624.904162] binder: 1399:1401 transaction failed 29201/-22, size 24-8 line 3062 21:36:35 executing program 2: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 624.980715] binder_alloc: binder_alloc_mmap_handler: 1399 20001000-20004000 already mapped failed -16 [ 625.020525] input: syz1 as /devices/virtual/input/input1682 21:36:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9f000040]}) 21:36:35 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2a, 0x0, [0x40000003]}) [ 625.026586] binder: BINDER_SET_CONTEXT_MGR already set [ 625.045239] binder: 1399:1401 ioctl 40046207 0 returned -16 [ 625.063031] binder_alloc: 1399: binder_alloc_buf, no vma [ 625.096843] input: syz1 as /devices/virtual/input/input1683 [ 625.129490] binder: 1399:1419 transaction failed 29189/-3, size 24-8 line 2970 21:36:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x2000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:35 executing program 2: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:35 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1500) 21:36:35 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc4f8000000000000}, 'syz0\x00'}) [ 625.346010] binder: 1438:1440 got transaction with invalid handle, 0 [ 625.364338] binder: 1438:1440 transaction failed 29201/-22, size 24-8 line 3062 [ 625.418796] binder: BINDER_SET_CONTEXT_MGR already set [ 625.424142] binder: 1438:1448 ioctl 40046207 0 returned -16 21:36:35 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') 21:36:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8b000000]}) [ 625.463440] input: syz1 as /devices/virtual/input/input1684 21:36:35 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x46, 0x0, [0x40000003]}) 21:36:35 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x10) 21:36:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x14}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 625.553833] input: syz1 as /devices/virtual/input/input1685 21:36:36 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') [ 625.701013] binder: 1469:1470 got transaction with invalid handle, 0 [ 625.709491] binder: BINDER_SET_CONTEXT_MGR already set [ 625.715005] binder: 1469:1470 ioctl 40046207 0 returned -16 [ 625.720955] binder_alloc: 1469: binder_alloc_buf, no vma 21:36:36 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3, 0x0, [0x40000003]}) 21:36:36 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x20100c0]}) 21:36:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x74}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:36 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x4000000000000}, 'syz0\x00'}) 21:36:36 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) write$P9_RREADDIR(r1, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r1, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r1, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r1, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r1, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@access_uid={'access'}}]}}) r2 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r2, &(0x7f00000005c0)='./file0\x00') [ 625.928300] binder: 1485:1490 got transaction with invalid handle, 0 [ 625.938102] input: syz1 as /devices/virtual/input/input1686 [ 625.953227] binder: BINDER_SET_CONTEXT_MGR already set 21:36:36 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x3800000000000000) [ 626.003697] input: syz1 as /devices/virtual/input/input1687 [ 626.012591] binder: 1485:1490 ioctl 40046207 0 returned -16 21:36:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x60}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:36 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:36 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x30, 0x0, [0x40000003]}) 21:36:36 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xb0201c0]}) 21:36:36 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbcf80000}, 'syz0\x00'}) [ 626.174183] binder: 1507:1508 got transaction with invalid handle, 0 [ 626.199726] binder: BINDER_SET_CONTEXT_MGR already set [ 626.228797] binder_alloc: 1507: binder_alloc_buf, no vma [ 626.258397] binder: 1507:1508 ioctl 40046207 0 returned -16 [ 626.292601] input: syz1 as /devices/virtual/input/input1688 21:36:36 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 626.342757] input: syz1 as /devices/virtual/input/input1689 21:36:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4800000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:36 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x37, 0x0, [0x40000003]}) 21:36:36 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x13000000) 21:36:36 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4800]}) 21:36:36 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:36 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x2}, 'syz0\x00'}) [ 626.520698] binder: 1535:1537 got transaction with invalid handle, 0 [ 626.538278] binder_alloc_mmap_handler: 4 callbacks suppressed [ 626.538295] binder_alloc: binder_alloc_mmap_handler: 1535 20001000-20004000 already mapped failed -16 [ 626.607734] binder: BINDER_SET_CONTEXT_MGR already set [ 626.629756] binder: 1535:1537 ioctl 40046207 0 returned -16 21:36:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x100000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:37 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x10, 0x0, [0x40000003]}) 21:36:37 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc001001b]}) [ 626.731989] input: syz1 as /devices/virtual/input/input1690 21:36:37 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 626.810519] input: syz1 as /devices/virtual/input/input1691 [ 626.836376] binder: 1559:1561 got transaction with invalid handle, 0 21:36:37 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1400) [ 626.877104] binder_alloc: binder_alloc_mmap_handler: 1559 20001000-20004000 already mapped failed -16 [ 626.905805] binder: BINDER_SET_CONTEXT_MGR already set [ 626.920771] binder: 1559:1561 ioctl 40046207 0 returned -16 21:36:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 626.949450] binder_release_work: 16 callbacks suppressed [ 626.949458] binder: undelivered TRANSACTION_ERROR: 29201 [ 626.977425] binder: undelivered TRANSACTION_ERROR: 29189 21:36:37 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3a00000000000000]}) 21:36:37 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:37 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x8000000}, 'syz0\x00'}) 21:36:37 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4b, 0x0, [0x40000003]}) [ 627.122703] binder: 1579:1583 got transaction with invalid handle, 0 [ 627.165259] binder_alloc: binder_alloc_mmap_handler: 1579 20001000-20004000 already mapped failed -16 [ 627.197063] input: syz1 as /devices/virtual/input/input1692 [ 627.226983] binder: BINDER_SET_CONTEXT_MGR already set [ 627.242244] binder: 1579:1583 ioctl 40046207 0 returned -16 [ 627.256938] input: syz1 as /devices/virtual/input/input1693 [ 627.270313] binder_alloc_new_buf_locked: 2 callbacks suppressed 21:36:37 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x800000000000000) 21:36:37 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xce00000000000000]}) 21:36:37 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 627.270321] binder_alloc: 1579: binder_alloc_buf, no vma [ 627.292918] binder: undelivered TRANSACTION_ERROR: 29201 [ 627.301325] binder: undelivered TRANSACTION_ERROR: 29189 21:36:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x500}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:37 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x64, 0x0, [0x40000003]}) 21:36:37 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8601000000000000]}) [ 627.480405] binder: 1608:1609 got transaction with invalid handle, 0 21:36:37 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcdf8}, 'syz0\x00'}) [ 627.525522] binder_alloc: binder_alloc_mmap_handler: 1608 20001000-20004000 already mapped failed -16 [ 627.579998] binder: BINDER_SET_CONTEXT_MGR already set [ 627.601754] binder: 1608:1609 ioctl 40046207 0 returned -16 [ 627.614377] binder_alloc: 1608: binder_alloc_buf, no vma [ 627.625000] binder: undelivered TRANSACTION_ERROR: 29201 21:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7a00}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 627.631857] binder: undelivered TRANSACTION_ERROR: 29189 [ 627.652047] input: syz1 as /devices/virtual/input/input1694 21:36:38 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x18000000) 21:36:38 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xce000000]}) [ 627.721262] input: syz1 as /devices/virtual/input/input1695 21:36:38 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 627.787939] binder: 1633:1636 got transaction with invalid handle, 0 21:36:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x26, 0x0, [0x40000003]}) [ 627.847880] binder_alloc: binder_alloc_mmap_handler: 1633 20001000-20004000 already mapped failed -16 [ 627.882764] binder: BINDER_SET_CONTEXT_MGR already set [ 627.897353] 9pnet: Insufficient options for proto=fd [ 627.906706] binder: 1633:1636 ioctl 40046207 0 returned -16 [ 627.920789] binder_alloc: 1633: binder_alloc_buf, no vma [ 627.936091] binder: undelivered TRANSACTION_ERROR: 29201 21:36:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x67, 0x0, [0x40000003]}) [ 627.959026] binder: undelivered TRANSACTION_ERROR: 29189 21:36:38 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8ce}, 'syz0\x00'}) 21:36:38 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xde010000]}) 21:36:38 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:38 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xf000000) 21:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x48}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 628.130019] 9pnet: Insufficient options for proto=fd [ 628.162331] input: syz1 as /devices/virtual/input/input1696 [ 628.188157] binder_alloc: binder_alloc_mmap_handler: 1666 20001000-20004000 already mapped failed -16 21:36:38 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 628.232982] binder: BINDER_SET_CONTEXT_MGR already set 21:36:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x52, 0x0, [0x40000003]}) [ 628.264950] input: syz1 as /devices/virtual/input/input1697 [ 628.271490] binder: 1666:1670 ioctl 40046207 0 returned -16 [ 628.287139] binder_alloc: 1666: binder_alloc_buf, no vma 21:36:38 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1f0001c0]}) [ 628.316537] binder: undelivered TRANSACTION_ERROR: 29201 [ 628.333450] binder: undelivered TRANSACTION_ERROR: 29189 [ 628.341261] 9pnet: Insufficient options for proto=fd 21:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xffffffff00000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:38 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1b00) 21:36:38 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:38 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6b, 0x0, [0x40000003]}) 21:36:38 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc1f8000000000000}, 'syz0\x00'}) 21:36:38 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x40000108]}) [ 628.538308] binder_transaction: 17 callbacks suppressed [ 628.538325] binder: 1692:1693 transaction failed 29201/-22, size 24-8 line 3062 [ 628.607601] input: syz1 as /devices/virtual/input/input1698 [ 628.633320] 9pnet: Insufficient options for proto=fd [ 628.640471] binder_alloc: binder_alloc_mmap_handler: 1692 20001000-20004000 already mapped failed -16 [ 628.682232] input: syz1 as /devices/virtual/input/input1699 [ 628.688409] binder: BINDER_SET_CONTEXT_MGR already set [ 628.693748] binder: 1692:1693 ioctl 40046207 0 returned -16 [ 628.699750] binder_alloc: 1692: binder_alloc_buf, no vma [ 628.705920] binder: 1692:1715 transaction failed 29189/-3, size 24-8 line 2970 21:36:39 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xfdfdffff00000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:39 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x43, 0x0, [0x40000003]}) 21:36:39 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9901000000000000]}) 21:36:39 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xffff8000) 21:36:39 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe4ffffff}, 'syz0\x00'}) [ 628.880283] 9pnet: Insufficient options for proto=fd [ 628.895424] binder: 1723:1725 transaction failed 29201/-22, size 24-8 line 3062 [ 628.917283] binder_alloc: binder_alloc_mmap_handler: 1723 20001000-20004000 already mapped failed -16 21:36:39 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 628.999554] binder: BINDER_SET_CONTEXT_MGR already set [ 629.008960] binder: 1723:1725 ioctl 40046207 0 returned -16 [ 629.030016] input: syz1 as /devices/virtual/input/input1700 [ 629.031512] binder_alloc: 1723: binder_alloc_buf, no vma [ 629.065598] binder: 1723:1741 transaction failed 29189/-3, size 24-8 line 2970 21:36:39 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x56, 0x0, [0x40000003]}) 21:36:39 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:39 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1c0]}) [ 629.112252] input: syz1 as /devices/virtual/input/input1701 [ 629.136739] 9pnet: Insufficient options for proto=fd 21:36:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7a00000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:39 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe) 21:36:39 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x790c}, 'syz0\x00'}) [ 629.295458] binder: 1755:1757 transaction failed 29201/-22, size 24-8 line 3062 [ 629.342539] binder_alloc: binder_alloc_mmap_handler: 1755 20001000-20004000 already mapped failed -16 21:36:39 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:39 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x51, 0x0, [0x40000003]}) [ 629.387034] binder: BINDER_SET_CONTEXT_MGR already set [ 629.404702] binder: 1755:1757 ioctl 40046207 0 returned -16 [ 629.428711] input: syz1 as /devices/virtual/input/input1702 [ 629.451741] binder_alloc: 1755: binder_alloc_buf, no vma [ 629.482655] binder: 1755:1774 transaction failed 29189/-3, size 24-8 line 2970 [ 629.496453] input: syz1 as /devices/virtual/input/input1703 21:36:39 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:39 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x34d564b]}) 21:36:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6000000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:39 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x5) 21:36:40 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd9f8000000000000}, 'syz0\x00'}) 21:36:40 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x0, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x61, 0x0, [0x40000003]}) [ 629.722513] binder: 1791:1794 transaction failed 29201/-22, size 24-8 line 3062 [ 629.758882] binder_alloc: binder_alloc_mmap_handler: 1791 20001000-20004000 already mapped failed -16 [ 629.793054] binder: BINDER_SET_CONTEXT_MGR already set [ 629.808312] binder: 1791:1794 ioctl 40046207 0 returned -16 [ 629.826132] binder_alloc: 1791: binder_alloc_buf, no vma 21:36:40 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xcd]}) [ 629.837373] binder: 1791:1795 transaction failed 29189/-3, size 24-8 line 2970 [ 629.847382] input: syz1 as /devices/virtual/input/input1704 [ 629.877753] input: syz1 as /devices/virtual/input/input1705 21:36:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x2000000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:40 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x0, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4a, 0x0, [0x40000003]}) 21:36:40 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1400000000000000) [ 630.062012] binder_translate_handle: 5 callbacks suppressed [ 630.062022] binder: 1817:1818 got transaction with invalid handle, 0 21:36:40 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x201c0]}) [ 630.112897] binder: 1817:1818 transaction failed 29201/-22, size 24-8 line 3062 21:36:40 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd0f8000000000000}, 'syz0\x00'}) 21:36:40 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x0, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 630.154946] binder: BINDER_SET_CONTEXT_MGR already set [ 630.202220] binder: 1817:1818 ioctl 40046207 0 returned -16 [ 630.202278] binder_alloc: 1817: binder_alloc_buf, no vma [ 630.240825] binder: 1817:1825 transaction failed 29189/-3, size 24-8 line 2970 21:36:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x68}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 630.258310] input: syz1 as /devices/virtual/input/input1706 21:36:40 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4e, 0x0, [0x40000003]}) [ 630.355956] input: syz1 as /devices/virtual/input/input1707 [ 630.367949] binder: 1843:1845 got transaction with invalid handle, 0 [ 630.384501] binder: BINDER_SET_CONTEXT_MGR already set 21:36:40 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xbff]}) 21:36:40 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 630.412141] binder_alloc: 1843: binder_alloc_buf, no vma [ 630.437366] binder: 1843:1845 ioctl 40046207 0 returned -16 21:36:40 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x3) 21:36:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x600000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:40 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x4800000000000000}, 'syz0\x00'}) 21:36:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x48, 0x0, [0x40000003]}) [ 630.601173] binder: 1861:1863 got transaction with invalid handle, 0 21:36:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x801004000000000]}) 21:36:41 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 630.679210] binder: BINDER_SET_CONTEXT_MGR already set [ 630.688073] input: syz1 as /devices/virtual/input/input1708 [ 630.700469] binder: 1861:1863 ioctl 40046207 0 returned -16 [ 630.751922] input: syz1 as /devices/virtual/input/input1709 21:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xa00000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x22, 0x0, [0x40000003]}) 21:36:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x100c000000000]}) [ 630.897879] binder: 1886:1887 got transaction with invalid handle, 0 [ 630.919517] binder: BINDER_SET_CONTEXT_MGR already set 21:36:41 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x8) 21:36:41 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:41 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc2f8}, 'syz0\x00'}) [ 630.953585] binder: 1886:1887 ioctl 40046207 0 returned -16 21:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x68000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x29, 0x0, [0x40000003]}) [ 631.093930] input: syz1 as /devices/virtual/input/input1710 21:36:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x830000c0]}) [ 631.152852] binder: 1908:1909 got transaction with invalid handle, 0 21:36:41 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 631.209311] binder: BINDER_SET_CONTEXT_MGR already set [ 631.226818] input: syz1 as /devices/virtual/input/input1711 [ 631.235653] binder: 1908:1915 ioctl 40046207 0 returned -16 21:36:41 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x57, 0x0, [0x40000003]}) 21:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x1200}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:41 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcaf8}, 'syz0\x00'}) 21:36:41 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x19) [ 631.454432] binder: 1931:1936 got transaction with invalid handle, 0 [ 631.463550] input: syz1 as /devices/virtual/input/input1712 21:36:41 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 631.496925] binder: BINDER_SET_CONTEXT_MGR already set 21:36:41 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x400000b7]}) [ 631.526781] binder: 1931:1936 ioctl 40046207 0 returned -16 [ 631.548528] input: syz1 as /devices/virtual/input/input1713 21:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x300}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x8, 0x0, [0x40000003]}) 21:36:42 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xd00000000000000) 21:36:42 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b000000]}) [ 631.710708] binder: 1952:1954 got transaction with invalid handle, 0 21:36:42 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc5f8}, 'syz0\x00'}) [ 631.780250] binder_alloc_mmap_handler: 6 callbacks suppressed [ 631.780268] binder_alloc: binder_alloc_mmap_handler: 1952 20001000-20004000 already mapped failed -16 21:36:42 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 631.859813] input: syz1 as /devices/virtual/input/input1714 21:36:42 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xff02]}) 21:36:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3a, 0x0, [0x40000003]}) 21:36:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 631.940209] input: syz1 as /devices/virtual/input/input1715 21:36:42 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xf00000000000000) 21:36:42 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 632.077969] binder: 1984:1988 got transaction with invalid handle, 0 [ 632.104852] binder_alloc: binder_alloc_mmap_handler: 1984 20001000-20004000 already mapped failed -16 [ 632.126303] binder: BINDER_SET_CONTEXT_MGR already set 21:36:42 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x7a}, 'syz0\x00'}) 21:36:42 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x80040000]}) [ 632.164454] binder: 1984:1988 ioctl 40046207 0 returned -16 [ 632.171993] binder_release_work: 22 callbacks suppressed [ 632.172001] binder: undelivered TRANSACTION_ERROR: 29201 21:36:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7a}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 632.289653] input: syz1 as /devices/virtual/input/input1716 21:36:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x49, 0x0, [0x40000003]}) 21:36:42 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 632.404950] binder: 2011:2015 got transaction with invalid handle, 0 21:36:42 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2c000000]}) 21:36:42 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x45, 0x0, [0x40000003]}) 21:36:42 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x600) [ 632.483151] binder_alloc: binder_alloc_mmap_handler: 2011 20001000-20004000 already mapped failed -16 [ 632.519825] binder: BINDER_SET_CONTEXT_MGR already set 21:36:42 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc0f8000000000000}, 'syz0\x00'}) [ 632.554500] binder: 2011:2015 ioctl 40046207 0 returned -16 [ 632.586751] binder_alloc_new_buf_locked: 5 callbacks suppressed [ 632.586760] binder_alloc: 2011: binder_alloc_buf, no vma 21:36:42 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 632.608999] binder: undelivered TRANSACTION_ERROR: 29201 [ 632.649517] input: syz1 as /devices/virtual/input/input1718 [ 632.673485] binder: undelivered TRANSACTION_ERROR: 29189 21:36:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x70, 0x0, [0x40000003]}) 21:36:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x700000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:43 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8004000000000000]}) [ 632.734626] input: syz1 as /devices/virtual/input/input1719 21:36:43 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 632.862967] binder: 2047:2052 got transaction with invalid handle, 0 [ 632.893954] binder_alloc: binder_alloc_mmap_handler: 2047 20001000-20004000 already mapped failed -16 21:36:43 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xb00) [ 632.923456] binder: BINDER_SET_CONTEXT_MGR already set [ 632.938322] binder: 2047:2052 ioctl 40046207 0 returned -16 [ 632.954270] binder_alloc: 2047: binder_alloc_buf, no vma [ 632.967917] binder: undelivered TRANSACTION_ERROR: 29201 21:36:43 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x97ffffff}, 'syz0\x00'}) 21:36:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xc, 0x0, [0x40000003]}) [ 632.974912] binder: undelivered TRANSACTION_ERROR: 29189 21:36:43 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x17b]}) 21:36:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4c000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:43 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 633.137622] input: syz1 as /devices/virtual/input/input1720 [ 633.190666] binder_alloc: binder_alloc_mmap_handler: 2070 20001000-20004000 already mapped failed -16 [ 633.211570] input: syz1 as /devices/virtual/input/input1721 [ 633.234966] binder: BINDER_SET_CONTEXT_MGR already set 21:36:43 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(0xffffffffffffffff, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:43 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1200) [ 633.255895] binder: 2070:2079 ioctl 40046207 0 returned -16 21:36:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x36, 0x0, [0x40000003]}) 21:36:43 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x12]}) [ 633.338867] binder_alloc: 2070: binder_alloc_buf, no vma [ 633.369082] binder: undelivered TRANSACTION_ERROR: 29201 [ 633.387129] binder: undelivered TRANSACTION_ERROR: 29189 21:36:43 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe0f8}, 'syz0\x00'}) 21:36:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xfffffdfd}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:43 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x0, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:43 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2d, 0x0, [0x40000003]}) 21:36:43 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9f00004000000000]}) [ 633.571865] input: syz1 as /devices/virtual/input/input1722 [ 633.610561] input: syz1 as /devices/virtual/input/input1723 21:36:44 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x3800) [ 633.640393] binder_alloc: binder_alloc_mmap_handler: 2105 20001000-20004000 already mapped failed -16 [ 633.686647] binder: BINDER_SET_CONTEXT_MGR already set [ 633.691992] binder: 2105:2108 ioctl 40046207 0 returned -16 [ 633.698927] binder_alloc: 2105: binder_alloc_buf, no vma [ 633.713638] binder_transaction: 19 callbacks suppressed [ 633.713686] binder: 2105:2121 transaction failed 29189/-3, size 24-8 line 2970 [ 633.769172] binder: undelivered TRANSACTION_ERROR: 29189 21:36:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6c, 0x0, [0x40000003]}) 21:36:44 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x0, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:44 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa001000000000000]}) 21:36:44 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc) 21:36:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7a000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:44 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8be}, 'syz0\x00'}) [ 633.990107] binder: 2138:2139 transaction failed 29201/-22, size 24-8 line 3062 21:36:44 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10040]}) 21:36:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x74, 0x0, [0x40000003]}) [ 634.067681] input: syz1 as /devices/virtual/input/input1724 [ 634.083603] binder_alloc: binder_alloc_mmap_handler: 2138 20001000-20004000 already mapped failed -16 21:36:44 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x16, 0x6f, 0x1, {0x1, [{}]}}, 0x16) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 634.127995] binder: BINDER_SET_CONTEXT_MGR already set [ 634.142604] input: syz1 as /devices/virtual/input/input1725 21:36:44 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x16) [ 634.175503] binder: 2138:2139 ioctl 40046207 0 returned -16 [ 634.211988] binder_alloc: 2138: binder_alloc_buf, no vma [ 634.252909] binder: 2138:2166 transaction failed 29189/-3, size 24-8 line 2970 [ 634.295542] binder: undelivered TRANSACTION_ERROR: 29201 [ 634.304324] binder: undelivered TRANSACTION_ERROR: 29189 21:36:44 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x16, 0x6f, 0x1, {0x1, [{}]}}, 0x16) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:44 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6, 0x0, [0x40000003]}) 21:36:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4800}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:44 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x176]}) 21:36:44 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x800000000000000}, 'syz0\x00'}) [ 634.442868] binder: 2181:2182 transaction failed 29201/-22, size 24-8 line 3062 [ 634.494963] binder_alloc: binder_alloc_mmap_handler: 2181 20001000-20004000 already mapped failed -16 [ 634.507217] input: syz1 as /devices/virtual/input/input1726 21:36:44 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 634.573158] input: syz1 as /devices/virtual/input/input1727 [ 634.586511] binder: BINDER_SET_CONTEXT_MGR already set [ 634.591837] binder: 2181:2182 ioctl 40046207 0 returned -16 21:36:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x75, 0x0, [0x40000003]}) [ 634.661122] binder_alloc: 2181: binder_alloc_buf, no vma 21:36:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a]}) 21:36:45 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc000000) 21:36:45 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 634.711696] binder: 2181:2200 transaction failed 29189/-3, size 24-8 line 2970 21:36:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xa}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:45 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6c000000}, 'syz0\x00'}) 21:36:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x16, 0x0, [0x40000003]}) 21:36:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8701]}) [ 634.932024] input: syz1 as /devices/virtual/input/input1728 [ 634.946026] binder: 2224:2227 transaction failed 29201/-22, size 24-8 line 3062 [ 634.992688] binder_alloc: binder_alloc_mmap_handler: 2224 20001000-20004000 already mapped failed -16 [ 635.018381] input: syz1 as /devices/virtual/input/input1729 21:36:45 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 635.044825] binder: BINDER_SET_CONTEXT_MGR already set 21:36:45 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe00) [ 635.080865] binder: 2224:2227 ioctl 40046207 0 returned -16 [ 635.087764] binder_alloc: 2224: binder_alloc_buf, no vma [ 635.101428] binder: 2224:2241 transaction failed 29189/-3, size 24-8 line 2970 21:36:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x8000000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9801]}) 21:36:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5, 0x0, [0x40000003]}) 21:36:45 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x1000000000}, 'syz0\x00'}) 21:36:45 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 635.296349] binder_translate_handle: 4 callbacks suppressed [ 635.296360] binder: 2254:2256 got transaction with invalid handle, 0 [ 635.325606] binder: 2254:2256 transaction failed 29201/-22, size 24-8 line 3062 21:36:45 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1200]}) [ 635.366149] input: syz1 as /devices/virtual/input/input1730 [ 635.380168] binder_alloc: binder_alloc_mmap_handler: 2254 20001000-20004000 already mapped failed -16 [ 635.427960] binder: BINDER_SET_CONTEXT_MGR already set [ 635.448921] binder: 2254:2256 ioctl 40046207 0 returned -16 [ 635.454064] binder_alloc: 2254: binder_alloc_buf, no vma 21:36:45 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x300000002000000) 21:36:45 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x65, 0x0, [0x40000003]}) [ 635.475809] input: syz1 as /devices/virtual/input/input1731 [ 635.521758] binder: 2254:2276 transaction failed 29189/-3, size 24-8 line 2970 21:36:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x200000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:45 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 635.620841] binder: 2284:2285 got transaction with invalid handle, 0 [ 635.629401] binder: 2284:2285 transaction failed 29201/-22, size 24-8 line 3062 21:36:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1100000000000000]}) [ 635.669393] binder: BINDER_SET_CONTEXT_MGR already set [ 635.685284] binder_alloc: 2284: binder_alloc_buf, no vma 21:36:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x66, 0x0, [0x40000003]}) 21:36:46 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffff7f00000000}, 'syz0\x00'}) [ 635.732117] binder: 2284:2285 ioctl 40046207 0 returned -16 21:36:46 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4c00000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:46 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe000000) [ 635.827063] input: syz1 as /devices/virtual/input/input1732 [ 635.857832] input: syz1 as /devices/virtual/input/input1733 [ 635.958665] binder: 2310:2312 got transaction with invalid handle, 0 [ 635.995506] binder: BINDER_SET_CONTEXT_MGR already set 21:36:46 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(0xffffffffffffffff, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x120101c000000000]}) [ 636.009040] binder_alloc: 2310: binder_alloc_buf, no vma [ 636.027447] binder: 2310:2312 ioctl 40046207 0 returned -16 21:36:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3b, 0x0, [0x40000003]}) 21:36:46 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x1f000000}, 'syz0\x00'}) 21:36:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xa000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:46 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x10000000) [ 636.201675] input: syz1 as /devices/virtual/input/input1734 [ 636.240210] input: syz1 as /devices/virtual/input/input1735 21:36:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4c, 0x0, [0x40000003]}) 21:36:46 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x0, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 636.279378] binder: 2338:2340 got transaction with invalid handle, 0 21:36:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x410101c0]}) [ 636.343046] binder: BINDER_SET_CONTEXT_MGR already set [ 636.381636] binder: 2338:2345 ioctl 40046207 0 returned -16 21:36:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x14000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:46 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc7f80000}, 'syz0\x00'}) 21:36:46 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3c, 0x0, [0x40000003]}) 21:36:46 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x0, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:46 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1700) 21:36:46 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x80ffff]}) [ 636.583809] input: syz1 as /devices/virtual/input/input1736 [ 636.587136] binder: 2365:2366 got transaction with invalid handle, 0 [ 636.667820] input: syz1 as /devices/virtual/input/input1737 [ 636.681470] binder: BINDER_SET_CONTEXT_MGR already set [ 636.720956] binder: 2365:2366 ioctl 40046207 0 returned -16 21:36:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5e, 0x0, [0x40000003]}) 21:36:47 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0xb, 0x29, 0x1}, 0xb) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:47 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc2f80000}, 'syz0\x00'}) 21:36:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6c00}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:47 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4001]}) [ 636.947394] input: syz1 as /devices/virtual/input/input1738 21:36:47 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xc00) [ 637.000344] binder: 2405:2408 got transaction with invalid handle, 0 [ 637.030911] input: syz1 as /devices/virtual/input/input1739 [ 637.034079] binder_alloc_mmap_handler: 4 callbacks suppressed [ 637.034097] binder_alloc: binder_alloc_mmap_handler: 2405 20001000-20004000 already mapped failed -16 21:36:47 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xfffffdfd, 0x0, [0x40000003]}) [ 637.112734] binder: BINDER_SET_CONTEXT_MGR already set [ 637.130256] binder: 2405:2408 ioctl 40046207 0 returned -16 21:36:47 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7a01]}) 21:36:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x2000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:47 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xddf80000}, 'syz0\x00'}) 21:36:47 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x28, 0x0, [0x40000003]}) 21:36:47 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 637.318580] binder: 2430:2431 got transaction with invalid handle, 0 [ 637.351371] binder_alloc: binder_alloc_mmap_handler: 2430 20001000-20004000 already mapped failed -16 [ 637.397293] binder: BINDER_SET_CONTEXT_MGR already set 21:36:47 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1e) [ 637.420901] binder: 2430:2431 ioctl 40046207 0 returned -16 [ 637.426784] input: syz1 as /devices/virtual/input/input1740 [ 637.464629] binder_release_work: 16 callbacks suppressed [ 637.464637] binder: undelivered TRANSACTION_ERROR: 29201 21:36:47 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xce00]}) [ 637.512498] input: syz1 as /devices/virtual/input/input1741 [ 637.520014] binder: undelivered TRANSACTION_ERROR: 29189 21:36:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x7400}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:47 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(0xffffffffffffffff, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4d, 0x0, [0x40000003]}) [ 637.663266] binder: 2460:2461 got transaction with invalid handle, 0 [ 637.701173] binder_alloc: binder_alloc_mmap_handler: 2460 20001000-20004000 already mapped failed -16 21:36:48 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c5}, 'syz0\x00'}) 21:36:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x40000100]}) [ 637.716805] binder: BINDER_SET_CONTEXT_MGR already set [ 637.728793] binder_alloc_new_buf_locked: 4 callbacks suppressed [ 637.728801] binder_alloc: 2460: binder_alloc_buf, no vma [ 637.757286] binder: 2460:2461 ioctl 40046207 0 returned -16 [ 637.784438] binder: undelivered TRANSACTION_ERROR: 29201 [ 637.796042] binder: undelivered TRANSACTION_ERROR: 29189 21:36:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x5}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 637.846535] input: syz1 as /devices/virtual/input/input1742 21:36:48 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x40000) 21:36:48 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x78, 0x0, [0x40000003]}) 21:36:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7601000000000000]}) [ 637.897007] input: syz1 as /devices/virtual/input/input1743 [ 637.989372] binder: 2485:2486 got transaction with invalid handle, 0 [ 638.032735] binder_alloc: binder_alloc_mmap_handler: 2485 20001000-20004000 already mapped failed -16 [ 638.068542] binder: BINDER_SET_CONTEXT_MGR already set [ 638.073883] binder: 2485:2486 ioctl 40046207 0 returned -16 21:36:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7, 0x0, [0x40000003]}) 21:36:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x400101c0]}) 21:36:48 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6c00000000000000}, 'syz0\x00'}) [ 638.118328] binder_alloc: 2485: binder_alloc_buf, no vma 21:36:48 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 638.164816] binder: undelivered TRANSACTION_ERROR: 29201 [ 638.185533] binder: undelivered TRANSACTION_ERROR: 29189 21:36:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x1400000000000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 638.250532] input: syz1 as /devices/virtual/input/input1744 21:36:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6e, 0x0, [0x40000003]}) [ 638.327010] input: syz1 as /devices/virtual/input/input1745 21:36:48 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 638.371895] binder: 2519:2522 got transaction with invalid handle, 0 21:36:48 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1e00000000000000) 21:36:48 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b]}) [ 638.429275] binder_alloc: binder_alloc_mmap_handler: 2519 20001000-20004000 already mapped failed -16 [ 638.456995] binder: BINDER_SET_CONTEXT_MGR already set [ 638.487174] binder: 2519:2522 ioctl 40046207 0 returned -16 [ 638.519825] binder_alloc: 2519: binder_alloc_buf, no vma 21:36:48 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x47, 0x0, [0x40000003]}) [ 638.542525] binder: undelivered TRANSACTION_ERROR: 29201 [ 638.579781] binder: undelivered TRANSACTION_ERROR: 29189 21:36:48 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6800}, 'syz0\x00'}) 21:36:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x12000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x550001c000000000]}) 21:36:49 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:49 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x39, 0x0, [0x40000003]}) [ 638.725542] binder_transaction: 17 callbacks suppressed [ 638.725557] binder: 2546:2547 transaction failed 29201/-22, size 24-8 line 3062 [ 638.749115] input: syz1 as /devices/virtual/input/input1746 21:36:49 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xb00000000000000) [ 638.800300] input: syz1 as /devices/virtual/input/input1747 21:36:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1000000]}) [ 638.856962] binder_alloc: binder_alloc_mmap_handler: 2546 20001000-20004000 already mapped failed -16 [ 638.914577] binder: BINDER_SET_CONTEXT_MGR already set 21:36:49 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x2000}, 'syz0\x00'}) [ 638.944124] binder: 2546:2547 ioctl 40046207 0 returned -16 21:36:49 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 638.987126] binder_alloc: 2546: binder_alloc_buf, no vma [ 639.005231] binder: 2546:2570 transaction failed 29189/-3, size 24-8 line 2970 [ 639.026466] binder: undelivered TRANSACTION_ERROR: 29189 21:36:49 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x68, 0x0, [0x40000003]}) [ 639.032849] binder: undelivered TRANSACTION_ERROR: 29201 [ 639.071747] input: syz1 as /devices/virtual/input/input1748 [ 639.122667] input: syz1 as /devices/virtual/input/input1749 21:36:49 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xb0000040]}) 21:36:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xfdfdffff}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:49 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x8000000) 21:36:49 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2f, 0x0, [0x40000003]}) 21:36:49 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x3000000}, 'syz0\x00'}) [ 639.318832] 9pnet: Insufficient options for proto=fd 21:36:49 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 639.350877] binder: 2592:2597 transaction failed 29201/-22, size 24-8 line 3062 21:36:49 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa00d]}) [ 639.449527] binder_alloc: binder_alloc_mmap_handler: 2592 20001000-20004000 already mapped failed -16 [ 639.469795] input: syz1 as /devices/virtual/input/input1750 [ 639.475945] binder: BINDER_SET_CONTEXT_MGR already set [ 639.492431] 9pnet: Insufficient options for proto=fd [ 639.496811] binder: 2592:2597 ioctl 40046207 0 returned -16 21:36:49 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 639.531998] input: syz1 as /devices/virtual/input/input1751 [ 639.565906] binder_alloc: 2592: binder_alloc_buf, no vma 21:36:49 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xd000000) [ 639.601498] binder: 2592:2620 transaction failed 29189/-3, size 24-8 line 2970 21:36:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x34, 0x0, [0x40000003]}) 21:36:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6800}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7501]}) [ 639.702667] 9pnet: Insufficient options for proto=fd 21:36:50 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x700}, 'syz0\x00'}) 21:36:50 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x23, 0x0, [0x40000003]}) [ 639.852534] binder: 2639:2641 transaction failed 29201/-22, size 24-8 line 3062 21:36:50 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x300) [ 639.914558] input: syz1 as /devices/virtual/input/input1752 [ 639.935410] binder_alloc: binder_alloc_mmap_handler: 2639 20001000-20004000 already mapped failed -16 21:36:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x400101c000000000]}) [ 639.975124] binder: BINDER_SET_CONTEXT_MGR already set [ 639.993542] binder: 2639:2641 ioctl 40046207 0 returned -16 [ 639.999870] input: syz1 as /devices/virtual/input/input1753 [ 640.007973] 9pnet: Insufficient options for proto=fd 21:36:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xa00}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:50 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x50, 0x0, [0x40000003]}) [ 640.149849] binder: 2666:2669 transaction failed 29201/-22, size 24-8 line 3062 [ 640.172779] 9pnet: Insufficient options for proto=fd 21:36:50 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b00000000000000]}) [ 640.215817] binder_alloc: binder_alloc_mmap_handler: 2666 20001000-20004000 already mapped failed -16 21:36:50 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd4f8}, 'syz0\x00'}) 21:36:50 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x38) [ 640.302210] binder_alloc: 2666: binder_alloc_buf, no vma [ 640.302215] binder: BINDER_SET_CONTEXT_MGR already set [ 640.302239] binder: 2666:2669 ioctl 40046207 0 returned -16 [ 640.308825] 9pnet: Insufficient options for proto=fd [ 640.320751] binder: 2666:2675 transaction failed 29189/-3, size 24-8 line 2970 21:36:50 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:50 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xff0b0000]}) [ 640.456989] input: syz1 as /devices/virtual/input/input1754 21:36:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4c}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:50 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x19, 0x0, [0x40000003]}) 21:36:50 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x0, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 640.544152] input: syz1 as /devices/virtual/input/input1755 [ 640.607290] binder_translate_handle: 4 callbacks suppressed [ 640.607300] binder: 2705:2707 got transaction with invalid handle, 0 [ 640.620853] binder: 2705:2707 transaction failed 29201/-22, size 24-8 line 3062 [ 640.633356] binder_alloc: binder_alloc_mmap_handler: 2705 20001000-20004000 already mapped failed -16 [ 640.649692] binder: BINDER_SET_CONTEXT_MGR already set [ 640.663622] binder: 2705:2707 ioctl 40046207 0 returned -16 [ 640.680059] binder_alloc: 2705: binder_alloc_buf, no vma 21:36:51 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', 0xffffffffffffffff, &(0x7f00000005c0)='./file0\x00') [ 640.705459] binder: 2705:2710 transaction failed 29189/-3, size 24-8 line 2970 21:36:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa00d0000]}) 21:36:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x5000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:51 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x62, 0x0, [0x40000003]}) 21:36:51 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc9f8}, 'syz0\x00'}) 21:36:51 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1700000000000000) [ 640.850144] binder: 2723:2724 got transaction with invalid handle, 0 [ 640.872461] binder: 2723:2724 transaction failed 29201/-22, size 24-8 line 3062 [ 640.888274] input: syz1 as /devices/virtual/input/input1756 [ 640.947595] input: syz1 as /devices/virtual/input/input1757 [ 640.958030] binder: BINDER_SET_CONTEXT_MGR already set [ 640.984452] binder_alloc: 2723: binder_alloc_buf, no vma 21:36:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x20000]}) 21:36:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x48}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 641.003212] binder: 2723:2724 ioctl 40046207 0 returned -16 21:36:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6c000000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:51 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3d, 0x0, [0x40000003]}) 21:36:51 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffffe4}, 'syz0\x00'}) [ 641.144554] binder: 2760:2761 got transaction with invalid handle, 0 21:36:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a00]}) [ 641.197115] binder: BINDER_SET_CONTEXT_MGR already set [ 641.202453] binder: 2762:2763 ioctl 40046207 0 returned -16 21:36:51 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1d00000000000000) [ 641.242080] binder: 2762:2763 got transaction with invalid handle, 0 [ 641.267543] input: syz1 as /devices/virtual/input/input1758 [ 641.270853] binder: BINDER_SET_CONTEXT_MGR already set [ 641.309984] binder: 2762:2771 got transaction with invalid handle, 0 [ 641.319833] input: syz1 as /devices/virtual/input/input1759 [ 641.346106] binder: 2762:2763 ioctl 40046207 0 returned -16 21:36:51 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x1, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:51 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7a, 0x0, [0x40000003]}) 21:36:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0xffffff7f}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:51 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x491]}) 21:36:51 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcef80000}, 'syz0\x00'}) [ 641.542306] binder: 2793:2795 got transaction with invalid handle, 0 21:36:52 executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdcf8}, 'syz0\x00'}) 21:36:52 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5b, 0x0, [0x40000003]}) 21:36:52 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x600000000000000) [ 641.600657] binder_alloc: 2793: binder_alloc_buf, no vma [ 641.635470] binder: BINDER_SET_CONTEXT_MGR already set [ 641.640823] binder: 2793:2795 ioctl 40046207 0 returned -16 [ 641.668735] input: syz1 as /devices/virtual/input/input1760 [ 641.713467] input: syz1 as /devices/virtual/input/input1761 [ 641.749940] input: syz1 as /devices/virtual/input/input1762 21:36:52 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x40000000]}) 21:36:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x6000}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:52 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0xcd00]}) 21:36:52 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x55, 0x0, [0x40000003]}) 21:36:52 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdaf80000}, 'syz0\x00'}) [ 641.969172] binder: 2827:2829 got transaction with invalid handle, 0 21:36:52 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x8000000000) [ 642.017655] binder_alloc: 2827: binder_alloc_buf, no vma [ 642.051756] input: syz1 as /devices/virtual/input/input1763 [ 642.059181] binder: BINDER_SET_CONTEXT_MGR already set 21:36:52 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8b]}) [ 642.066145] binder: 2827:2829 ioctl 40046207 0 returned -16 [ 642.102394] input: syz1 as /devices/virtual/input/input1764 21:36:52 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x32, 0x0, [0x40000003]}) 21:36:52 executing program 2 (fault-call:14 fault-nth:0): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85, 0x0, 0x0, 0x4c00}], &(0x7f0000000080)=[0x0]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:52 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdef80000}, 'syz0\x00'}) 21:36:52 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x130101c000000000]}) [ 642.318770] FAULT_INJECTION: forcing a failure. [ 642.318770] name failslab, interval 1, probability 0, space 0, times 0 [ 642.371870] binder: 2857:2858 got transaction with invalid handle, 0 [ 642.410803] CPU: 0 PID: 2853 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 642.418037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 642.427400] Call Trace: [ 642.427432] dump_stack+0x1c4/0x2b4 [ 642.427458] ? dump_stack_print_info.cold.2+0x52/0x52 [ 642.427483] ? find_held_lock+0x36/0x1c0 [ 642.427517] should_fail.cold.4+0xa/0x17 [ 642.427540] ? get_pid_task+0xd6/0x1a0 [ 642.433750] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 642.433774] ? graph_lock+0x170/0x170 [ 642.433788] ? find_held_lock+0x36/0x1c0 [ 642.433812] ? __f_unlock_pos+0x19/0x20 [ 642.443058] ? find_held_lock+0x36/0x1c0 [ 642.443097] ? ___might_sleep+0x1ed/0x300 [ 642.443118] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 642.451048] ? arch_local_save_flags+0x40/0x40 [ 642.451080] __should_failslab+0x124/0x180 [ 642.451101] should_failslab+0x9/0x14 [ 642.468017] kmem_cache_alloc+0x2be/0x730 [ 642.468037] ? check_preemption_disabled+0x48/0x200 [ 642.468064] getname_flags+0xd0/0x5a0 [ 642.468084] do_symlinkat+0x8b/0x2d0 [ 642.479355] input: syz1 as /devices/virtual/input/input1765 [ 642.481225] ? do_syscall_64+0x9a/0x820 [ 642.481247] ? lockdep_hardirqs_on+0x421/0x5c0 [ 642.481267] ? __ia32_sys_unlink+0x50/0x50 [ 642.481285] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 642.481303] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 642.481325] __x64_sys_symlinkat+0x73/0xb0 [ 642.544012] do_syscall_64+0x1b9/0x820 [ 642.547907] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 642.553277] ? syscall_return_slowpath+0x5e0/0x5e0 [ 642.558207] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 642.563056] ? trace_hardirqs_on_caller+0x310/0x310 [ 642.568079] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 642.573105] ? prepare_exit_to_usermode+0x291/0x3b0 [ 642.578161] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 642.583022] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 642.588211] RIP: 0033:0x457569 [ 642.591407] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 642.610314] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a 21:36:53 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2c, 0x0, [0x40000003]}) 21:36:53 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1300000000000000) [ 642.618030] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 642.625307] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 642.632577] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 642.639858] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 642.647137] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 642.699154] input: syz1 as /devices/virtual/input/input1766 [ 642.708938] binder: BINDER_SET_CONTEXT_MGR already set [ 642.710050] binder_alloc_mmap_handler: 4 callbacks suppressed [ 642.710068] binder_alloc: binder_alloc_mmap_handler: 2857 20001000-20004000 already mapped failed -16 [ 642.714251] binder: 2857:2858 ioctl 40046207 0 returned -16 [ 642.737662] binder_alloc: 2857: binder_alloc_buf, no vma [ 642.753952] binder_release_work: 16 callbacks suppressed [ 642.753959] binder: undelivered TRANSACTION_ERROR: 29201 [ 642.766546] binder: undelivered TRANSACTION_ERROR: 29189 21:36:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6c00000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:53 executing program 2 (fault-call:14 fault-nth:1): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:53 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4d564b00000000]}) [ 642.871941] binder: 2883:2884 got transaction with invalid offset (7782220156096217088, min 0 max 24) or object. 21:36:53 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x31, 0x0, [0x40000003]}) 21:36:53 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc5f8000000000000}, 'syz0\x00'}) 21:36:53 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe803) [ 642.960689] binder_alloc: binder_alloc_mmap_handler: 2883 20001000-20004000 already mapped failed -16 [ 642.996093] FAULT_INJECTION: forcing a failure. [ 642.996093] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 643.007965] CPU: 1 PID: 2889 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 643.015178] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 643.024556] Call Trace: [ 643.027180] dump_stack+0x1c4/0x2b4 [ 643.030843] ? dump_stack_print_info.cold.2+0x52/0x52 [ 643.030869] ? __lock_acquire+0x7ec/0x4ec0 [ 643.030892] ? graph_lock+0x170/0x170 [ 643.040316] should_fail.cold.4+0xa/0x17 [ 643.040339] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 643.040373] ? mark_held_locks+0x130/0x130 [ 643.048208] ? graph_lock+0x170/0x170 [ 643.048227] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 643.048242] ? _kstrtoull+0x188/0x250 [ 643.048258] ? _parse_integer+0x180/0x180 [ 643.048273] ? graph_lock+0x170/0x170 [ 643.048288] ? lock_release+0x970/0x970 [ 643.048303] ? arch_local_save_flags+0x40/0x40 [ 643.048322] ? find_held_lock+0x36/0x1c0 [ 643.048340] ? graph_lock+0x170/0x170 [ 643.048359] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 643.057691] ? should_fail+0x22d/0xd01 [ 643.057707] ? get_pid_task+0xd6/0x1a0 [ 643.057727] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 643.057754] __alloc_pages_nodemask+0x34b/0xde0 [ 643.057768] ? find_held_lock+0x36/0x1c0 [ 643.057796] ? __alloc_pages_slowpath+0x2d80/0x2d80 [ 643.067135] ? __f_unlock_pos+0x19/0x20 [ 643.067160] ? find_held_lock+0x36/0x1c0 [ 643.067194] ? ___might_sleep+0x1ed/0x300 [ 643.078914] ? trace_hardirqs_off+0xb8/0x310 [ 643.078939] cache_grow_begin+0x91/0x8c0 [ 643.078957] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 643.078983] ? check_preemption_disabled+0x48/0x200 [ 643.087537] kmem_cache_alloc+0x665/0x730 [ 643.087556] ? check_preemption_disabled+0x48/0x200 [ 643.087581] getname_flags+0xd0/0x5a0 [ 643.087602] do_symlinkat+0x8b/0x2d0 [ 643.087628] ? do_syscall_64+0x9a/0x820 [ 643.087645] ? lockdep_hardirqs_on+0x421/0x5c0 [ 643.087665] ? __ia32_sys_unlink+0x50/0x50 [ 643.092738] input: syz1 as /devices/virtual/input/input1767 [ 643.095516] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 643.095537] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 643.095562] __x64_sys_symlinkat+0x73/0xb0 [ 643.095582] do_syscall_64+0x1b9/0x820 [ 643.095596] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 643.095626] ? syscall_return_slowpath+0x5e0/0x5e0 [ 643.095641] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 643.095655] ? trace_hardirqs_on_caller+0x310/0x310 [ 643.095670] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 643.095694] ? prepare_exit_to_usermode+0x291/0x3b0 [ 643.095715] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 643.095742] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 643.252955] RIP: 0033:0x457569 [ 643.256166] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 643.275529] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 643.283251] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 643.290524] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 643.297793] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 643.305063] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 643.312334] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 643.353071] input: syz1 as /devices/virtual/input/input1768 [ 643.378162] binder: BINDER_SET_CONTEXT_MGR already set 21:36:53 executing program 2 (fault-call:14 fault-nth:2): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 643.416947] binder: 2883:2884 ioctl 40046207 0 returned -16 [ 643.444061] binder: undelivered TRANSACTION_ERROR: 29201 [ 643.449981] binder_alloc: 2883: binder_alloc_buf, no vma 21:36:53 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x73, 0x0, [0x40000003]}) [ 643.463009] binder: undelivered TRANSACTION_ERROR: 29189 21:36:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x3000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:53 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x6) 21:36:53 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x820000c0]}) 21:36:53 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd2f80000}, 'syz0\x00'}) [ 643.640858] binder: 2918:2920 got transaction with invalid offset (50331648, min 0 max 24) or object. [ 643.680872] binder_alloc: binder_alloc_mmap_handler: 2918 20001000-20004000 already mapped failed -16 21:36:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x40010000]}) [ 643.707038] binder: BINDER_SET_CONTEXT_MGR already set 21:36:54 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x1e, 0x0, [0x40000003]}) [ 643.733767] input: syz1 as /devices/virtual/input/input1769 [ 643.739736] binder: 2918:2920 ioctl 40046207 0 returned -16 [ 643.754834] binder: undelivered TRANSACTION_ERROR: 29201 21:36:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x600000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2]}) [ 643.796749] input: syz1 as /devices/virtual/input/input1770 21:36:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x34]}) [ 643.922368] binder: 2941:2948 got transaction with invalid offset (432345564227567616, min 0 max 24) or object. 21:36:54 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xe, 0x0, [0x40000003]}) [ 643.964054] binder_transaction: 13 callbacks suppressed [ 643.964074] binder: 2941:2948 transaction failed 29201/-22, size 24-8 line 3033 [ 644.011827] binder_alloc: binder_alloc_mmap_handler: 2941 20001000-20004000 already mapped failed -16 [ 644.051509] binder: BINDER_SET_CONTEXT_MGR already set [ 644.065761] binder: 2941:2948 ioctl 40046207 0 returned -16 [ 644.088001] binder_alloc: 2941: binder_alloc_buf, no vma [ 644.097040] binder: undelivered TRANSACTION_ERROR: 29201 [ 644.098506] binder: 2941:2953 transaction failed 29189/-3, size 24-8 line 2970 [ 644.110794] binder: undelivered TRANSACTION_ERROR: 29189 [ 644.183156] FAULT_INJECTION: forcing a failure. [ 644.183156] name failslab, interval 1, probability 0, space 0, times 0 [ 644.194830] CPU: 1 PID: 2959 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 644.202026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 644.211378] Call Trace: [ 644.213961] dump_stack+0x1c4/0x2b4 [ 644.217594] ? dump_stack_print_info.cold.2+0x52/0x52 [ 644.222798] ? graph_lock+0x170/0x170 [ 644.226595] should_fail.cold.4+0xa/0x17 [ 644.230656] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 644.235743] ? smack_privileged+0xd0/0xd0 [ 644.239880] ? walk_component+0x3fe/0x25c0 [ 644.244106] ? find_held_lock+0x36/0x1c0 [ 644.248160] ? graph_lock+0x170/0x170 [ 644.251947] ? graph_lock+0x170/0x170 [ 644.255736] ? mark_held_locks+0x130/0x130 [ 644.259955] ? __lock_acquire+0x7ec/0x4ec0 [ 644.264179] ? smk_curacc+0x7f/0xa0 [ 644.267836] ? find_held_lock+0x36/0x1c0 [ 644.271889] ? __lock_is_held+0xb5/0x140 [ 644.275946] ? ___might_sleep+0x1ed/0x300 [ 644.280085] ? arch_local_save_flags+0x40/0x40 [ 644.284666] __should_failslab+0x124/0x180 [ 644.288892] should_failslab+0x9/0x14 [ 644.292684] kmem_cache_alloc+0x2be/0x730 [ 644.296885] __d_alloc+0xc8/0xcc0 [ 644.300331] ? shrink_dcache_for_umount+0x2b0/0x2b0 [ 644.305349] ? d_alloc_parallel+0x1f40/0x1f40 [ 644.309841] ? d_lookup+0x269/0x340 [ 644.313520] ? d_lookup+0x269/0x340 [ 644.317204] ? lockdep_hardirqs_on+0x421/0x5c0 [ 644.321827] ? lookup_dcache+0x22/0x140 [ 644.325793] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 644.331242] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 644.336254] d_alloc+0x96/0x380 [ 644.339521] ? __d_lookup+0x9e0/0x9e0 [ 644.343310] ? __d_alloc+0xcc0/0xcc0 [ 644.347020] __lookup_hash+0xd9/0x190 [ 644.350813] filename_create+0x1e5/0x5b0 [ 644.354863] ? kern_path_mountpoint+0x40/0x40 [ 644.359350] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 644.364872] ? getname_flags+0x26e/0x5a0 [ 644.368922] do_symlinkat+0xfe/0x2d0 [ 644.372632] ? do_syscall_64+0x9a/0x820 [ 644.376597] ? __ia32_sys_unlink+0x50/0x50 [ 644.380846] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 644.386296] __x64_sys_symlinkat+0x73/0xb0 [ 644.390522] do_syscall_64+0x1b9/0x820 [ 644.394399] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 644.399753] ? syscall_return_slowpath+0x5e0/0x5e0 [ 644.404675] ? trace_hardirqs_on_caller+0x310/0x310 [ 644.409701] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 644.414706] ? recalc_sigpending_tsk+0x180/0x180 [ 644.419450] ? kasan_check_write+0x14/0x20 [ 644.423685] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 644.428524] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 644.433699] RIP: 0033:0x457569 [ 644.436883] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 644.455775] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 644.463474] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 644.470741] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 21:36:54 executing program 2 (fault-call:14 fault-nth:3): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:54 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x10000000}, 'syz0\x00'}) 21:36:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x700000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:54 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x33, 0x0, [0x40000003]}) 21:36:54 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x24d564b00000000]}) 21:36:54 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x13) [ 644.477999] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 644.485253] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 644.492522] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 644.551605] input: syz1 as /devices/virtual/input/input1771 [ 644.561248] binder: 2967:2970 got transaction with invalid offset (504403158265495552, min 0 max 24) or object. [ 644.598242] input: syz1 as /devices/virtual/input/input1772 [ 644.635911] binder: 2967:2970 transaction failed 29201/-22, size 24-8 line 3033 21:36:55 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a1001c000000000]}) [ 644.662962] binder_alloc: binder_alloc_mmap_handler: 2967 20001000-20004000 already mapped failed -16 [ 644.699943] binder: BINDER_SET_CONTEXT_MGR already set 21:36:55 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x76, 0x0, [0x40000003]}) [ 644.718019] FAULT_INJECTION: forcing a failure. [ 644.718019] name failslab, interval 1, probability 0, space 0, times 0 [ 644.732859] binder: 2967:2970 ioctl 40046207 0 returned -16 [ 644.752545] binder: undelivered TRANSACTION_ERROR: 29201 [ 644.772757] CPU: 0 PID: 2981 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 644.779997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 644.780011] Call Trace: [ 644.780041] dump_stack+0x1c4/0x2b4 [ 644.780075] ? dump_stack_print_info.cold.2+0x52/0x52 [ 644.792008] ? kernel_text_address+0x79/0xf0 [ 644.792037] should_fail.cold.4+0xa/0x17 [ 644.805254] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 644.814395] ? __lock_acquire+0x7ec/0x4ec0 [ 644.818657] ? graph_lock+0x170/0x170 [ 644.822471] ? save_stack+0x43/0xd0 [ 644.826107] ? kasan_kmalloc+0xc7/0xe0 [ 644.826121] ? kasan_slab_alloc+0x12/0x20 [ 644.826139] ? graph_lock+0x170/0x170 [ 644.826154] ? graph_lock+0x170/0x170 [ 644.826177] ? find_held_lock+0x36/0x1c0 [ 644.826197] ? __lock_is_held+0xb5/0x140 [ 644.849912] ? ___might_sleep+0x1ed/0x300 [ 644.854093] ? arch_local_save_flags+0x40/0x40 [ 644.858697] __should_failslab+0x124/0x180 [ 644.862945] should_failslab+0x9/0x14 [ 644.866759] kmem_cache_alloc_trace+0x2d7/0x750 [ 644.871436] ? _raw_spin_unlock+0x2c/0x50 [ 644.875599] p9_fid_create+0x49/0x2b0 [ 644.879426] p9_client_walk+0x124/0xb30 [ 644.883406] ? find_held_lock+0x36/0x1c0 [ 644.887479] ? p9_client_zc_rpc.constprop.10+0x1550/0x1550 [ 644.893112] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 644.898133] ? d_alloc+0x28b/0x380 [ 644.901680] ? lock_downgrade+0x846/0x900 [ 644.905836] ? v9fs_fid_add+0x240/0x240 [ 644.909823] ? kasan_check_read+0x11/0x20 [ 644.913984] ? do_raw_spin_unlock+0xa7/0x2f0 [ 644.918402] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 644.923009] v9fs_vfs_lookup+0x1f7/0x4a0 [ 644.927129] ? v9fs_vfs_lookup+0x1f7/0x4a0 [ 644.931368] ? d_alloc+0x290/0x380 [ 644.934924] ? v9fs_vfs_create+0x130/0x130 [ 644.939181] __lookup_hash+0x12e/0x190 [ 644.943085] filename_create+0x1e5/0x5b0 [ 644.947165] ? kern_path_mountpoint+0x40/0x40 [ 644.951677] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 644.957225] ? getname_flags+0x26e/0x5a0 [ 644.961300] do_symlinkat+0xfe/0x2d0 [ 644.965021] ? do_syscall_64+0x9a/0x820 [ 644.969025] ? __ia32_sys_unlink+0x50/0x50 [ 644.973274] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 644.978761] __x64_sys_symlinkat+0x73/0xb0 [ 644.983018] do_syscall_64+0x1b9/0x820 [ 644.986924] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 644.992302] ? syscall_return_slowpath+0x5e0/0x5e0 [ 644.997259] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 645.002116] ? trace_hardirqs_on_caller+0x310/0x310 [ 645.007144] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 645.012172] ? prepare_exit_to_usermode+0x291/0x3b0 [ 645.017222] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 645.022085] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 645.027281] RIP: 0033:0x457569 [ 645.030481] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 645.049395] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 645.057123] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 645.064415] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 21:36:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xa]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 645.071716] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 645.079009] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 645.086296] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 21:36:55 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x800000000}, 'syz0\x00'}) 21:36:55 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10100c0]}) [ 645.149896] binder: 2995:2996 got transaction with invalid offset (10, min 0 max 24) or object. [ 645.194904] binder: 2995:2996 transaction failed 29201/-22, size 24-8 line 3033 [ 645.210260] input: syz1 as /devices/virtual/input/input1773 21:36:55 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x63, 0x0, [0x40000003]}) [ 645.248385] binder_alloc: binder_alloc_mmap_handler: 2995 20001000-20004000 already mapped failed -16 [ 645.283318] binder: BINDER_SET_CONTEXT_MGR already set [ 645.295013] binder: 2995:2996 ioctl 40046207 0 returned -16 [ 645.307435] input: syz1 as /devices/virtual/input/input1774 [ 645.316020] binder_alloc: 2995: binder_alloc_buf, no vma [ 645.327726] binder: 2995:3006 transaction failed 29189/-3, size 24-8 line 2970 21:36:55 executing program 2 (fault-call:14 fault-nth:4): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:55 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x12000000) [ 645.348434] binder: undelivered TRANSACTION_ERROR: 29201 [ 645.362643] binder: undelivered TRANSACTION_ERROR: 29189 21:36:55 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x87010000]}) 21:36:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6800000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:55 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2b, 0x0, [0x40000003]}) 21:36:55 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcbf80000}, 'syz0\x00'}) [ 645.577296] binder: 3031:3032 got transaction with invalid offset (7493989779944505344, min 0 max 24) or object. [ 645.589362] FAULT_INJECTION: forcing a failure. [ 645.589362] name failslab, interval 1, probability 0, space 0, times 0 [ 645.620095] CPU: 0 PID: 3039 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 645.627336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 645.636694] Call Trace: [ 645.639298] dump_stack+0x1c4/0x2b4 [ 645.642947] ? dump_stack_print_info.cold.2+0x52/0x52 [ 645.648150] ? graph_lock+0x170/0x170 [ 645.651966] should_fail.cold.4+0xa/0x17 [ 645.656044] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 645.661150] ? smack_privileged+0xd0/0xd0 [ 645.665317] ? walk_component+0x3fe/0x25c0 [ 645.669565] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 645.674583] ? map_id_up+0x193/0x3d0 [ 645.678311] ? graph_lock+0x170/0x170 [ 645.682121] ? graph_lock+0x170/0x170 [ 645.685928] ? mark_held_locks+0x130/0x130 [ 645.690166] ? __lock_acquire+0x7ec/0x4ec0 [ 645.694405] ? smk_curacc+0x7f/0xa0 [ 645.698043] ? find_held_lock+0x36/0x1c0 [ 645.702111] ? __lock_is_held+0xb5/0x140 [ 645.706194] ? ___might_sleep+0x1ed/0x300 [ 645.710349] ? arch_local_save_flags+0x40/0x40 [ 645.714949] __should_failslab+0x124/0x180 [ 645.719200] should_failslab+0x9/0x14 [ 645.723011] kmem_cache_alloc+0x2be/0x730 [ 645.727176] __d_alloc+0xc8/0xcc0 [ 645.730644] ? shrink_dcache_for_umount+0x2b0/0x2b0 [ 645.735697] ? d_alloc_parallel+0x1f40/0x1f40 [ 645.740195] ? d_lookup+0x269/0x340 [ 645.743826] ? d_lookup+0x269/0x340 [ 645.747464] ? lockdep_hardirqs_on+0x421/0x5c0 [ 645.752058] ? lookup_dcache+0x22/0x140 [ 645.756045] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 645.761513] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 645.766542] d_alloc+0x96/0x380 [ 645.769829] ? __d_lookup+0x9e0/0x9e0 [ 645.773648] ? __d_alloc+0xcc0/0xcc0 [ 645.777386] __lookup_hash+0xd9/0x190 [ 645.781214] filename_create+0x1e5/0x5b0 [ 645.785282] ? kern_path_mountpoint+0x40/0x40 [ 645.789820] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 645.795363] ? getname_flags+0x26e/0x5a0 [ 645.799442] do_symlinkat+0xfe/0x2d0 [ 645.803159] ? do_syscall_64+0x9a/0x820 [ 645.807145] ? __ia32_sys_unlink+0x50/0x50 [ 645.811390] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 645.816854] __x64_sys_symlinkat+0x73/0xb0 [ 645.821109] do_syscall_64+0x1b9/0x820 [ 645.825004] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 645.830378] ? syscall_return_slowpath+0x5e0/0x5e0 [ 645.835315] ? trace_hardirqs_on_caller+0x310/0x310 [ 645.840347] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 645.845372] ? recalc_sigpending_tsk+0x180/0x180 [ 645.850137] ? kasan_check_write+0x14/0x20 [ 645.854383] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 645.859246] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 645.864440] RIP: 0033:0x457569 [ 645.867648] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 645.886560] RSP: 002b:00007f4e83fa3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 645.894282] RAX: ffffffffffffffda RBX: 00007f4e83fa3c90 RCX: 0000000000457569 [ 645.901557] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 645.908828] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 645.916100] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fa46d4 [ 645.923371] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 645.953690] input: syz1 as /devices/virtual/input/input1775 [ 645.960992] binder: 3031:3032 transaction failed 29201/-22, size 24-8 line 3033 21:36:56 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xe8030000) [ 645.985222] input: syz1 as /devices/virtual/input/input1776 [ 645.998899] binder_alloc: binder_alloc_mmap_handler: 3031 20001000-20004000 already mapped failed -16 21:36:56 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xb, 0x0, [0x40000003]}) [ 646.029939] binder: BINDER_SET_CONTEXT_MGR already set [ 646.051706] binder: 3031:3032 ioctl 40046207 0 returned -16 [ 646.067806] binder_alloc: 3031: binder_alloc_buf, no vma [ 646.084285] binder: 3031:3046 transaction failed 29189/-3, size 24-8 line 2970 21:36:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xfdfdffff00000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:56 executing program 2 (fault-call:14 fault-nth:5): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:56 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000102]}) 21:36:56 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x25, 0x0, [0x40000003]}) 21:36:56 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbef8}, 'syz0\x00'}) [ 646.253099] binder: 3057:3058 got transaction with invalid offset (-144678142324244480, min 0 max 24) or object. 21:36:56 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0xf00) [ 646.308317] binder: 3057:3058 transaction failed 29201/-22, size 24-8 line 3033 [ 646.330681] input: syz1 as /devices/virtual/input/input1777 [ 646.339007] binder_alloc: binder_alloc_mmap_handler: 3057 20001000-20004000 already mapped failed -16 [ 646.367954] binder: BINDER_SET_CONTEXT_MGR already set [ 646.375099] FAULT_INJECTION: forcing a failure. [ 646.375099] name failslab, interval 1, probability 0, space 0, times 0 [ 646.383259] binder: 3057:3058 ioctl 40046207 0 returned -16 [ 646.399525] binder_alloc: 3057: binder_alloc_buf, no vma [ 646.405002] input: syz1 as /devices/virtual/input/input1778 [ 646.405285] binder: 3057:3071 transaction failed 29189/-3, size 24-8 line 2970 21:36:56 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4, 0x0, [0x40000003]}) [ 646.456666] CPU: 1 PID: 3065 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 646.463893] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 646.463902] Call Trace: [ 646.463932] dump_stack+0x1c4/0x2b4 [ 646.463961] ? dump_stack_print_info.cold.2+0x52/0x52 [ 646.484956] ? kernel_text_address+0x79/0xf0 [ 646.489398] should_fail.cold.4+0xa/0x17 [ 646.493486] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 646.498605] ? __lock_acquire+0x7ec/0x4ec0 [ 646.498634] ? graph_lock+0x170/0x170 [ 646.498650] ? save_stack+0x43/0xd0 [ 646.498662] ? kasan_kmalloc+0xc7/0xe0 [ 646.498681] ? kasan_slab_alloc+0x12/0x20 [ 646.506716] ? graph_lock+0x170/0x170 [ 646.506733] ? graph_lock+0x170/0x170 [ 646.506758] ? find_held_lock+0x36/0x1c0 [ 646.506777] ? __lock_is_held+0xb5/0x140 [ 646.506811] ? ___might_sleep+0x1ed/0x300 [ 646.506829] ? arch_local_save_flags+0x40/0x40 [ 646.506854] __should_failslab+0x124/0x180 [ 646.506872] should_failslab+0x9/0x14 [ 646.506895] kmem_cache_alloc_trace+0x2d7/0x750 [ 646.506918] ? _raw_spin_unlock+0x2c/0x50 [ 646.550999] p9_fid_create+0x49/0x2b0 [ 646.551021] p9_client_walk+0x124/0xb30 [ 646.551038] ? find_held_lock+0x36/0x1c0 [ 646.551063] ? p9_client_zc_rpc.constprop.10+0x1550/0x1550 [ 646.577295] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 646.577313] ? d_alloc+0x28b/0x380 [ 646.577331] ? lock_downgrade+0x846/0x900 [ 646.577349] ? v9fs_fid_add+0x240/0x240 [ 646.577367] ? kasan_check_read+0x11/0x20 [ 646.577381] ? do_raw_spin_unlock+0xa7/0x2f0 [ 646.577395] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 646.577421] v9fs_vfs_lookup+0x1f7/0x4a0 [ 646.577436] ? v9fs_vfs_lookup+0x1f7/0x4a0 [ 646.577452] ? d_alloc+0x290/0x380 [ 646.586015] ? v9fs_vfs_create+0x130/0x130 [ 646.586044] __lookup_hash+0x12e/0x190 [ 646.586064] filename_create+0x1e5/0x5b0 [ 646.586082] ? kern_path_mountpoint+0x40/0x40 [ 646.586107] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 646.586121] ? getname_flags+0x26e/0x5a0 [ 646.586141] do_symlinkat+0xfe/0x2d0 [ 646.586157] ? do_syscall_64+0x9a/0x820 [ 646.586177] ? __ia32_sys_unlink+0x50/0x50 21:36:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xfdfdffff]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 646.586198] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 646.594316] __x64_sys_symlinkat+0x73/0xb0 [ 646.594337] do_syscall_64+0x1b9/0x820 [ 646.594358] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 646.602903] ? syscall_return_slowpath+0x5e0/0x5e0 [ 646.602919] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 646.602942] ? trace_hardirqs_on_caller+0x310/0x310 [ 646.611571] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 646.611590] ? prepare_exit_to_usermode+0x291/0x3b0 [ 646.611624] ? trace_hardirqs_off_thunk+0x1a/0x1c 21:36:57 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8000000000000]}) [ 646.619405] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 646.619419] RIP: 0033:0x457569 [ 646.619437] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 646.619450] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 [ 646.636102] ORIG_RAX: 000000000000010a [ 646.636114] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 646.636123] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 21:36:57 executing program 2 (fault-call:14 fault-nth:6): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 646.636131] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 646.636140] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 646.636149] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 646.659542] binder: 3085:3086 got transaction with invalid offset (4261281791, min 0 max 24) or object. [ 646.669079] binder: 3085:3086 transaction failed 29201/-22, size 24-8 line 3033 [ 646.758451] binder_alloc: binder_alloc_mmap_handler: 3085 20001000-20004000 already mapped failed -16 21:36:57 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x5c, 0x0, [0x40000003]}) [ 646.797783] binder: BINDER_SET_CONTEXT_MGR already set [ 646.813857] binder: 3085:3086 ioctl 40046207 0 returned -16 21:36:57 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6}, 'syz0\x00'}) [ 646.926933] binder_alloc: 3085: binder_alloc_buf, no vma [ 646.941853] FAULT_INJECTION: forcing a failure. [ 646.941853] name failslab, interval 1, probability 0, space 0, times 0 [ 646.953589] CPU: 1 PID: 3094 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 646.960800] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 646.970160] Call Trace: [ 646.972779] dump_stack+0x1c4/0x2b4 [ 646.976427] ? dump_stack_print_info.cold.2+0x52/0x52 [ 646.981645] should_fail.cold.4+0xa/0x17 [ 646.985733] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 646.990846] ? print_usage_bug+0xc0/0xc0 [ 646.994937] ? mark_held_locks+0x130/0x130 [ 646.999178] ? print_usage_bug+0xc0/0xc0 [ 647.003251] ? __lock_acquire+0x7ec/0x4ec0 [ 647.007506] ? graph_lock+0x170/0x170 [ 647.011308] ? graph_lock+0x170/0x170 [ 647.015114] ? print_usage_bug+0xc0/0xc0 [ 647.019183] ? print_usage_bug+0xc0/0xc0 [ 647.023261] __should_failslab+0x124/0x180 [ 647.027513] should_failslab+0x9/0x14 [ 647.031320] kmem_cache_alloc+0x47/0x730 [ 647.035399] radix_tree_node_alloc.constprop.18+0x1f7/0x370 [ 647.041122] radix_tree_extend+0x294/0x660 [ 647.045369] ? radix_tree_node_alloc.constprop.18+0x370/0x370 [ 647.051263] ? kernel_text_address+0x79/0xf0 [ 647.055676] ? __kernel_text_address+0xd/0x40 [ 647.060177] ? unwind_get_return_address+0x61/0xa0 [ 647.065116] ? __save_stack_trace+0x8d/0xf0 [ 647.069446] idr_get_free+0x83d/0xec0 [ 647.073273] ? ida_pre_get+0x130/0x130 [ 647.077163] ? filename_create+0x1e5/0x5b0 [ 647.081401] ? __x64_sys_symlinkat+0x73/0xb0 [ 647.085814] ? do_syscall_64+0x1b9/0x820 [ 647.089883] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 647.095273] ? find_held_lock+0x36/0x1c0 [ 647.099368] ? graph_lock+0x170/0x170 [ 647.103185] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 647.108746] ? check_preemption_disabled+0x48/0x200 [ 647.113788] ? check_preemption_disabled+0x48/0x200 [ 647.118841] ? lock_acquire+0x1ed/0x520 [ 647.122846] ? p9_fid_create+0x1bc/0x2b0 [ 647.126923] idr_alloc_u32+0x201/0x3f0 [ 647.130830] ? __fprop_inc_percpu_max+0x2d0/0x2d0 [ 647.135687] ? trace_hardirqs_on+0x310/0x310 [ 647.140127] ? kasan_check_write+0x14/0x20 [ 647.144377] ? do_raw_spin_lock+0xc1/0x200 [ 647.148638] p9_fid_create+0x1d7/0x2b0 [ 647.152543] p9_client_walk+0x124/0xb30 [ 647.156542] ? find_held_lock+0x36/0x1c0 [ 647.160625] ? p9_client_zc_rpc.constprop.10+0x1550/0x1550 [ 647.166259] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 647.171299] ? d_alloc+0x28b/0x380 [ 647.174848] ? lock_downgrade+0x846/0x900 [ 647.179007] ? v9fs_fid_add+0x240/0x240 [ 647.182987] ? kasan_check_read+0x11/0x20 [ 647.187147] ? do_raw_spin_unlock+0xa7/0x2f0 [ 647.191566] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 647.196172] v9fs_vfs_lookup+0x1f7/0x4a0 [ 647.200245] ? v9fs_vfs_lookup+0x1f7/0x4a0 [ 647.204488] ? d_alloc+0x290/0x380 [ 647.208041] ? v9fs_vfs_create+0x130/0x130 [ 647.212300] __lookup_hash+0x12e/0x190 [ 647.216206] filename_create+0x1e5/0x5b0 [ 647.220282] ? kern_path_mountpoint+0x40/0x40 [ 647.224811] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 647.230381] ? getname_flags+0x26e/0x5a0 [ 647.234456] do_symlinkat+0xfe/0x2d0 [ 647.238188] ? do_syscall_64+0x9a/0x820 [ 647.242183] ? __ia32_sys_unlink+0x50/0x50 [ 647.246435] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 647.251899] __x64_sys_symlinkat+0x73/0xb0 [ 647.256141] do_syscall_64+0x1b9/0x820 [ 647.260031] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 647.265399] ? syscall_return_slowpath+0x5e0/0x5e0 [ 647.270847] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 647.275699] ? trace_hardirqs_on_caller+0x310/0x310 [ 647.280720] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 647.285745] ? prepare_exit_to_usermode+0x291/0x3b0 [ 647.290783] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 647.295663] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 647.300871] RIP: 0033:0x457569 [ 647.304084] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 21:36:57 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x500) [ 647.322996] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 647.330721] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 647.337998] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 647.345282] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 647.352562] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 647.359845] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 21:36:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x12]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 647.436334] input: syz1 as /devices/virtual/input/input1779 [ 647.473116] binder: 3107:3108 got transaction with invalid offset (18, min 0 max 24) or object. [ 647.483142] input: syz1 as /devices/virtual/input/input1780 [ 647.515071] binder_alloc: binder_alloc_mmap_handler: 3107 20001000-20004000 already mapped failed -16 [ 647.529406] binder: BINDER_SET_CONTEXT_MGR already set [ 647.543680] binder_alloc: 3107: binder_alloc_buf, no vma 21:36:57 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xff02000000000000]}) [ 647.560601] binder: 3107:3108 ioctl 40046207 0 returned -16 21:36:57 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0xf, 0x0, [0x40000003]}) 21:36:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xa00000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:58 executing program 2 (fault-call:14 fault-nth:7): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:58 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8e0}, 'syz0\x00'}) [ 647.670530] binder: 3121:3123 got transaction with invalid offset (720575940379279360, min 0 max 24) or object. 21:36:58 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x3e8) [ 647.735740] binder_alloc: binder_alloc_mmap_handler: 3121 20001000-20004000 already mapped failed -16 [ 647.745492] binder: BINDER_SET_CONTEXT_MGR already set [ 647.803311] binder_release_work: 8 callbacks suppressed [ 647.803318] binder: undelivered TRANSACTION_ERROR: 29201 [ 647.822327] binder: 3121:3123 ioctl 40046207 0 returned -16 [ 647.831148] input: syz1 as /devices/virtual/input/input1781 [ 647.859889] FAULT_INJECTION: forcing a failure. [ 647.859889] name failslab, interval 1, probability 0, space 0, times 0 [ 647.871709] CPU: 0 PID: 3135 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 647.878913] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 647.888367] Call Trace: [ 647.890975] dump_stack+0x1c4/0x2b4 [ 647.894642] ? dump_stack_print_info.cold.2+0x52/0x52 [ 647.899849] ? graph_lock+0x170/0x170 [ 647.903676] should_fail.cold.4+0xa/0x17 [ 647.907757] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 647.912873] ? find_held_lock+0x36/0x1c0 [ 647.912895] ? kasan_check_write+0x14/0x20 [ 647.912913] ? prep_compound_page+0x26c/0x390 [ 647.912934] ? set_pageblock_migratetype+0x40/0x40 [ 647.912958] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 647.925736] ? trace_hardirqs_on+0x310/0x310 [ 647.925761] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 647.925778] ? graph_lock+0x170/0x170 [ 647.925798] ? get_page_from_freelist+0x488b/0x5340 [ 647.925832] __should_failslab+0x124/0x180 [ 647.936284] should_failslab+0x9/0x14 [ 647.936303] kmem_cache_alloc+0x47/0x730 [ 647.936319] ? print_usage_bug+0xc0/0xc0 [ 647.936332] ? lock_downgrade+0x900/0x900 [ 647.936350] ? check_preemption_disabled+0x48/0x200 [ 647.936377] radix_tree_node_alloc.constprop.18+0x1f7/0x370 [ 647.986080] radix_tree_extend+0x294/0x660 [ 647.990338] ? radix_tree_node_alloc.constprop.18+0x370/0x370 [ 647.996260] ? __kernel_text_address+0xd/0x40 [ 648.000779] ? unwind_get_return_address+0x61/0xa0 [ 648.005743] idr_get_free+0x83d/0xec0 [ 648.009556] ? save_stack+0xa9/0xd0 [ 648.013198] ? ida_pre_get+0x130/0x130 [ 648.017089] ? p9_client_walk+0x124/0xb30 [ 648.021238] ? __lookup_hash+0x12e/0x190 [ 648.025316] ? filename_create+0x1e5/0x5b0 [ 648.029557] ? do_symlinkat+0xfe/0x2d0 [ 648.033448] ? __x64_sys_symlinkat+0x73/0xb0 [ 648.037861] ? do_syscall_64+0x1b9/0x820 [ 648.041928] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 648.047300] ? mark_held_locks+0x130/0x130 [ 648.051539] ? print_usage_bug+0xc0/0xc0 [ 648.055606] ? __lock_acquire+0x7ec/0x4ec0 [ 648.059882] ? graph_lock+0x170/0x170 [ 648.063691] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 648.069238] ? check_preemption_disabled+0x48/0x200 [ 648.074258] ? check_preemption_disabled+0x48/0x200 [ 648.079298] idr_alloc_u32+0x201/0x3f0 [ 648.083194] ? __fprop_inc_percpu_max+0x2d0/0x2d0 [ 648.088045] ? p9_idpool_get+0x23/0x90 [ 648.091945] idr_alloc+0x111/0x1b0 [ 648.095499] ? idr_alloc_u32+0x3f0/0x3f0 [ 648.099571] ? do_raw_spin_lock+0xc1/0x200 [ 648.103820] p9_idpool_get+0x3d/0x90 [ 648.107543] p9_client_prepare_req.part.8+0xec/0xc30 [ 648.112677] ? delete_node+0x30e/0xd20 [ 648.116569] ? unwind_get_return_address+0x61/0xa0 [ 648.121515] ? p9_free_req.isra.7+0x140/0x140 [ 648.126014] ? idr_destroy+0x1c0/0x1c0 [ 648.129917] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 648.136043] ? replace_slot+0x151/0x520 [ 648.140037] p9_client_rpc+0x1c2/0x1480 [ 648.144016] ? radix_tree_descend+0x2e0/0x2e0 [ 648.148527] ? p9_client_prepare_req.part.8+0xc30/0xc30 [ 648.153902] ? find_held_lock+0x36/0x1c0 [ 648.157993] ? find_held_lock+0x36/0x1c0 [ 648.162083] ? mark_held_locks+0xc7/0x130 [ 648.166242] ? _raw_spin_unlock_irq+0x27/0x80 [ 648.170747] ? _raw_spin_unlock_irq+0x27/0x80 [ 648.175278] ? lockdep_hardirqs_on+0x421/0x5c0 [ 648.179878] ? trace_hardirqs_on+0xbd/0x310 [ 648.184221] ? kasan_check_read+0x11/0x20 [ 648.188389] ? p9_fid_create+0x1e2/0x2b0 [ 648.192471] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 648.197935] ? kasan_check_write+0x14/0x20 [ 648.202181] ? do_raw_spin_lock+0xc1/0x200 [ 648.206435] p9_client_walk+0x208/0xb30 [ 648.210420] ? find_held_lock+0x36/0x1c0 [ 648.214504] ? p9_client_zc_rpc.constprop.10+0x1550/0x1550 [ 648.220139] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 648.225168] ? d_alloc+0x28b/0x380 [ 648.228726] ? lock_downgrade+0x846/0x900 [ 648.232884] ? v9fs_fid_add+0x240/0x240 [ 648.236872] ? kasan_check_read+0x11/0x20 [ 648.241040] ? do_raw_spin_unlock+0xa7/0x2f0 [ 648.245463] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 648.250079] v9fs_vfs_lookup+0x1f7/0x4a0 [ 648.254152] ? v9fs_vfs_lookup+0x1f7/0x4a0 [ 648.258573] ? d_alloc+0x290/0x380 [ 648.262126] ? v9fs_vfs_create+0x130/0x130 [ 648.266384] __lookup_hash+0x12e/0x190 [ 648.270288] filename_create+0x1e5/0x5b0 [ 648.274365] ? kern_path_mountpoint+0x40/0x40 [ 648.278886] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 648.284963] ? getname_flags+0x26e/0x5a0 [ 648.289058] do_symlinkat+0xfe/0x2d0 [ 648.292785] ? do_syscall_64+0x9a/0x820 [ 648.296780] ? __ia32_sys_unlink+0x50/0x50 [ 648.301038] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 648.306527] __x64_sys_symlinkat+0x73/0xb0 [ 648.310804] do_syscall_64+0x1b9/0x820 [ 648.314723] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 648.320100] ? syscall_return_slowpath+0x5e0/0x5e0 [ 648.325034] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 648.329886] ? trace_hardirqs_on_caller+0x310/0x310 [ 648.334909] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 648.339933] ? prepare_exit_to_usermode+0x291/0x3b0 [ 648.344959] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 648.349825] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 648.355040] RIP: 0033:0x457569 [ 648.358254] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 648.377187] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 648.384920] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 648.392196] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 648.399469] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 21:36:58 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7f040000]}) 21:36:58 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x3e, 0x0, [0x40000003]}) [ 648.406745] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 648.414014] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 648.446039] input: syz1 as /devices/virtual/input/input1782 21:36:58 executing program 2 (fault-call:14 fault-nth:8): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:36:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:36:58 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x7a00000000000000}, 'syz0\x00'}) [ 648.570312] binder: 3149:3152 got transaction with invalid offset (100663296, min 0 max 24) or object. 21:36:58 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2, 0x0, [0x40000003]}) [ 648.642116] FAULT_INJECTION: forcing a failure. [ 648.642116] name failslab, interval 1, probability 0, space 0, times 0 [ 648.653374] CPU: 1 PID: 3154 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 648.660570] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 648.660578] Call Trace: [ 648.660608] dump_stack+0x1c4/0x2b4 [ 648.660648] ? dump_stack_print_info.cold.2+0x52/0x52 [ 648.660686] should_fail.cold.4+0xa/0x17 [ 648.660710] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 648.660749] ? find_held_lock+0x36/0x1c0 [ 648.660779] ? __debug_object_init+0x57d/0x1290 [ 648.694705] ? lock_downgrade+0x900/0x900 [ 648.694721] ? lock_downgrade+0x900/0x900 [ 648.694740] ? print_usage_bug+0xc0/0xc0 [ 648.694754] ? graph_lock+0x170/0x170 [ 648.694775] ? trace_hardirqs_off+0xb8/0x310 [ 648.703579] ? kasan_check_read+0x11/0x20 [ 648.703599] ? do_raw_spin_unlock+0xa7/0x2f0 [ 648.703627] ? trace_hardirqs_on+0x310/0x310 [ 648.703643] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 648.703659] ? kasan_check_write+0x14/0x20 [ 648.724208] __should_failslab+0x124/0x180 [ 648.724230] should_failslab+0x9/0x14 [ 648.724250] kmem_cache_alloc+0x47/0x730 [ 648.741874] radix_tree_node_alloc.constprop.18+0x1f7/0x370 [ 648.741899] radix_tree_extend+0x294/0x660 [ 648.741923] ? radix_tree_node_alloc.constprop.18+0x370/0x370 [ 648.753990] ? kasan_check_read+0x11/0x20 [ 648.754010] ? do_raw_spin_unlock+0xa7/0x2f0 [ 648.754029] ? trace_hardirqs_on+0x310/0x310 [ 648.754065] idr_get_free+0x83d/0xec0 [ 648.764011] ? __lock_acquire+0x7ec/0x4ec0 [ 648.764039] ? ida_pre_get+0x130/0x130 [ 648.764053] ? __lock_acquire+0x7ec/0x4ec0 [ 648.764081] ? print_usage_bug+0xc0/0xc0 [ 648.774093] ? mark_held_locks+0x130/0x130 [ 648.774110] ? __lock_acquire+0x7ec/0x4ec0 [ 648.774127] ? lock_downgrade+0x900/0x900 [ 648.774145] ? check_preemption_disabled+0x48/0x200 [ 648.774168] ? rcu_read_unlock_special.part.39+0x11f0/0x11f0 [ 648.779340] binder: BINDER_SET_CONTEXT_MGR already set [ 648.782963] ? kasan_check_read+0x11/0x20 [ 648.782992] idr_alloc_u32+0x201/0x3f0 [ 648.783014] ? __fprop_inc_percpu_max+0x2d0/0x2d0 [ 648.783037] ? p9_idpool_get+0x23/0x90 [ 648.791071] idr_alloc+0x111/0x1b0 [ 648.791091] ? idr_alloc_u32+0x3f0/0x3f0 [ 648.791111] ? do_raw_spin_lock+0xc1/0x200 [ 648.791136] p9_idpool_get+0x3d/0x90 [ 648.803910] binder: 3149:3163 got transaction with invalid offset (100663296, min 0 max 24) or object. [ 648.807523] p9_client_prepare_req.part.8+0xec/0xc30 [ 648.807546] ? is_bpf_text_address+0xac/0x170 [ 648.807567] ? check_preemption_disabled+0x48/0x200 [ 648.807587] ? p9_free_req.isra.7+0x140/0x140 [ 648.807602] ? graph_lock+0x170/0x170 [ 648.807631] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 648.807650] ? rcu_bh_qs+0xc0/0xc0 [ 648.816022] ? rcu_bh_qs+0xc0/0xc0 [ 648.816038] ? unwind_dump+0x190/0x190 [ 648.816062] p9_client_rpc+0x1c2/0x1480 [ 648.816090] ? p9_client_prepare_req.part.8+0xc30/0xc30 [ 648.816109] ? v9fs_fid_find+0x24b/0x2f0 [ 648.816127] ? lock_downgrade+0x900/0x900 [ 648.826924] ? kasan_check_read+0x11/0x20 [ 648.826943] ? do_raw_spin_unlock+0xa7/0x2f0 21:36:59 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x810000c0]}) [ 648.826962] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 648.826978] ? kasan_check_write+0x14/0x20 [ 648.826994] ? do_raw_spin_lock+0xc1/0x200 [ 648.827014] ? _raw_spin_unlock+0x2c/0x50 [ 648.827032] ? v9fs_fid_find+0x250/0x2f0 [ 648.827052] ? v9fs_session_init.cold.3+0x73/0x73 [ 648.827070] ? smk_tskacc+0x3dd/0x520 [ 648.843774] binder: undelivered TRANSACTION_ERROR: 29201 [ 648.845211] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 648.845239] p9_client_symlink+0xf3/0x600 [ 648.845259] ? p9_client_readlink+0x5c0/0x5c0 21:36:59 executing program 2 (fault-call:14 fault-nth:9): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 648.850013] binder: 3149:3152 ioctl 40046207 0 returned -16 [ 648.852676] ? smk_curacc+0x7f/0xa0 [ 648.852710] v9fs_vfs_symlink_dotl+0x209/0x520 [ 648.852731] ? v9fs_vfs_atomic_open_dotl+0xc00/0xc00 [ 648.857005] binder: undelivered TRANSACTION_ERROR: 29201 [ 648.861019] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 648.861036] ? security_inode_permission+0xd2/0x100 [ 648.861055] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 648.879286] ? security_inode_symlink+0xde/0x110 [ 648.879307] vfs_symlink+0x37a/0x5d0 [ 648.879328] do_symlinkat+0x242/0x2d0 [ 648.879345] ? do_syscall_64+0x9a/0x820 [ 648.879365] ? __ia32_sys_unlink+0x50/0x50 [ 648.879385] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 648.879406] __x64_sys_symlinkat+0x73/0xb0 [ 648.888910] do_syscall_64+0x1b9/0x820 [ 648.888928] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 648.888951] ? syscall_return_slowpath+0x5e0/0x5e0 [ 648.893563] input: syz1 as /devices/virtual/input/input1783 [ 648.897241] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 648.897262] ? trace_hardirqs_on_caller+0x310/0x310 21:36:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 648.897280] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 648.897298] ? prepare_exit_to_usermode+0x291/0x3b0 [ 648.897320] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 648.897344] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 648.897361] RIP: 0033:0x457569 [ 648.906174] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 648.906184] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a 21:36:59 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x40000]}) [ 648.906201] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 648.906211] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 648.906220] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 648.906230] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 648.906239] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 649.144500] binder: 3172:3173 got transaction with invalid offset (24576, min 0 max 24) or object. 21:36:59 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x54, 0x0, [0x40000003]}) [ 649.190987] binder_transaction: 6 callbacks suppressed [ 649.191008] binder: 3172:3173 transaction failed 29201/-22, size 24-8 line 3033 [ 649.205205] input: syz1 as /devices/virtual/input/input1784 [ 649.215914] binder_alloc: binder_alloc_mmap_handler: 3172 20001000-20004000 already mapped failed -16 [ 649.270326] binder: BINDER_SET_CONTEXT_MGR already set [ 649.283695] FAULT_INJECTION: forcing a failure. [ 649.283695] name failslab, interval 1, probability 0, space 0, times 0 [ 649.294932] CPU: 0 PID: 3178 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 649.294954] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 649.294960] Call Trace: [ 649.295024] dump_stack+0x1c4/0x2b4 [ 649.295052] ? dump_stack_print_info.cold.2+0x52/0x52 [ 649.295088] should_fail.cold.4+0xa/0x17 [ 649.295111] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 649.295130] ? rcu_read_unlock_special.part.39+0x11f0/0x11f0 [ 649.295147] ? graph_lock+0x170/0x170 [ 649.295178] ? print_usage_bug+0xc0/0xc0 [ 649.345911] ? __lock_acquire+0x7ec/0x4ec0 [ 649.348727] binder: 3172:3173 ioctl 40046207 0 returned -16 [ 649.350167] ? __lock_is_held+0xb5/0x140 [ 649.350182] ? __account_cfs_rq_runtime+0x790/0x790 [ 649.350210] ? __lock_acquire+0x7ec/0x4ec0 [ 649.369249] ? graph_lock+0x170/0x170 [ 649.373065] ? graph_lock+0x170/0x170 [ 649.376911] __should_failslab+0x124/0x180 [ 649.381163] should_failslab+0x9/0x14 [ 649.384990] kmem_cache_alloc+0x47/0x730 [ 649.386694] binder: undelivered TRANSACTION_ERROR: 29201 [ 649.389062] ? print_usage_bug+0xc0/0xc0 [ 649.389080] ? __debug_object_init+0x57d/0x1290 [ 649.389099] ? lock_downgrade+0x900/0x900 [ 649.394722] binder_alloc: 3172: binder_alloc_buf, no vma [ 649.398608] radix_tree_node_alloc.constprop.18+0x1f7/0x370 [ 649.398643] radix_tree_extend+0x294/0x660 [ 649.398668] ? radix_tree_node_alloc.constprop.18+0x370/0x370 [ 649.398688] ? find_held_lock+0x36/0x1c0 [ 649.432808] ? graph_lock+0x170/0x170 [ 649.436641] idr_get_free+0x83d/0xec0 [ 649.440469] ? find_held_lock+0x36/0x1c0 [ 649.444555] ? ida_pre_get+0x130/0x130 [ 649.448449] ? lock_downgrade+0x900/0x900 [ 649.452605] ? trace_hardirqs_off+0xb8/0x310 [ 649.457023] ? kasan_check_read+0x11/0x20 [ 649.461176] ? do_raw_spin_unlock+0xa7/0x2f0 [ 649.465592] ? print_usage_bug+0xc0/0xc0 [ 649.469668] ? kasan_check_write+0x14/0x20 [ 649.473908] ? do_raw_spin_lock+0xc1/0x200 [ 649.478151] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 649.483696] ? check_preemption_disabled+0x48/0x200 [ 649.488726] ? trace_hardirqs_off+0xb8/0x310 [ 649.493141] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 649.498433] idr_alloc_u32+0x201/0x3f0 [ 649.502333] ? __fprop_inc_percpu_max+0x2d0/0x2d0 [ 649.507187] ? p9_idpool_get+0x23/0x90 [ 649.511090] idr_alloc+0x111/0x1b0 [ 649.514641] ? idr_alloc_u32+0x3f0/0x3f0 [ 649.518715] ? do_raw_spin_lock+0xc1/0x200 [ 649.522969] p9_idpool_get+0x3d/0x90 [ 649.526697] p9_client_prepare_req.part.8+0xec/0xc30 [ 649.531804] ? rcu_bh_qs+0xc0/0xc0 [ 649.535348] ? unwind_dump+0x190/0x190 [ 649.539249] ? p9_free_req.isra.7+0x140/0x140 [ 649.543749] ? is_bpf_text_address+0xd3/0x170 [ 649.548254] ? kernel_text_address+0x79/0xf0 [ 649.552666] ? __kernel_text_address+0xd/0x40 [ 649.557177] ? unwind_get_return_address+0x61/0xa0 [ 649.562111] ? __save_stack_trace+0x8d/0xf0 [ 649.566441] p9_client_rpc+0x1c2/0x1480 [ 649.570430] ? p9_client_prepare_req.part.8+0xc30/0xc30 [ 649.575809] ? save_stack+0x43/0xd0 [ 649.579435] ? __kasan_slab_free+0x102/0x150 [ 649.583842] ? kasan_slab_free+0xe/0x10 [ 649.587821] ? kfree+0xcf/0x230 [ 649.591105] ? print_usage_bug+0xc0/0xc0 [ 649.595165] ? filename_create+0x1e5/0x5b0 [ 649.599402] ? do_symlinkat+0xfe/0x2d0 [ 649.603812] ? __x64_sys_symlinkat+0x73/0xb0 [ 649.608224] ? do_syscall_64+0x1b9/0x820 [ 649.612291] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 649.617661] ? trace_hardirqs_off+0xb8/0x310 [ 649.622070] ? kasan_check_read+0x11/0x20 [ 649.626240] ? do_raw_spin_unlock+0xa7/0x2f0 [ 649.630655] ? trace_hardirqs_on+0x310/0x310 [ 649.635070] ? kasan_check_write+0x14/0x20 [ 649.639318] ? mark_held_locks+0xc7/0x130 [ 649.643478] ? kfree+0x107/0x230 [ 649.646847] ? kfree+0x107/0x230 [ 649.650220] ? lockdep_hardirqs_on+0x421/0x5c0 [ 649.654815] ? p9_client_walk+0x5ce/0xb30 [ 649.658985] p9_client_clunk+0x93/0x180 [ 649.663009] p9_client_walk+0x5d6/0xb30 [ 649.667006] ? p9_client_zc_rpc.constprop.10+0x1550/0x1550 [ 649.672643] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 649.677666] ? d_alloc+0x28b/0x380 [ 649.681212] ? lock_downgrade+0x846/0x900 [ 649.685366] ? v9fs_fid_add+0x240/0x240 [ 649.689351] ? kasan_check_read+0x11/0x20 [ 649.693501] ? do_raw_spin_unlock+0xa7/0x2f0 [ 649.697914] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 649.702517] v9fs_vfs_lookup+0x1f7/0x4a0 [ 649.706582] ? v9fs_vfs_lookup+0x1f7/0x4a0 [ 649.710839] ? d_alloc+0x290/0x380 [ 649.714391] ? v9fs_vfs_create+0x130/0x130 [ 649.718650] __lookup_hash+0x12e/0x190 [ 649.722545] filename_create+0x1e5/0x5b0 [ 649.726627] ? kern_path_mountpoint+0x40/0x40 [ 649.731146] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 649.736689] ? getname_flags+0x26e/0x5a0 [ 649.740755] do_symlinkat+0xfe/0x2d0 [ 649.744471] ? do_syscall_64+0x9a/0x820 [ 649.748458] ? __ia32_sys_unlink+0x50/0x50 [ 649.752698] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 649.758173] __x64_sys_symlinkat+0x73/0xb0 [ 649.762422] do_syscall_64+0x1b9/0x820 [ 649.766316] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 649.771703] ? syscall_return_slowpath+0x5e0/0x5e0 [ 649.776641] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 649.781663] ? trace_hardirqs_on_caller+0x310/0x310 [ 649.786685] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 649.791710] ? prepare_exit_to_usermode+0x291/0x3b0 [ 649.796851] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 649.801706] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 649.806897] RIP: 0033:0x457569 21:37:00 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1a000000) [ 649.810095] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 649.829009] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 649.836734] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 649.844009] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 649.851283] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 649.858565] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 649.865835] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 21:37:00 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xce]}) [ 649.971783] binder: 3172:3174 transaction failed 29189/-3, size 24-8 line 2970 21:37:00 executing program 2 (fault-call:14 fault-nth:10): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:00 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x77, 0x0, [0x40000003]}) 21:37:00 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x8000a0}, 'syz0\x00'}) [ 650.013529] binder: undelivered TRANSACTION_ERROR: 29189 21:37:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x1200]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:00 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x1b000000) 21:37:00 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9e]}) [ 650.181833] input: syz1 as /devices/virtual/input/input1785 [ 650.221572] FAULT_INJECTION: forcing a failure. [ 650.221572] name failslab, interval 1, probability 0, space 0, times 0 [ 650.232818] CPU: 1 PID: 3207 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 650.232834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 650.232844] Call Trace: [ 650.251975] dump_stack+0x1c4/0x2b4 [ 650.255626] ? dump_stack_print_info.cold.2+0x52/0x52 [ 650.255660] should_fail.cold.4+0xa/0x17 [ 650.255683] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 650.255717] ? find_held_lock+0x36/0x1c0 [ 650.255740] ? __debug_object_init+0x57d/0x1290 [ 650.255757] ? lock_downgrade+0x900/0x900 [ 650.255769] ? lock_downgrade+0x900/0x900 [ 650.255787] ? print_usage_bug+0xc0/0xc0 [ 650.255798] ? graph_lock+0x170/0x170 [ 650.255811] ? trace_hardirqs_off+0xb8/0x310 [ 650.255823] ? kasan_check_read+0x11/0x20 [ 650.255839] ? do_raw_spin_unlock+0xa7/0x2f0 [ 650.255855] ? trace_hardirqs_on+0x310/0x310 [ 650.255874] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 650.265130] ? kasan_check_write+0x14/0x20 [ 650.265163] __should_failslab+0x124/0x180 [ 650.265189] should_failslab+0x9/0x14 [ 650.272848] binder_alloc: binder_alloc_mmap_handler: 3206 20001000-20004000 already mapped failed -16 [ 650.274354] kmem_cache_alloc+0x47/0x730 [ 650.274387] radix_tree_node_alloc.constprop.18+0x1f7/0x370 [ 650.280797] binder: BINDER_SET_CONTEXT_MGR already set [ 650.283197] radix_tree_extend+0x294/0x660 [ 650.283224] ? radix_tree_node_alloc.constprop.18+0x370/0x370 [ 650.283240] ? kasan_check_read+0x11/0x20 [ 650.283259] ? do_raw_spin_unlock+0xa7/0x2f0 [ 650.283281] ? trace_hardirqs_on+0x310/0x310 21:37:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6c]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 650.296157] binder: 3206:3211 ioctl 40046207 0 returned -16 [ 650.299695] idr_get_free+0x83d/0xec0 [ 650.299721] ? __lock_acquire+0x7ec/0x4ec0 [ 650.299746] ? ida_pre_get+0x130/0x130 [ 650.299760] ? __lock_acquire+0x7ec/0x4ec0 [ 650.299786] ? print_usage_bug+0xc0/0xc0 [ 650.308355] ? mark_held_locks+0x130/0x130 [ 650.308370] ? __lock_acquire+0x7ec/0x4ec0 [ 650.308386] ? lock_downgrade+0x900/0x900 [ 650.308404] ? check_preemption_disabled+0x48/0x200 [ 650.308428] ? rcu_read_unlock_special.part.39+0x11f0/0x11f0 [ 650.308439] ? kasan_check_read+0x11/0x20 [ 650.308464] idr_alloc_u32+0x201/0x3f0 [ 650.308492] ? __fprop_inc_percpu_max+0x2d0/0x2d0 [ 650.308510] ? p9_idpool_get+0x23/0x90 [ 650.308534] idr_alloc+0x111/0x1b0 [ 650.308551] ? idr_alloc_u32+0x3f0/0x3f0 [ 650.314462] binder_alloc: 3206: binder_alloc_buf, no vma [ 650.317584] ? do_raw_spin_lock+0xc1/0x200 [ 650.317612] p9_idpool_get+0x3d/0x90 [ 650.317645] p9_client_prepare_req.part.8+0xec/0xc30 [ 650.317667] ? is_bpf_text_address+0xac/0x170 [ 650.317688] ? check_preemption_disabled+0x48/0x200 [ 650.317707] ? p9_free_req.isra.7+0x140/0x140 [ 650.317726] ? graph_lock+0x170/0x170 [ 650.322268] binder: 3206:3213 transaction failed 29189/-3, size 24-8 line 2970 [ 650.326199] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 650.326216] ? rcu_bh_qs+0xc0/0xc0 [ 650.326233] ? rcu_bh_qs+0xc0/0xc0 [ 650.326247] ? unwind_dump+0x190/0x190 [ 650.326271] p9_client_rpc+0x1c2/0x1480 [ 650.326296] ? p9_client_prepare_req.part.8+0xc30/0xc30 [ 650.326313] ? v9fs_fid_find+0x24b/0x2f0 [ 650.326331] ? lock_downgrade+0x900/0x900 [ 650.326352] ? kasan_check_read+0x11/0x20 [ 650.326365] ? do_raw_spin_unlock+0xa7/0x2f0 [ 650.326379] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 650.326395] ? kasan_check_write+0x14/0x20 [ 650.326414] ? do_raw_spin_lock+0xc1/0x200 [ 650.343214] binder: undelivered TRANSACTION_ERROR: 29189 [ 650.343634] ? _raw_spin_unlock+0x2c/0x50 [ 650.383396] ? v9fs_fid_find+0x250/0x2f0 [ 650.395328] ? v9fs_session_init.cold.3+0x73/0x73 [ 650.403603] ? smk_tskacc+0x3dd/0x520 [ 650.403645] ? v9fs_fid_lookup_with_uid+0x11d/0xb90 [ 650.403672] p9_client_symlink+0xf3/0x600 [ 650.403692] ? p9_client_readlink+0x5c0/0x5c0 [ 650.412158] ? smk_curacc+0x7f/0xa0 [ 650.412193] v9fs_vfs_symlink_dotl+0x209/0x520 [ 650.412216] ? v9fs_vfs_atomic_open_dotl+0xc00/0xc00 [ 650.412237] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 650.449532] binder: 3218:3219 got transaction with invalid offset (108, min 0 max 24) or object. [ 650.452061] ? security_inode_permission+0xd2/0x100 [ 650.452083] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 650.452099] ? security_inode_symlink+0xde/0x110 [ 650.452119] vfs_symlink+0x37a/0x5d0 [ 650.633435] do_symlinkat+0x242/0x2d0 [ 650.637241] ? do_syscall_64+0x9a/0x820 [ 650.641222] ? __ia32_sys_unlink+0x50/0x50 [ 650.645463] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 650.650933] __x64_sys_symlinkat+0x73/0xb0 [ 650.655175] do_syscall_64+0x1b9/0x820 [ 650.659067] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 650.664440] ? syscall_return_slowpath+0x5e0/0x5e0 [ 650.669390] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 650.674248] ? trace_hardirqs_on_caller+0x310/0x310 [ 650.679272] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 650.684297] ? prepare_exit_to_usermode+0x291/0x3b0 [ 650.689327] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 650.694188] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 650.699380] RIP: 0033:0x457569 [ 650.702579] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 650.721503] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 650.729222] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 650.736521] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 650.743801] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 650.751080] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 650.758358] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 650.774902] binder: 3218:3219 transaction failed 29201/-22, size 24-8 line 3033 21:37:01 executing program 2 (fault-call:14 fault-nth:11): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 650.788827] input: syz1 as /devices/virtual/input/input1786 [ 650.827377] binder_alloc: binder_alloc_mmap_handler: 3218 20001000-20004000 already mapped failed -16 [ 650.876998] binder: BINDER_SET_CONTEXT_MGR already set [ 650.889327] binder: 3218:3219 ioctl 40046207 0 returned -16 [ 650.900397] binder_alloc: 3218: binder_alloc_buf, no vma 21:37:01 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x27, 0x0, [0x40000003]}) 21:37:01 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x4000000) [ 650.931226] binder: 3218:3229 transaction failed 29189/-3, size 24-8 line 2970 [ 650.958590] binder: undelivered TRANSACTION_ERROR: 29201 [ 650.967569] binder: undelivered TRANSACTION_ERROR: 29189 21:37:01 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc79}, 'syz0\x00'}) 21:37:01 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10100c000000000]}) 21:37:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7400000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 651.001290] FAULT_INJECTION: forcing a failure. [ 651.001290] name failslab, interval 1, probability 0, space 0, times 0 [ 651.045647] CPU: 1 PID: 3232 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #63 [ 651.052887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 651.062246] Call Trace: [ 651.064860] dump_stack+0x1c4/0x2b4 [ 651.068523] ? dump_stack_print_info.cold.2+0x52/0x52 [ 651.073745] should_fail.cold.4+0xa/0x17 [ 651.077820] ? smack_d_instantiate+0x136/0xea0 [ 651.082422] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 651.087549] ? mutex_trylock+0x2b0/0x2b0 [ 651.091632] ? graph_lock+0x170/0x170 [ 651.095440] ? debug_mutex_init+0x2d/0x60 [ 651.099591] ? graph_lock+0x170/0x170 [ 651.103403] ? print_usage_bug+0xc0/0xc0 [ 651.107473] ? find_held_lock+0x36/0x1c0 [ 651.111549] ? __lock_is_held+0xb5/0x140 [ 651.115638] ? ___might_sleep+0x1ed/0x300 [ 651.119791] ? arch_local_save_flags+0x40/0x40 [ 651.124393] __should_failslab+0x124/0x180 [ 651.128648] should_failslab+0x9/0x14 [ 651.132455] kmem_cache_alloc_trace+0x2d7/0x750 [ 651.137133] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 651.141725] ? kasan_check_write+0x14/0x20 [ 651.145970] smk_fetch.part.24+0x5a/0xf0 [ 651.150038] smack_d_instantiate+0x94e/0xea0 [ 651.154463] ? smk_fetch.part.24+0xf0/0xf0 [ 651.158707] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 651.163649] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 651.168851] security_d_instantiate+0x5c/0xf0 [ 651.173358] d_instantiate+0x5e/0xa0 [ 651.177081] v9fs_vfs_symlink_dotl+0x315/0x520 [ 651.181677] ? v9fs_vfs_atomic_open_dotl+0xc00/0xc00 [ 651.186794] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 651.192335] ? security_inode_permission+0xd2/0x100 [ 651.197359] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 651.202902] ? security_inode_symlink+0xde/0x110 [ 651.207667] vfs_symlink+0x37a/0x5d0 [ 651.211392] do_symlinkat+0x242/0x2d0 [ 651.215194] ? do_syscall_64+0x9a/0x820 [ 651.219176] ? __ia32_sys_unlink+0x50/0x50 [ 651.223421] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 651.228886] __x64_sys_symlinkat+0x73/0xb0 [ 651.233147] do_syscall_64+0x1b9/0x820 [ 651.237060] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 651.242432] ? syscall_return_slowpath+0x5e0/0x5e0 [ 651.247363] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 651.252217] ? trace_hardirqs_on_caller+0x310/0x310 [ 651.257245] ? prepare_exit_to_usermode+0x291/0x3b0 [ 651.262274] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 651.267549] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 651.272744] RIP: 0033:0x457569 [ 651.275943] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 651.294855] RSP: 002b:00007f4e83fc4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 651.302577] RAX: ffffffffffffffda RBX: 00007f4e83fc4c90 RCX: 0000000000457569 [ 651.309868] RDX: 00000000200005c0 RSI: 0000000000000007 RDI: 0000000020000540 [ 651.317138] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 651.324414] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83fc56d4 [ 651.331691] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 0000000000000008 [ 651.386949] input: syz1 as /devices/virtual/input/input1787 [ 651.400827] binder: 3246:3248 got transaction with invalid offset (8358680908399640576, min 0 max 24) or object. 21:37:01 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010000]}) [ 651.428845] binder: 3246:3248 transaction failed 29201/-22, size 24-8 line 3033 [ 651.445142] input: syz1 as /devices/virtual/input/input1788 [ 651.459085] binder_alloc: binder_alloc_mmap_handler: 3246 20001000-20004000 already mapped failed -16 21:37:01 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x58, 0x0, [0x40000003]}) [ 651.486830] binder: BINDER_SET_CONTEXT_MGR already set [ 651.492317] binder: 3246:3248 ioctl 40046207 0 returned -16 [ 651.498394] binder_alloc: 3246: binder_alloc_buf, no vma [ 651.520753] binder: 3246:3255 transaction failed 29189/-3, size 24-8 line 2970 21:37:01 executing program 2 (fault-call:14 fault-nth:12): socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 651.546854] binder: undelivered TRANSACTION_ERROR: 29201 [ 651.555731] binder: undelivered TRANSACTION_ERROR: 29189 21:37:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xffffffff00000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:02 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x600000000000000}, 'syz0\x00'}) 21:37:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010112]}) 21:37:02 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = openat(0xffffffffffffff9c, &(0x7f0000000140)='./file0/file0\x00', 0x601, 0x1) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, &(0x7f00000001c0), &(0x7f0000000200)=0x4) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 651.750115] binder: 3270:3271 got transaction with invalid offset (-4294967296, min 0 max 24) or object. [ 651.773171] input: syz1 as /devices/virtual/input/input1789 21:37:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x15, 0x0, [0x40000003]}) [ 651.797708] binder: 3270:3271 transaction failed 29201/-22, size 24-8 line 3033 [ 651.829730] input: syz1 as /devices/virtual/input/input1790 21:37:02 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 651.881900] binder_alloc: binder_alloc_mmap_handler: 3270 20001000-20004000 already mapped failed -16 21:37:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4800000000000000]}) 21:37:02 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19cef11a6bfdf6a0d7"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) setsockopt(r0, 0x800000008, 0x2, &(0x7f0000000440)="f88d67d5026aa3a39912e1b58f80a562fb82488509c24392888b4a9282e7ebef85edb1809a433646d4f2fb40d0585baa51282ddc3b406204fa772dd1c8280982eba22f000000000000004e5125e03f9cc95e0bad3bcdd7fcffcab7e79edacd68bf6f19092569d01a85a9faa9409d65366b413429ad5129e9a020d6ecfbf729adbaba047f8958eddf76fb0aa6cd636e2c9af6c79facb8da385b0151a1e0ececb4b0eef483dfbc0f4cd503e951d5ef5b829cb73248e9f3b3b1d11b00a22ff017db224d9287143599babeca63ade567beb71d062a96bad53f87067a09f0", 0x94) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) r3 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000000200)={0xa, 0x0, 0x0, @mcast2}, &(0x7f0000000240)=0x1c, 0x80000) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffff9c, 0x84, 0x66, &(0x7f00000002c0)={0x0, 0x9}, &(0x7f0000000300)=0x8) setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r3, 0x84, 0x77, &(0x7f0000000340)={r4, 0x1, 0x2, [0x6, 0x3]}, 0xc) r5 = socket$inet_sctp(0x2, 0x5, 0x84) getsockopt$inet_sctp_SCTP_MAX_BURST(r5, 0x84, 0x14, &(0x7f0000000140)=@assoc_value, &(0x7f00000001c0)=0x8) ioctl$sock_FIOGETOWN(r3, 0x8903, &(0x7f0000000180)=0x0) getpgrp(r6) ioctl$PPPIOCGFLAGS(r3, 0x8004745a, &(0x7f0000000540)) [ 651.926992] binder: BINDER_SET_CONTEXT_MGR already set [ 651.942819] binder: 3270:3271 ioctl 40046207 0 returned -16 21:37:02 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd7f8}, 'syz0\x00'}) 21:37:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x13, 0x0, [0x40000003]}) 21:37:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6c000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7a010000]}) 21:37:02 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000080)={0x3, 0x4d, 0xfffffffffffffffd}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 652.191672] input: syz1 as /devices/virtual/input/input1791 [ 652.222545] binder: 3308:3312 got transaction with invalid offset (1811939328, min 0 max 24) or object. 21:37:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x72, 0x0, [0x40000003]}) [ 652.256847] input: syz1 as /devices/virtual/input/input1792 [ 652.263400] binder: 3308:3312 transaction failed 29201/-22, size 24-8 line 3033 [ 652.339889] binder_alloc: binder_alloc_mmap_handler: 3308 20001000-20004000 already mapped failed -16 [ 652.378803] binder: BINDER_SET_CONTEXT_MGR already set 21:37:02 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000140)=ANY=[@ANYBLOB="776889f5170bfc036da51cc7172ee49f79db572f792ad0bea4c2d6ccd2af24505ed5624390"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 652.394033] binder: 3308:3312 ioctl 40046207 0 returned -16 [ 652.416110] binder_alloc: 3308: binder_alloc_buf, no vma 21:37:02 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0xffffffffffffffff) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000700)={0xa0, 0x19, 0x0, {0x1140, {}, 0x0, 0x0, 0x0, 0x1}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:02 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x88ffffffff}, 'syz0\x00'}) 21:37:02 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x24, 0x0, [0x40000003]}) [ 652.467608] binder: 3308:3323 transaction failed 29189/-3, size 24-8 line 2970 21:37:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4c00]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:02 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x86010000]}) [ 652.611186] input: syz1 as /devices/virtual/input/input1793 21:37:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x2e, 0x0, [0x40000003]}) [ 652.674037] binder: 3340:3345 got transaction with invalid offset (19456, min 0 max 24) or object. [ 652.712313] 9pnet: Insufficient options for proto=fd 21:37:03 executing program 1: r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vsock\x00', 0x8000, 0x0) setsockopt$bt_BT_VOICE(r0, 0x112, 0xb, &(0x7f00000001c0)=0x8, 0x2) setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000440)=ANY=[@ANYBLOB="23742a80969e9ef57b26121a003f680b0174bf09ebd1e44e4eb5b44813b44afd6b4dd66c4add77fded737067d51fa8d7f04b01953c39f0a288df707c40f633857ea53522", @ANYRES32=r0, @ANYPTR64, @ANYPTR], 0x4, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f0000000100)={0x15cd200000000, 0x2, 0x80000001, 0xffffffff, 0xffffffff, 0x3}) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) socketpair$inet_udp(0x2, 0x2, 0x0, &(0x7f00000002c0)) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) fsetxattr$trusted_overlay_redirect(r1, &(0x7f0000000200)='trusted.overlay.redirect\x00', &(0x7f0000000240)='./file0/file0\x00', 0xe, 0x0) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_CREATE_IRQCHIP(r2, 0xae60) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 652.739583] 9pnet: Insufficient options for proto=fd [ 652.750984] binder_alloc: binder_alloc_mmap_handler: 3340 20001000-20004000 already mapped failed -16 [ 652.769575] input: syz1 as /devices/virtual/input/input1794 [ 652.788705] 9pnet: Insufficient options for proto=fd [ 652.800519] binder: BINDER_SET_CONTEXT_MGR already set [ 652.828808] 9pnet: Insufficient options for proto=fd [ 652.834098] binder: 3340:3345 ioctl 40046207 0 returned -16 21:37:03 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3a000000]}) 21:37:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x53, 0x0, [0x40000003]}) [ 652.856350] binder_release_work: 3 callbacks suppressed [ 652.856357] binder: undelivered TRANSACTION_ERROR: 29201 [ 652.892060] binder: undelivered TRANSACTION_ERROR: 29189 21:37:03 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x2, {0x2, [{}, {}]}}, 0xffffffffffffffa0) getsockname(r0, &(0x7f0000000400)=@ax25, &(0x7f0000000080)=0x80) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4c]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:03 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdff8000000000000}, 'syz0\x00'}) [ 653.047297] binder: 3372:3373 got transaction with invalid offset (76, min 0 max 24) or object. [ 653.104178] input: syz1 as /devices/virtual/input/input1795 [ 653.124627] binder_alloc: binder_alloc_mmap_handler: 3372 20001000-20004000 already mapped failed -16 21:37:03 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) r3 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0x1, 0x800) ioctl$DMA_BUF_IOCTL_SYNC(r3, 0x40086200, &(0x7f0000000180)=0x6) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f00000002c0)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB="0b000000291100000000006e5164ff8542dc7ffeea5f354ffb2c1df890b071ff24f350dec168fd39128b94698ac4f89d94f3f4f34b78bcddb246db2a3ffad442cc"], 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{0x0, 0x2}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:03 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x100c0]}) 21:37:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x71, 0x0, [0x40000003]}) [ 653.156088] input: syz1 as /devices/virtual/input/input1796 [ 653.164653] binder: BINDER_SET_CONTEXT_MGR already set 21:37:03 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) io_setup(0x6, &(0x7f0000000140)=0x0) r4 = openat$mixer(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/mixer\x00', 0x400000, 0x0) io_submit(r3, 0x1, &(0x7f0000000340)=[&(0x7f0000000300)={0x0, 0x0, 0x0, 0x1, 0x2, r2, &(0x7f00000001c0)="eb6afa3d5ffa2dd79928b0da11ca15869d62d0b948f6505b3c7ea643247e4a2fa06a429c168388daf85748bf6db4ce5074b6dd0118fcfa94b501f05ecbf7ede8608291902f07df21558e6e68529729e8a6b08ff90105ea14bcd0752ce3f2571f0d2ae62e48fdf2f6be33bbfefd3637800e5a6f59135ced57ab4025ac066961257ce1c9d852a141d65ad9cd08de3c1081b65e724ed80d2cc4de086ca0fb", 0x9d, 0x0, 0x0, 0x2, r4}]) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 653.227520] binder: undelivered TRANSACTION_ERROR: 29201 [ 653.241872] binder: 3372:3373 ioctl 40046207 0 returned -16 21:37:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:03 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1700]}) 21:37:03 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd8f8000000000000}, 'syz0\x00'}) 21:37:03 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x14, 0x0, [0x40000003]}) 21:37:03 executing program 2: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000080)={[], 0x0, 0x241}) ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000340)={0x1, 0x0, @pic={0x0, 0x7fff, 0x0, 0x0, 0x1}}) ioctl$KVM_RUN(r2, 0xae80, 0x0) socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r5, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r4}, 0x2c, {'wfdno', 0x3d, r5}}) write$P9_RREADDIR(r5, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r5, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r5, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r5, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r5, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r5, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r4}, 0x2c, {'wfdno', 0x3d, r5}, 0x2c, {[{@access_uid={'access'}}]}}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') [ 653.447026] binder: 3402:3406 got transaction with invalid offset (7, min 0 max 24) or object. [ 653.508866] input: syz1 as /devices/virtual/input/input1797 [ 653.519574] binder_alloc: binder_alloc_mmap_handler: 3402 20001000-20004000 already mapped failed -16 [ 653.555732] input: syz1 as /devices/virtual/input/input1798 [ 653.567812] binder: BINDER_SET_CONTEXT_MGR already set [ 653.595658] binder: 3402:3406 ioctl 40046207 0 returned -16 21:37:04 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) pipe(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) bind$bt_l2cap(r3, &(0x7f00000001c0)={0x1f, 0x800, {0x5, 0x6, 0x4, 0xe1c, 0x400, 0x7}, 0x1, 0x1}, 0xe) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 653.607011] binder_alloc: 3402: binder_alloc_buf, no vma 21:37:04 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x4f, 0x0, [0x40000003]}) 21:37:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x400000b0]}) [ 653.699802] binder: undelivered TRANSACTION_ERROR: 29201 [ 653.716567] binder: undelivered TRANSACTION_ERROR: 29189 21:37:04 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd9f80000}, 'syz0\x00'}) 21:37:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4800000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:04 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) r3 = geteuid() lstat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) write$P9_RGETATTR(r2, &(0x7f0000000700)={0xa0, 0x19, 0x2, {0x0, {0x0, 0x0, 0x2}, 0x2, r3, r4, 0x1e3d, 0x1f, 0x7be9, 0x493c, 0xa7f8, 0x9, 0x7, 0x8, 0x1000, 0xff, 0x3, 0x7, 0x3, 0x401, 0xffff}}, 0xa0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140, {}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}}, 0xa0) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') 21:37:04 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x44, 0x0, [0x40000003]}) 21:37:04 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_open_dev$vcsa(&(0x7f0000000140)='/dev/vcsa#\x00', 0x24000000000000, 0x40) ioctl$TUNSETFILTEREBPF(r2, 0x800454e1, &(0x7f00000001c0)=r1) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000200)={0x0, 0x6}, &(0x7f0000000240)=0x8) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r2, 0x84, 0x6, &(0x7f00000002c0)={r4, @in={{0x2, 0x4e21, @local}}}, 0x84) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 653.888400] input: syz1 as /devices/virtual/input/input1799 [ 653.920483] binder: 3444:3448 got transaction with invalid offset (5188146770730811392, min 0 max 24) or object. 21:37:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9901]}) [ 654.007869] binder_alloc: binder_alloc_mmap_handler: 3444 20001000-20004000 already mapped failed -16 [ 654.038506] input: syz1 as /devices/virtual/input/input1800 [ 654.052927] binder: BINDER_SET_CONTEXT_MGR already set 21:37:04 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000080)='team_slave_0\x00', 0x10) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 654.104779] binder: 3444:3448 ioctl 40046207 0 returned -16 [ 654.133664] binder: undelivered TRANSACTION_ERROR: 29201 21:37:04 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x1a, 0x0, [0x40000003]}) [ 654.149990] binder: undelivered TRANSACTION_ERROR: 29189 21:37:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x8000000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1e01]}) 21:37:04 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x88}, 'syz0\x00'}) 21:37:04 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) r3 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB="0bf5000029010000000491976fc63732090080000000000000a35edff0f9b6c2047148f55a65e664db24884711986c64415b47f4615867a3d7dfbea6c6e8f1bf94"], 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000000700)={{{@in=@loopback, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @remote}}, 0x0, @in=@broadcast}}, &(0x7f0000000080)=0xe8) lstat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_open_dev$sndmidi(&(0x7f00000002c0)='/dev/snd/midiC#D#\x00', 0x1b, 0x2) write$P9_RGETATTR(r2, &(0x7f0000000940)={0xa0, 0x19, 0x1, {0x20, {0x1, 0x3, 0x7}, 0x12, r4, r5, 0x40, 0x9, 0xfffffffffffffffc, 0x10000, 0x1, 0x6, 0x81, 0x80, 0x3, 0x45a, 0x0, 0x2, 0x8, 0x0, 0x2}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) r7 = openat$full(0xffffffffffffff9c, &(0x7f0000000380)='/dev/full\x00', 0x0, 0x0) ioctl$EVIOCSABS2F(r7, 0x401845ef, &(0x7f00000003c0)={0x3, 0x7fb, 0x80000000, 0x60000000000, 0x4, 0x3}) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') [ 654.350689] binder: 3482:3485 got transaction with invalid offset (-9223372036854775808, min 0 max 24) or object. 21:37:04 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) fcntl$F_GET_RW_HINT(r1, 0x40b, &(0x7f0000000140)) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:04 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x6a, 0x0, [0x40000003]}) [ 654.416513] binder_transaction: 7 callbacks suppressed [ 654.416533] binder: 3482:3485 transaction failed 29201/-22, size 24-8 line 3033 21:37:04 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xde01]}) [ 654.480167] binder_alloc: binder_alloc_mmap_handler: 3482 20001000-20004000 already mapped failed -16 [ 654.503461] binder: BINDER_SET_CONTEXT_MGR already set [ 654.510208] binder: 3482:3485 ioctl 40046207 0 returned -16 [ 654.516752] binder_alloc: 3482: binder_alloc_buf, no vma [ 654.531494] binder: 3482:3488 transaction failed 29189/-3, size 24-8 line 2970 [ 654.585672] binder: undelivered TRANSACTION_ERROR: 29201 [ 654.593353] binder: undelivered TRANSACTION_ERROR: 29189 21:37:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x14000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:05 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) mount$9p_fd(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000180)='9p\x00', 0x20, &(0x7f0000000700)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_client='access=client'}, {@cachetag={'cachetag', 0x3d, '9p\x00'}}, {@msize={'msize', 0x3d, 0x3}}], [{@fsmagic={'fsmagic', 0x3d, 0x2}}]}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') fcntl$setpipe(r0, 0x407, 0x5) r5 = syz_open_dev$mice(&(0x7f00000002c0)='/dev/input/mice\x00', 0x0, 0x2000) ioctl$sock_inet_SIOCADDRT(r5, 0x890b, &(0x7f0000000400)={0x927, {0x2, 0x4e24}, {0x2, 0x4e22, @loopback}, {0x2, 0x4e21, @rand_addr=0x1e9}, 0x204, 0x3, 0x20, 0x8, 0x9, &(0x7f0000000380)='syzkaller0\x00', 0x9, 0x7, 0x7}) [ 654.632490] input: syz1 as /devices/virtual/input/input1801 21:37:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x59, 0x0, [0x40000003]}) [ 654.704107] input: syz1 as /devices/virtual/input/input1802 21:37:05 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1f0001c000000000]}) [ 654.762944] binder: 3509:3514 got transaction with invalid offset (335544320, min 0 max 24) or object. 21:37:05 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x7}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) r3 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000140)='/dev/ppp\x00', 0x484081, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000000200)={0x0, 0x18, 0xfa00, {0x3, &(0x7f00000001c0)={0xffffffffffffffff}, 0x13f, 0x1}}, 0x20) write$RDMA_USER_CM_CMD_REJECT(r3, &(0x7f0000000440)={0x9, 0x108, 0xfa00, {r4, 0xef, "36d1a5", "6dcc388beceddd2a4bdad01dd3ec153a805145e75233ec369a478911a737700dad478ae7a0e9105d74fd4df5ab049eb8c727a44e61135f581954645705686b2170374fc809afb5b406d1e2e04372a9b84bdb8b4987e01ba522a673402fec316587bd64ae8f799dba85bb56df4142406c62c68768f82a0ef535e576c2806440e269cb72af3aac89ccdb2baf21cec2d9f3cffbf892c1c5f2017a58ca80d111d498c258cd04452c6fa7dd22f7e41b91442334a3c9db08d825d21e08c1ddf54e046323bab192e9b928967b0cc41b0f77d35950e77390d551d7cb365d7f4ea82d56c8e9c9886482870a26ec3e49dbcf56fc6a9bba11901d9bb2b2ca811e020b1f748d"}}, 0x110) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 654.817027] binder: 3509:3514 transaction failed 29201/-22, size 24-8 line 3033 [ 654.840823] binder_alloc: binder_alloc_mmap_handler: 3509 20001000-20004000 already mapped failed -16 [ 654.869277] binder: BINDER_SET_CONTEXT_MGR already set 21:37:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x9801000000000000, [0x40000003]}) 21:37:05 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd1f8}, 'syz0\x00'}) 21:37:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x12000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 654.889883] binder: 3509:3514 ioctl 40046207 0 returned -16 [ 654.898537] binder_alloc: 3509: binder_alloc_buf, no vma [ 654.908390] binder: 3509:3520 transaction failed 29189/-3, size 24-8 line 2970 [ 654.918274] binder: undelivered TRANSACTION_ERROR: 29201 21:37:05 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') r4 = syz_open_dev$vcsa(&(0x7f0000000080)='/dev/vcsa#\x00', 0xf87, 0x20002) getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(0xffffffffffffffff, 0x84, 0x72, &(0x7f0000000180)={0x0, 0x6, 0x20}, &(0x7f00000002c0)=0xc) setsockopt$inet_sctp6_SCTP_ASSOCINFO(r4, 0x84, 0x1, &(0x7f0000000380)={r5, 0x6, 0xfffffffffffffffc, 0x101, 0x1, 0xb84}, 0x14) [ 655.022278] input: syz1 as /devices/virtual/input/input1803 [ 655.081074] binder: 3533:3535 got transaction with invalid offset (301989888, min 0 max 24) or object. [ 655.101243] input: syz1 as /devices/virtual/input/input1804 [ 655.128319] binder: 3533:3535 transaction failed 29201/-22, size 24-8 line 3033 21:37:05 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x24d564b]}) 21:37:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x14d564b00000000, [0x40000003]}) 21:37:05 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)) r0 = syz_open_dev$sndpcmp(&(0x7f0000000380)='/dev/snd/pcmC#D#p\x00', 0x9, 0x20400) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400201) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000080)=ANY=[@ANYBLOB="08000100000000000000000000000000000000000013f8b63070c4f66db8d4d100f207002e2f66696c65a5a5fa7e6f309c067c855e"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x1, 0x6f, 0x0, {0x2, [{}, {0x40}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000180)='./file0\x00', 0x408000, 0x50) mknodat(r3, &(0x7f00000002c0)='./file0\x00', 0x82, 0x9) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 655.165844] binder_alloc: binder_alloc_mmap_handler: 3533 20001000-20004000 already mapped failed -16 [ 655.224212] binder_alloc: 3533: binder_alloc_buf, no vma [ 655.234269] binder: BINDER_SET_CONTEXT_MGR already set [ 655.268107] binder: 3533:3535 ioctl 40046207 0 returned -16 [ 655.303003] binder: 3533:3545 transaction failed 29189/-3, size 24-8 line 2970 21:37:05 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffffffa0008000}, 'syz0\x00'}) 21:37:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x500]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:05 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1100, [0x40000003]}) 21:37:05 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7901]}) [ 655.495795] input: syz1 as /devices/virtual/input/input1805 [ 655.557342] binder: 3568:3569 got transaction with invalid offset (1280, min 0 max 24) or object. [ 655.598975] input: syz1 as /devices/virtual/input/input1806 [ 655.605609] binder: 3568:3569 transaction failed 29201/-22, size 24-8 line 3033 [ 655.643839] binder_alloc: binder_alloc_mmap_handler: 3568 20001000-20004000 already mapped failed -16 [ 655.683809] binder: BINDER_SET_CONTEXT_MGR already set [ 655.691569] binder_alloc: 3568: binder_alloc_buf, no vma [ 655.695491] binder: 3568:3569 ioctl 40046207 0 returned -16 [ 655.697717] binder: 3568:3575 transaction failed 29189/-3, size 24-8 line 2970 21:37:06 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000140)={0x15004, 0x11c000}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:06 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB="7472616e733da6642c7266646e6f3d96267da1f5c29b3d6f5004a351ce2d0f4df18e5d23ffec2ebf74c5c7d9f82a72013260569c7e19caeed1244444a7a2f22a9aba", @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x170101c000000000]}) 21:37:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010112, [0x40000003]}) 21:37:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:06 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc7f8000000000000}, 'syz0\x00'}) [ 655.838402] binder: 3581:3583 got transaction with invalid offset (6, min 0 max 24) or object. [ 655.865881] 9pnet: Could not find request transport: ¦d [ 655.903604] 9pnet: Could not find request transport: ¦d [ 655.913024] binder: 3581:3583 transaction failed 29201/-22, size 24-8 line 3033 21:37:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3b00000000000000]}) [ 655.956492] binder_alloc: binder_alloc_mmap_handler: 3581 20001000-20004000 already mapped failed -16 21:37:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x830000c000000000, [0x40000003]}) 21:37:06 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RLERRORu(r2, &(0x7f0000000380)={0x10, 0x7, 0x1, {{0x3, '9p\x00'}, 0xe}}, 0x10) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) lsetxattr$security_capability(&(0x7f0000000080)='./file0\x00', &(0x7f0000000180)='security.capability\x00', &(0x7f00000002c0)=@v2={0x2000000, [{0x1ff}, {0x5, 0xe200}]}, 0x14, 0x0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB="2c760000008000000000", @ANYRESDEC=0x0, @ANYBLOB=',\x00']) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 655.999268] input: syz1 as /devices/virtual/input/input1807 [ 656.007339] binder: BINDER_SET_CONTEXT_MGR already set [ 656.019469] binder: 3581:3583 ioctl 40046207 0 returned -16 [ 656.040837] input: syz1 as /devices/virtual/input/input1808 21:37:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7a]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 656.076894] binder_alloc: 3581: binder_alloc_buf, no vma [ 656.101539] binder: 3581:3605 transaction failed 29189/-3, size 24-8 line 2970 21:37:06 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000140)='/dev/hwrng\x00', 0x200000, 0x0) getsockname$unix(r2, &(0x7f00000001c0)=@abs, &(0x7f0000000240)=0x6e) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) 21:37:06 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0xb, 0x29, 0x1}, 0xffffff48) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:06 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe0f8000000000000}, 'syz0\x00'}) 21:37:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3b000000]}) [ 656.280037] input: syz1 as /devices/virtual/input/input1809 [ 656.297367] binder: 3621:3625 got transaction with invalid offset (122, min 0 max 24) or object. 21:37:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xde01000000000000, [0x40000003]}) [ 656.365727] input: syz1 as /devices/virtual/input/input1810 [ 656.374155] binder_alloc: binder_alloc_mmap_handler: 3621 20001000-20004000 already mapped failed -16 [ 656.417918] binder: BINDER_SET_CONTEXT_MGR already set [ 656.423339] binder: 3621:3625 ioctl 40046207 0 returned -16 21:37:06 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x11000000]}) [ 656.465596] binder_alloc: 3621: binder_alloc_buf, no vma 21:37:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xffffff7f00000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:06 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19ce0c62fc3e45548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:06 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x4000000000000000}, 'syz0\x00'}) 21:37:06 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x70001c000000000, [0x40000003]}) [ 656.636202] binder: 3655:3658 got transaction with invalid offset (-554050781184, min 0 max 24) or object. 21:37:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xe006]}) [ 656.691967] binder: BINDER_SET_CONTEXT_MGR already set [ 656.704438] binder_alloc: 3655: binder_alloc_buf, no vma [ 656.714537] input: syz1 as /devices/virtual/input/input1811 [ 656.740373] binder: 3655:3658 ioctl 40046207 0 returned -16 [ 656.750414] input: syz1 as /devices/virtual/input/input1812 21:37:07 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x7f040000, [0x40000003]}) 21:37:07 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0xfffffffffffffef9) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) setxattr$trusted_overlay_origin(&(0x7f0000000440)='./file0\x00', &(0x7f00000004c0)='trusted.overlay.origin\x00', &(0x7f0000000700)='y\x00', 0x2, 0x2) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) getsockopt$IP_VS_SO_GET_TIMEOUT(r0, 0x0, 0x486, &(0x7f0000000080), &(0x7f0000000100)=0xc) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r4 = creat(&(0x7f0000000800)='./file0\x00', 0x4) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT(r2, 0xc0a85352, &(0x7f0000000740)={{0x6, 0x86}, 'port0\x00', 0x80, 0x20, 0xbb99, 0x5, 0x3, 0xfffffffffffffff9, 0x2, 0x0, 0x1, 0x200}) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) ioctl$SNDRV_TIMER_IOCTL_STOP(r4, 0x54a1) write$P9_RREADDIR(r3, &(0x7f0000000a00)=ANY=[@ANYBLOB="2a000000290100000000000000000000000000000000000000000000000000000007002e2f66696c65300f80f8027930b8d89cb64b1ad17de3a6c00ec60e966f8f7cb0bbe604ce08"], 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB="2c7766e77fe429", @ANYRESHEX=r3, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB=',\x00']) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000180)='./file0\x00', r5, &(0x7f0000000380)='./file0\x00') r6 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000400)='net/rfcomm\x00') getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x75, &(0x7f0000000500)={0x0, 0x5}, &(0x7f0000000540)=0x8) ioctl$DRM_IOCTL_GET_UNIQUE(r6, 0xc0106401, &(0x7f00000008c0)={0x81, &(0x7f0000000940)=""/129}) setsockopt$inet_sctp_SCTP_AUTH_DELETE_KEY(r6, 0x84, 0x19, &(0x7f00000005c0)={r7}, 0x8) 21:37:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4c000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:07 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x500000000000000}, 'syz0\x00'}) 21:37:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4b564d00]}) [ 656.994119] 9pnet: Insufficient options for proto=fd 21:37:07 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vsock\x00', 0x80800, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) getsockopt$XDP_MMAP_OFFSETS(r3, 0x11b, 0x1, &(0x7f00000001c0), &(0x7f0000000240)=0x60) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:07 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x3a000000, [0x40000003]}) [ 657.018599] 9pnet: Insufficient options for proto=fd [ 657.033060] binder: 3688:3690 got transaction with invalid offset (1275068416, min 0 max 24) or object. [ 657.047947] input: syz1 as /devices/virtual/input/input1813 [ 657.084277] 9pnet: Insufficient options for proto=fd [ 657.102594] binder: BINDER_SET_CONTEXT_MGR already set [ 657.116466] input: syz1 as /devices/virtual/input/input1814 [ 657.139243] binder: 3688:3690 ioctl 40046207 0 returned -16 [ 657.139391] 9pnet: Insufficient options for proto=fd [ 657.150516] binder_alloc: 3688: binder_alloc_buf, no vma 21:37:07 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xa000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4b564d01]}) 21:37:07 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xa01, [0x40000003]}) 21:37:07 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xa000000}, 'syz0\x00'}) [ 657.305966] binder: 3715:3716 got transaction with invalid offset (167772160, min 0 max 24) or object. [ 657.330174] binder: BINDER_SET_CONTEXT_MGR already set [ 657.337223] binder_alloc: 3715: binder_alloc_buf, no vma [ 657.342879] binder: 3715:3716 ioctl 40046207 0 returned -16 21:37:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x60000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:07 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000180)='/dev/hwrng\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f00000002c0)=@assoc_value, &(0x7f0000000380)=0x8) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) pipe2$9p(&(0x7f0000000080), 0x80800) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{0x0, 0x0, 0x3}, {}]}}, 0xfffffffffffffe48) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 657.459650] input: syz1 as /devices/virtual/input/input1815 21:37:07 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="2454870080d2000000000000"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000200)='/dev/snapshot\x00', 0x80000, 0x0) ioctl$KVM_ASSIGN_SET_INTX_MASK(r1, 0x4040aea4, &(0x7f0000000240)={0xfffffffffffffffc, 0x6, 0x10000, 0x4, 0x37da}) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = dup2(r3, r2) getsockname$inet6(r4, &(0x7f0000000140)={0xa, 0x0, 0x0, @ipv4={[], [], @rand_addr}}, &(0x7f00000001c0)=0x1c) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) 21:37:07 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa01000000000000]}) 21:37:07 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x199, [0x40000003]}) [ 657.534952] input: syz1 as /devices/virtual/input/input1816 [ 657.626845] binder: BINDER_SET_CONTEXT_MGR already set [ 657.652540] binder_alloc: 3735: binder_alloc_buf, no vma 21:37:08 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x6c00}, 'syz0\x00'}) 21:37:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010000, [0x40000003]}) 21:37:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x99010000]}) [ 657.708970] binder: 3735:3740 ioctl 40046207 0 returned -16 21:37:08 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) socket$inet_tcp(0x2, 0x1, 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB="74726108733d66642c7266646e6f3d968dab6ce61726a8f36c6032b17384cc6fdfcc3593561456d0", @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB=',\x00']) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x2000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:08 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) modify_ldt$read(0x0, &(0x7f0000000440)=""/214, 0xd6) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) r3 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rfkill\x00', 0x20000, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) getsockopt$IP6T_SO_GET_ENTRIES(r3, 0x29, 0x41, &(0x7f00000001c0)={'filter\x00', 0x2a, "f80bc7a35e760bc2c9cfcf084907db1499cba8a056fa8d54fca74fd84a636e24bf6bf5db9ea786d624e6"}, &(0x7f0000000240)=0x4e) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 657.859223] input: syz1 as /devices/virtual/input/input1817 [ 657.929458] input: syz1 as /devices/virtual/input/input1818 [ 657.980296] binder_alloc_mmap_handler: 4 callbacks suppressed [ 657.980316] binder_alloc: binder_alloc_mmap_handler: 3766 20001000-20004000 already mapped failed -16 21:37:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4]}) 21:37:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xb0201c000000000, [0x40000003]}) [ 658.025898] binder: BINDER_SET_CONTEXT_MGR already set [ 658.032146] binder: 3766:3775 ioctl 40046207 0 returned -16 21:37:08 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0xffffffffffffff81, 0x6f, 0x1, {0x13b13b13b13b1237, [{0x0, 0x4}, {0x0, 0x0, 0x4000000000000002}]}}, 0x18) r3 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snapshot\x00', 0x880, 0x0) ioctl$TIOCSSOFTCAR(r3, 0x541a, &(0x7f0000000180)=0x7) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:08 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) [ 658.142228] binder_release_work: 17 callbacks suppressed [ 658.142235] binder: undelivered TRANSACTION_ERROR: 29201 21:37:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1b000000, [0x40000003]}) 21:37:08 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe6f8}, 'syz0\x00'}) 21:37:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010010]}) 21:37:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x2000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 658.280999] input: syz1 as /devices/virtual/input/input1819 21:37:08 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 658.403936] input: syz1 as /devices/virtual/input/input1820 [ 658.423425] binder_alloc: binder_alloc_mmap_handler: 3812 20001000-20004000 already mapped failed -16 21:37:08 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xff0b000000000000]}) 21:37:08 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0000102, [0x40000003]}) 21:37:08 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) tee(r0, r1, 0xffe0000000000000, 0x8) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 658.506161] binder: BINDER_SET_CONTEXT_MGR already set [ 658.511498] binder: 3812:3813 ioctl 40046207 0 returned -16 [ 658.534728] binder: undelivered TRANSACTION_ERROR: 29201 21:37:08 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8dc}, 'syz0\x00'}) 21:37:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x74]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:09 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff}) socketpair(0x2, 0x80000, 0x401, &(0x7f0000000440)={0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f00000000c0)=0x0) r5 = getpgid(0x0) mkdir(&(0x7f00000004c0)='./file0\x00', 0x14) r6 = syz_open_dev$mouse(&(0x7f00000001c0)='/dev/input/mouse#\x00', 0x9, 0x2802) kcmp$KCMP_EPOLL_TFD(r4, r5, 0x7, r0, &(0x7f0000000400)={r6, r0, 0x7}) getresuid(&(0x7f0000000180), &(0x7f00000002c0), &(0x7f0000000300)) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000700)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@noextend='noextend'}, {@access_client='access=client'}, {@version_9p2000='version=9p2000'}, {@noextend='noextend'}, {@cache_mmap='cache=mmap'}]}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r7 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r7, &(0x7f00000005c0)='./file0\x00') [ 658.735306] input: syz1 as /devices/virtual/input/input1821 [ 658.765828] binder_alloc: binder_alloc_mmap_handler: 3841 20001000-20004000 already mapped failed -16 21:37:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a00000000000000]}) [ 658.783285] input: syz1 as /devices/virtual/input/input1822 [ 658.819144] binder: BINDER_SET_CONTEXT_MGR already set [ 658.824475] binder: 3841:3845 ioctl 40046207 0 returned -16 21:37:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1a0, [0x40000003]}) 21:37:09 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) r3 = syz_open_dev$admmidi(&(0x7f0000000140)='/dev/admmidi#\x00', 0xffff, 0x80) setsockopt$inet6_MRT6_DEL_MFC_PROXY(r3, 0x29, 0xd3, &(0x7f00000001c0)={{0xa, 0x4e20, 0x9, @ipv4={[], [], @local}, 0x8001}, {0xa, 0x4e22, 0x72, @mcast1, 0xe74}, 0x6, [0x2, 0x2, 0xeff, 0xfffffffffffffff7, 0xffffffffffff8001, 0x4, 0x1, 0x9]}, 0x5c) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_PIT2(r3, 0x4070aea0, &(0x7f00000002c0)={[{0x101, 0x7, 0x18, 0x8, 0x5, 0x0, 0x1, 0x40, 0xb17, 0x8001, 0x1ff, 0x7, 0x4}, {0xfffffffffffffff8, 0xff, 0x3, 0x1, 0x400, 0x0, 0x7ff, 0x1f, 0x1000, 0x5258eebc, 0x7, 0x3e, 0x6}, {0x10000, 0xcdb9, 0x100, 0x0, 0x78, 0x7, 0x5, 0x800, 0xecfb, 0x10000, 0x4302, 0x8, 0x1}], 0x4}) 21:37:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x3]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 658.909680] binder: undelivered TRANSACTION_ERROR: 29201 [ 658.917369] binder: undelivered TRANSACTION_ERROR: 29189 21:37:09 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xfffffdfd}, 'syz0\x00'}) 21:37:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7f04000000000000]}) 21:37:09 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000180)='./file0\x00', 0x128) r4 = dup2(r0, r2) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r4, 0x6, 0x1d, &(0x7f0000000080)={0x7, 0xffffffff9fca60fa, 0x4, 0x7fe0000, 0x9}, 0x14) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) ioctl$TUNSETOFFLOAD(r4, 0x400454d0, 0xa) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB="aeb3d0c8684743e2de56110999ba3732e20e858fb51430234c23b556c89cc56f23bbe184a4fa9a49acd2aa45498b3a5432d8d39cf25caa5da9740c7e630ea1c49ae1b53fe7ea086d129392c48f10fb0180c98304b89798b9f3e7173fcf0a3fd869dd0c802d303b65676cb318e081168457670823b092d300000000000000032394533ec521232c0d4835cdff770474aaabddb79d4d7f90cd7425b1035a5303109a729957a3a17a3a8fceb6963f4c3e926b5b9e7a4f00000000d8b783"]) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 659.090551] binder_transaction: 4 callbacks suppressed [ 659.090564] binder: 3865:3871 got transaction with invalid offset (3, min 0 max 24) or object. [ 659.148149] input: syz1 as /devices/virtual/input/input1823 [ 659.163435] binder: BINDER_SET_CONTEXT_MGR already set [ 659.185873] binder_alloc: binder_alloc_mmap_handler: 3865 20001000-20004000 already mapped failed -16 21:37:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xff02000000000000, [0x40000003]}) [ 659.193238] binder: 3865:3871 ioctl 40046207 0 returned -16 [ 659.208559] input: syz1 as /devices/virtual/input/input1824 21:37:09 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) r3 = dup3(r1, r2, 0x80000) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r3, 0x402c5342, &(0x7f0000000400)={0x8, 0x7, 0x0, {0x0, 0x989680}, 0x1, 0x8b}) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') ioctl$TIOCGPTPEER(r3, 0x5441, 0x0) 21:37:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x175]}) [ 659.264098] binder: undelivered TRANSACTION_ERROR: 29201 [ 659.273908] binder: undelivered TRANSACTION_ERROR: 29189 21:37:09 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x100000) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) finit_module(r0, &(0x7f0000000140)='security.evm\x00', 0x3) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) chroot(&(0x7f00000001c0)='./file0\x00') ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000}, {0x0, 0x0, 0x0, 0xfffffffffffffffe}]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x60]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:09 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x200000000000000, [0x40000003]}) 21:37:09 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe6f80000}, 'syz0\x00'}) [ 659.494232] binder: 3902:3903 got transaction with invalid offset (96, min 0 max 24) or object. [ 659.533015] input: syz1 as /devices/virtual/input/input1825 [ 659.536410] binder_transaction: 16 callbacks suppressed 21:37:09 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x11]}) [ 659.536436] binder: 3902:3903 transaction failed 29201/-22, size 24-8 line 3033 [ 659.574545] input: syz1 as /devices/virtual/input/input1826 [ 659.627997] binder_alloc: binder_alloc_mmap_handler: 3902 20001000-20004000 already mapped failed -16 21:37:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x830000c0, [0x40000003]}) [ 659.670120] binder_alloc_new_buf_locked: 2 callbacks suppressed [ 659.670129] binder_alloc: 3902: binder_alloc_buf, no vma [ 659.698932] binder: BINDER_SET_CONTEXT_MGR already set [ 659.710495] binder: 3902:3903 ioctl 40046207 0 returned -16 21:37:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8b00000000000000]}) [ 659.723768] binder: undelivered TRANSACTION_ERROR: 29201 [ 659.729945] binder: 3902:3918 transaction failed 29189/-3, size 24-8 line 2970 [ 659.747396] binder: undelivered TRANSACTION_ERROR: 29189 21:37:10 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc3f8}, 'syz0\x00'}) 21:37:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x2000000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x10100c0, [0x40000003]}) [ 659.905698] input: syz1 as /devices/virtual/input/input1827 [ 659.906510] binder: 3930:3932 got transaction with invalid offset (2305843009213693952, min 0 max 24) or object. [ 659.942590] input: syz1 as /devices/virtual/input/input1828 [ 659.982457] binder: 3930:3932 transaction failed 29201/-22, size 24-8 line 3033 [ 660.020683] binder_alloc: binder_alloc_mmap_handler: 3930 20001000-20004000 already mapped failed -16 [ 660.066055] binder: BINDER_SET_CONTEXT_MGR already set [ 660.077458] binder: 3930:3932 ioctl 40046207 0 returned -16 [ 660.086634] binder_alloc: 3930: binder_alloc_buf, no vma [ 660.092319] binder: 3930:3941 transaction failed 29189/-3, size 24-8 line 2970 [ 660.108282] binder: undelivered TRANSACTION_ERROR: 29201 [ 660.115198] binder: undelivered TRANSACTION_ERROR: 29189 21:37:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x840000c0, [0x40000003]}) 21:37:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10000000]}) 21:37:10 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd2f8000000000000}, 'syz0\x00'}) 21:37:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x48000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:10 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0xfffffffffffffd72}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f0000000080)='./file0\x00') 21:37:10 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="04cdec19ce0c62fc3e41548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 660.273426] binder: 3952:3953 got transaction with invalid offset (1207959552, min 0 max 24) or object. [ 660.324272] input: syz1 as /devices/virtual/input/input1829 [ 660.343239] binder: 3952:3953 transaction failed 29201/-22, size 24-8 line 3033 21:37:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4b564d04]}) [ 660.384989] binder_alloc: binder_alloc_mmap_handler: 3952 20001000-20004000 already mapped failed -16 [ 660.432233] binder: BINDER_SET_CONTEXT_MGR already set [ 660.447525] binder: 3952:3953 ioctl 40046207 0 returned -16 [ 660.469174] input: syz1 as /devices/virtual/input/input1830 21:37:10 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB="723149c40d118f01f03ea91b92ac60902e00"]) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000080)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) r3 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000180)='/dev/vsock\x00', 0x42, 0x0) ioctl$SNDRV_SEQ_IOCTL_DELETE_PORT(r3, 0x40a85321, &(0x7f0000000700)={{0xffffffffffffff81}, 'port0\x00', 0x80, 0x0, 0x0, 0x0, 0x9, 0x200, 0x9, 0x0, 0x7, 0x9}) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:10 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x12000000, [0x40000003]}) [ 660.477992] binder_alloc: 3952: binder_alloc_buf, no vma [ 660.501156] binder: 3952:3975 transaction failed 29189/-3, size 24-8 line 2970 21:37:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xffffff7f]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:10 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = syz_open_dev$mice(&(0x7f00000001c0)='/dev/input/mice\x00', 0x0, 0x400000) ioctl$SNDRV_CTL_IOCTL_ELEM_LOCK(r0, 0x40405514, &(0x7f0000000200)={0x9, 0x3, 0x2, 0x3, 'syz0\x00', 0x1ff}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) r4 = syz_open_dev$dspn(&(0x7f0000000140)='/dev/dsp#\x00', 0x0, 0x5) ioctl$TIOCSBRK(r4, 0x5427) ioctl$KVM_RUN(r0, 0xae80, 0x0) 21:37:10 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd9010000]}) [ 660.639072] 9pnet: Insufficient options for proto=fd 21:37:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x20000, [0x40000003]}) [ 660.691356] binder: 3989:3992 got transaction with invalid offset (4294967167, min 0 max 24) or object. [ 660.697912] Unknown ioctl 1084773153 [ 660.724910] binder: 3989:3992 transaction failed 29201/-22, size 24-8 line 3033 21:37:11 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x48000000}, 'syz0\x00'}) [ 660.755101] binder_alloc: binder_alloc_mmap_handler: 3989 20001000-20004000 already mapped failed -16 [ 660.765588] Unknown ioctl 1084773153 [ 660.773330] 9pnet: Insufficient options for proto=fd [ 660.777705] binder: BINDER_SET_CONTEXT_MGR already set [ 660.792107] binder: 3989:3992 ioctl 40046207 0 returned -16 [ 660.811198] binder_alloc: 3989: binder_alloc_buf, no vma [ 660.832883] binder: 3989:3996 transaction failed 29189/-3, size 24-8 line 2970 21:37:11 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xdb010000]}) 21:37:11 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000002c0)='9p\x00', 0x0, &(0x7f0000000700)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file1\x00') r4 = getuid() lstat(&(0x7f0000000180)='./file0\x00', &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) lchown(&(0x7f0000000080)='./file1\x00', r4, r5) 21:37:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x600]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:11 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f00000001c0)={0x1}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 660.931184] input: syz1 as /devices/virtual/input/input1831 21:37:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4b564d01, [0x40000003]}) [ 661.022779] binder: 4011:4014 got transaction with invalid offset (1536, min 0 max 24) or object. [ 661.071202] binder: 4011:4014 transaction failed 29201/-22, size 24-8 line 3033 [ 661.080439] input: syz1 as /devices/virtual/input/input1832 [ 661.097143] binder_alloc: binder_alloc_mmap_handler: 4011 20001000-20004000 already mapped failed -16 21:37:11 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8]}) [ 661.157939] binder: BINDER_SET_CONTEXT_MGR already set [ 661.189860] binder: 4011:4014 ioctl 40046207 0 returned -16 21:37:11 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) r3 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2\x00', 0x40, 0x0) ioctl$EVIOCGUNIQ(r3, 0x80404508, &(0x7f0000000700)=""/149) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1d9, [0x40000003]}) [ 661.208282] binder_alloc: 4011: binder_alloc_buf, no vma [ 661.220125] binder: 4011:4033 transaction failed 29189/-3, size 24-8 line 2970 21:37:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x300]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:11 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8d5}, 'syz0\x00'}) 21:37:11 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4068aea3, &(0x7f00000001c0)={0x7b, 0x0, [0x7, 0x4, 0x7, 0x7]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:11 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x800000c000000000]}) 21:37:11 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010141, [0x40000003]}) [ 661.453262] binder: 4047:4051 got transaction with invalid offset (768, min 0 max 24) or object. [ 661.470942] input: syz1 as /devices/virtual/input/input1833 21:37:11 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="7d019685cc7309fc26acd51ab2b36237", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = syz_open_dev$usb(&(0x7f0000000080)='/dev/bus/usb/00#/00#\x00', 0xbf, 0x101000) setsockopt$packet_int(r3, 0x107, 0x13, &(0x7f0000000180)=0x80000000, 0x4) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 661.497825] binder_alloc: binder_alloc_mmap_handler: 4047 20001000-20004000 already mapped failed -16 [ 661.535086] input: syz1 as /devices/virtual/input/input1834 [ 661.546961] binder: BINDER_SET_CONTEXT_MGR already set [ 661.569586] binder: 4047:4051 ioctl 40046207 0 returned -16 [ 661.595926] binder_alloc: 4047: binder_alloc_buf, no vma 21:37:12 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x6e0]}) [ 661.659763] 9pnet: Insufficient options for proto=fd 21:37:12 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc0f80000}, 'syz0\x00'}) 21:37:12 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x221001c000000000, [0x40000003]}) 21:37:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6800]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:12 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="2c0ccc200f6f3d77e7eb3b59657621f5891fa6f94ec5e8ba74e8f31c275ebca82bf4fe3344a4998b8001dd7a1e4bdf60014cbfd67e99b9f74e8c12658b96", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="2a000000290100000000000000000000000000000000000000000000000000000007002e2f66696c6530801431c76a9d21a583c3291d98d92cb1231f5d4b010f7c428a77d77fcde4e79761c24e54794f688d2fb2da7a3900000000f15675b414d801fa74a8a124aa93d68fa782139a5e905fe3a05e9a05130cec08972fe38f65db856872b83c9db78c35b81c8bae3b2f0719219738f7e17b66d44216eb09e3e471525e117a1b44229613e98926c6e4d8bde24196afe31b12960bb759fb6a2266d33cb7c281d3bbf45e00535e480112c8c7d12e8db7e13d52722dc24b91b821e4209847d6e1544f8d2daf9ebccff4a0c1ade3ac03eb2cac73d0"], 0x2a) r3 = accept4(r0, 0x0, &(0x7f0000000080), 0x800) getsockname$inet(r3, &(0x7f0000000180)={0x2, 0x0, @multicast1}, &(0x7f00000002c0)=0x10) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) ioctl$sock_inet_SIOCGIFPFLAGS(r3, 0x8935, &(0x7f0000000380)={'bond_slave_0\x00', 0x80}) write$P9_RREADDIR(r2, &(0x7f00000004c0)={0x2a, 0x29, 0x1, {0x0, [{{0x81, 0x4, 0x4}, 0x2b, 0x200, 0x7, './file0'}]}}, 0x2a) fcntl$setflags(r1, 0x2, 0x1) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') dup3(r1, r2, 0x80000) setsockopt$inet_tcp_TCP_CONGESTION(r3, 0x6, 0xd, &(0x7f00000001c0)='illinois\x00', 0x9) ioctl$PPPOEIOCDFWD(r3, 0xb101, 0x0) [ 661.835869] input: syz1 as /devices/virtual/input/input1835 [ 661.867893] binder: 4078:4084 got transaction with invalid offset (26624, min 0 max 24) or object. [ 661.893378] 9pnet: Insufficient options for proto=fd [ 661.908382] input: syz1 as /devices/virtual/input/input1836 [ 661.914663] binder: BINDER_SET_CONTEXT_MGR already set [ 661.933447] binder_alloc: 4078: binder_alloc_buf, no vma 21:37:12 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x100001c000000000, [0x40000003]}) 21:37:12 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xe006000000000000]}) [ 661.953611] 9pnet: Insufficient options for proto=fd [ 661.959781] binder: 4078:4084 ioctl 40046207 0 returned -16 21:37:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6000000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 662.133037] binder: 4100:4101 got transaction with invalid offset (6917529027641081856, min 0 max 24) or object. [ 662.179456] binder: BINDER_SET_CONTEXT_MGR already set [ 662.194654] binder: 4100:4101 ioctl 40046207 0 returned -16 [ 662.219048] binder_alloc: 4100: binder_alloc_buf, no vma 21:37:12 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000140)=ANY=[@ANYBLOB="0400ed19ce0c62fc3e41416138548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$FS_IOC_GETFSMAP(r0, 0xc0c0583b, &(0x7f0000000440)={0x0, 0x0, 0x1, 0x0, [], [{0x10, 0xcc, 0x2, 0x100000000, 0x4, 0x2}, {0x5, 0xfffffffffffffff9, 0x8, 0xffffffff, 0x9fad, 0x7d}], [[]]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x9}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:12 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) r3 = dup3(r2, r2, 0x80000) setsockopt$SO_RDS_MSG_RXPATH_LATENCY(r3, 0x114, 0xa, &(0x7f0000000080)={0x3, "ac72d5"}, 0x4) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:12 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffff7f}, 'syz0\x00'}) 21:37:12 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x3a00000000000000, [0x40000003]}) 21:37:12 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x221001c0]}) 21:37:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7a00000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 662.376399] input: syz1 as /devices/virtual/input/input1837 [ 662.409976] binder: 4111:4122 got transaction with invalid offset (8791026472627208192, min 0 max 24) or object. [ 662.456554] input: syz1 as /devices/virtual/input/input1838 [ 662.484094] binder: BINDER_SET_CONTEXT_MGR already set [ 662.496286] binder_alloc: 4111: binder_alloc_buf, no vma 21:37:12 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) syz_mount_image$ceph(&(0x7f0000000080)='ceph\x00', &(0x7f0000000180)='./file0\x00', 0x1, 0x6, &(0x7f0000000940)=[{&(0x7f0000000400)="c9330b70ed49edb610956333ebb7d6e40ea9d6262e2d2f22e32228db0ea4dcc74b5a44b68b7c3318c584e47f8538cd91e1219ec07e405729fd8db056780642e12b9a353c5ef8f071f23d6802bd539792c109a857fbfe", 0x56}, {&(0x7f00000002c0)="a271d40a38dfb512b0a01a264781ca2efd2de3a730", 0x15, 0x1}, {&(0x7f00000004c0)="3cf5fd3d094c4f7d2d9b4a74c9a58b75e96339408bbdb185bcc024020fd765531d9866044807fefcc771c43f81cfb34ba3df9a5ab8d469f79ce76ecb7c52a09bb13b664ae9a94d604dd91ecb8b7a7adfcf8f0b29bd07", 0x56, 0x8}, {&(0x7f0000000380)="9da523fb00e36d712a41986e22ac28838138bc238ad212faab27634d561df10984127ef061fc39b2942efb", 0x2b, 0xfffffffffffffe01}, {&(0x7f0000000700), 0x0, 0x6}, {&(0x7f0000000740)="c07aa8305e2c210504eef5525b28f32e2f40834ec4bb39ecf21d115b520d58e85601c9995c26148e60066ad6b8e22d0013430acb9a0a0c7da2b0b9f852098c7a9fdf0d22385dda8aa84116c0b059e3d5091f1e0a98ff67c491a01a4953d81dc74d738c2621e609d01fa84d9670d7e2def8d9de4eba2f71656ab1ef947e0164562f96bf1d6bc93609bff3e0c29f5710151ba3c561aadc795f0aa0fd332b9763d84dd937f7bd6d6ad7d897b7e5670f99feb509050374341b02867d7d36f38d32d1a0373046a6bf9c76e379944f83eb8611834f03680eb8b8ba06b83c69db", 0xdd, 0x2}], 0x4800, &(0x7f00000008c0)='\x00') write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{0x80, 0xfffffffffffffffc}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000700)=0x0) ptrace(0x8, r3) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:12 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b0001c0]}) 21:37:12 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x34000000, [0x40000003]}) [ 662.507334] binder: 4111:4122 ioctl 40046207 0 returned -16 21:37:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7a000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:13 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffff1f0000000000}, 'syz0\x00'}) 21:37:13 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x900d0000]}) [ 662.672768] ceph: device name is missing path (no : separator in /dev/loop2) [ 662.685541] binder_alloc: 4142: binder_alloc_buf, no vma [ 662.711689] binder: BINDER_SET_CONTEXT_MGR already set [ 662.754877] binder: 4142:4144 ioctl 40046207 0 returned -16 [ 662.797948] ceph: device name is missing path (no : separator in /dev/loop2) [ 662.864577] input: syz1 as /devices/virtual/input/input1839 [ 662.924370] input: syz1 as /devices/virtual/input/input1840 21:37:13 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = socket$nl_xfrm(0x10, 0x3, 0x6) close(r0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x100) getsockname$packet(0xffffffffffffff9c, &(0x7f0000000240)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f00000002c0)=0x14) ioctl$sock_inet6_SIOCADDRT(r1, 0x890b, &(0x7f0000000300)={@mcast1, @dev={0xfe, 0x80, [], 0xf}, @dev={0xfe, 0x80, [], 0x18}, 0xffffffff, 0xc5, 0x2, 0x500, 0x2, 0x20, r2}) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) syz_kvm_setup_cpu$x86(r4, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r5, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r4, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r4, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r5, 0xae80, 0x0) 21:37:13 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1f0001c0, [0x40000003]}) 21:37:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x1400]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:13 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/snat_reroute\x00', 0x2, 0x0) lstat(&(0x7f0000000380)='./file1\x00', &(0x7f0000000740)={0x0, 0x0, 0x0, 0x0, 0x0}) r3 = getgid() write$P9_RGETATTR(r1, &(0x7f0000000940)={0xa0, 0x19, 0x2, {0x210, {0x40, 0x0, 0x8}, 0x8, r2, r3, 0x0, 0x7, 0xaf7a000000, 0x7fff, 0x4, 0x1, 0x8000, 0xfffffffffffffff7, 0x80000000, 0x8e4, 0x9, 0x3, 0x10000, 0x870, 0x1d}}, 0xa0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r5, &(0x7f0000000700)={0xfffffffffffffe80}, 0x7) fstat(r0, &(0x7f0000000400)) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r4}, 0x2c, {'wfdno', 0x3d, r5}}) write$P9_RREADDIR(r5, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r5, &(0x7f0000000200)={0xa0, 0x19, 0x1, {0x0, {}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x56}}, 0xa0) r6 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000180)='/dev/qat_adf_ctl\x00', 0x84080, 0x0) ioctl$PIO_FONT(r6, 0x4b61, &(0x7f00000002c0)="b89c90c6417f252469878011023841012cc0da75696d6766a3988fa843") write$P9_RWALK(r5, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r5, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r5, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r5, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r4}, 0x2c, {'wfdno', 0x3d, r5}, 0x2c, {[{@access_uid={'access'}}]}}) r7 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) write$P9_RRENAMEAT(r5, &(0x7f0000000080)={0x7, 0x4b, 0x1}, 0x7) symlinkat(&(0x7f0000000500)='./file0\x00', r7, &(0x7f00000004c0)='./file0\x00') 21:37:13 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8b00]}) 21:37:13 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x7400000000000000}, 'syz0\x00'}) [ 663.198431] input: syz1 as /devices/virtual/input/input1841 [ 663.209819] binder_alloc_mmap_handler: 4 callbacks suppressed [ 663.209838] binder_alloc: binder_alloc_mmap_handler: 4175 20001000-20004000 already mapped failed -16 [ 663.244807] input: syz1 as /devices/virtual/input/input1842 [ 663.308688] binder: BINDER_SET_CONTEXT_MGR already set 21:37:13 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x47f]}) 21:37:13 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000080)='./file0\x00', 0x400000000000000) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 663.332881] binder: 4175:4177 ioctl 40046207 0 returned -16 [ 663.361700] binder_release_work: 16 callbacks suppressed [ 663.361707] binder: undelivered TRANSACTION_ERROR: 29189 [ 663.373169] binder: undelivered TRANSACTION_ERROR: 29201 21:37:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x6c00]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:13 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x48}, 'syz0\x00'}) 21:37:13 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x14d564b00000000]}) 21:37:13 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x580001c0, [0x40000003]}) 21:37:13 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) accept$unix(r2, &(0x7f00000001c0)=@abs, &(0x7f0000000140)=0x6e) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 663.562282] binder_alloc: binder_alloc_mmap_handler: 4208 20001000-20004000 already mapped failed -16 [ 663.577498] input: syz1 as /devices/virtual/input/input1843 [ 663.579666] binder: BINDER_SET_CONTEXT_MGR already set [ 663.589219] binder: undelivered TRANSACTION_ERROR: 29201 [ 663.598848] binder: undelivered TRANSACTION_ERROR: 29189 [ 663.604857] binder: 4208:4212 ioctl 40046207 0 returned -16 21:37:14 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) lsetxattr$security_selinux(&(0x7f0000000180)='./file0\x00', &(0x7f00000002c0)='security.selinux\x00', &(0x7f0000000380)='system_u:object_r:syslog_conf_t:s0\x00', 0x23, 0x2) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000400)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x1, [{0x1, 0x0, 0xfffffffffffffffc}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000080)=ANY=[@ANYBLOB="2a00000029d1804d5db6af0100000000000000000000000000000000000000000000000000002007002e2f66696c6530"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 663.660298] input: syz1 as /devices/virtual/input/input1844 21:37:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x48]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xfe00, [0x40000003]}) 21:37:14 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000101]}) [ 663.842108] binder_alloc: binder_alloc_mmap_handler: 4229 20001000-20004000 already mapped failed -16 21:37:14 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xccf80000}, 'syz0\x00'}) [ 663.885689] binder: BINDER_SET_CONTEXT_MGR already set [ 663.891687] binder: undelivered TRANSACTION_ERROR: 29201 [ 663.897947] binder: 4229:4231 ioctl 40046207 0 returned -16 [ 663.903876] binder: undelivered TRANSACTION_ERROR: 29189 21:37:14 executing program 2: setxattr$trusted_overlay_opaque(&(0x7f00000004c0)='./file0\x00', &(0x7f0000000500)='trusted.overlay.opaque\x00', &(0x7f00000007c0)='y\x00', 0x2, 0x3) socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}, 0x83ffc) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) fsetxattr(r1, &(0x7f0000000800)=@known='trusted.overlay.redirect\x00', &(0x7f0000001a80)='trans=fd,', 0x9, 0x1) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000180)={0x0, 0x0}, &(0x7f00000002c0)=0xc) r5 = syz_open_procfs(r3, &(0x7f0000001a40)='net/hci\x00') ioctl$KVM_XEN_HVM_CONFIG(r5, 0x4038ae7a, &(0x7f00000008c0)={0x2, 0x3fd, &(0x7f0000000940)="5f3de121cff4b2df3ea5c4b8a6b6bd27e8f51e7c12628ab4e91a0c15ea456897faa673001cfee9cdb07f383258f825f056fe1c88dc7217bb039b63d50dacd41608c05948881798404a4f00efd3e15fdd8caf2a1829e107ed120ea0a8d0429e36f26b3879fcdd9efca0f35b9881be7cc020f16c3401499b96202a978368607033171a7568be1baad718457b5153fcce5969d616e12a17ddb79b87540b87b909ac150b6c8c8c3f6bfc82bf7932b3ec591e338ddbbda1fce2d7c35b6527ac3828413b4fe5c52057e45f4fbe1fcc7969a397180f", &(0x7f0000000a40)="42a2748abea39f24713918b9b924402dc6e00737ed21dca5177d5a181c0f57b109ab425c175a554c0f10fcba7b30eecdc96874e331585e89b794486b4a3fde6a57685237a7b3b5d071baa962fcf997e724482daa3da4f6a2bb56c811743f903a9d048aa32cdbe66f78de20311ecf68c3ee02fbe36c64df57b4ec8c4d81a58b9676371abd388b009ade80ddfd1890768ef3a056174a7d75bd5c7cd82b5e2a2cc2d67f34b1d7c5dce5de742c12a77873f167f769299bf351f765e057de24335de17eb0706c8b086d62390c7afe92f0b4c814000551c02c392f43e8e74f714fad9ac29edf31f5d6af2e620a12496661647ec2b39f07e0202d08360cc22a5163fa0968673ca072590c0272b32aab1c5d7d1e17727d367b17a86a0e38247c95eb90df35ec49fac7d4c686b73642451404180ff9ca8b337a56873018c172ef225c499a9343201850955674e7aaa5290a38b610cee1636f0c46b4341a0f5ecdce58a3cfefac114934e0b3ccb59deb798e56e6642cd811e4b41112e253026ff5e18ff7f02b1bb6bd3c30281ac8874bc92fa37580495675c082f031b6570668d21c95a3d819a88a70235f67bb25f4777f9f5f462aaca330b3ea0a1ed50acfca2b2f2f54e50822fa048d7000fecb7ce918376dbc747abefac06d7bdc4fc116992928aa1a96d0011214f168fd7ccd79db5287eb4b8b39be3ed38c8d586dab232b03b69b62ad1a59d3c99e63898e796a23dca0ba2215b43f7f811bc3ad08d1cb1d00c2fe8894fcce0d058a869e6174bb4e2fe92178d04a316e0973f987b3dfd66acf20d1a614f1d18ee798a202c05959fcc2d4e77ca17ef292df381c0fc0177fc2b4fad182f8b2436c2112ac6b256d32c817f10e8569b0f6e3ff6b1185ca4a10b60788e607f00f6f34283e0a5e22f350bdeb25cf5cc1599ffee8159bb9e0ae10f296090e0ecce99c8d1d7338c1a370016965ccb47dc7204653c71519012311ee05ebbe2f99e32f37465c8ed17996b32b00e8fb97f342e8040667686cc7b5ea58ca6abdc30433ab957b324b6d16bad09f14b2ba9e390d3726185c9167255af8a5a53a7db3ae210b6d6f1598697236e2d836d27c298ccaa584826ebdf05aef6fd1494710fd9ca1c524ac0b898926e6154bc9aff176c79c940120cd32c4b6e14a5b0bc07e97bc3a6e2a6363e02328e9bdf21fd031845069c891d86e07c6ab39cc1b844d26cff1e508ba930438441e8174422adf1177ef9a6a3079e838ba17795e91af5e0381eeba55f9f0aad331973d008c55ca0ca0f501ba9ba2af7fc63b77e3663fdf476f6af0057ab84e7d6c0fa18a5439fdcebf1edcae4c0b9a64276cdcb2cfcf37bd6f836c73329088a7c8e5b7c0fc679441a594c6bc401bfb6ea1b3cd992320e177f2881f5e9ec1439791868f3c3522f90d32444d8a2156fd237d246ec1387230475d7652b6c1973bbcf8224b4e6f244499c3de5ac53b215920b63e7d06ac036502d00f95eda0880fdebeee266b58e980b5cd72165fc0e5198665d9e8fdae75f25a0b0c979da61511363041835b25ad92abc922f5f8acfdf0f13891d30de9f6d66b93326bc29b5b77d2915425a4eff7250849e5a525873baec8e64def4c9142eddd990beb697836046ed71c8b35adc1997f7b5239ecc40264a45be477136b5b759cb2b5e7d349823b52828694d1df2814c7c410e8e29759f06a8d2c27204c0834ce51b8d1201b6e1e47cf4dd90f7be6c04642d933625631fb992d932fc77704ef7a4995a435f0695a06cdc3a61d560e46b1d4b4e1bf5c87d6de517135a02fcb2b081bfe2dea183fc935e521956f2a9e3ee4c42496990a88ac55bd1b3439545ae37333a70d920c98af2b994cf1a80695fefcf613f799f307f17ca674d87f35c2a644b9011eacdbf231879c20a98711612f90931943beb603a6795c8a3929005f2b465aeb2d6368c19559646e73ab43bb72fff85ed7ef440918672c80c3f6ed370822a4eaaacad192c538eecc623b16403463a4359fed894668c925b866e6406d3f313cb5c0634f27e287cd44a169333b8cf9ed1b7d78abb88a01fdbb52b0552c4fe3b9aa19a3759c9234890ea0694b2b19abbeeb22019903a6d85e49ac6bbfdae94234fd2e2c5301052c306b94bb1c4110906f4b503fd7a0e8204244a60c5c3656b51bc4ba5c77ab0543eef2fb89da2d9aeb26f8ad7af5b2a3f1a2c1d4643e615cad683198c8299230753a74dc30a1e89c8808f9634dad080651de67e515c9e80df1841571965b379e820336b00ea12fd0d888078b3f02d916aeab0ae2e1f942a88d07e6d00556f1bf9f9ca7d9a94e44f9ef25b4b06984c2e14c97e17420afa8be420f8e4b777854e8d75653ec1bdf6eecd595bb4a6aafeb192b11d7c911b0099a3f703cd346039a7c990aa9148c94d319095432ae6c6040191a19a0528b5f0aa7202c58dd18d3238a1b56236042a77a3599c85fcfa0df24647881795b31ac3909b3b7aa549b379d727ef5ea7e592c585965946de9f32fb8a66010a87fff1791dec246561e99c212f26aa6d715853570fe1ac604a751b56716926f151348920efceba4f718c8e813fa733f7bd1504affa89f869b94eefa242b5e086a3c53359062e61dac2e54b7080fd41485843c240f9ae1a665d5cd1d3115f0f439d7e0dacd37ecd6b6f1a37ecc0ffbd0407a0c8037276db19e80da8d02467dbbd0e02d0331b82c963247bd0134ed7b98898a7bb5ada4b45507283f7f6ad18f4b2fd221de85b2a6d6b367255de172b64cba5fdb72df9a2e59b4fb894aa914d82443d314ebbf1a73f48295162ef6997d898c4c9546d20aa07e03482222ec8ab79c19194e79b09dd9837329a133a45d5345e4b57272e09cade85798dde1a06697365cd0bfc76c8a961a54d1391a124073a5b212b23ba38bcbdec3cfca514c14ef26f9876bb28554b8c5dfa81cee479ca0a0107f5f73abb9bad7c6f9b2cc8fec58bcebe6902a3442dc9cb5c8e8f0ff505cc99d2658954521d2316dec06f49f285118ba92e1727ac5b6a560c14c79227403e2f0c3b10d75b95ee58430e75622beb1bda4a4b96edce58f9e4a67a96cbe7881f298018116a0bac125fa80f4c50885cce37e9e5364c29e28cac79d83761eedd4c5fc3d7451af5d3bad62f26aff738f1ec02e9c581d1a6da11529b9517b0a49b07ffded2159e5ae3f28a5eb1ad81042315efdacfb3d0415192ec97bc0770bc3e10a8935f9bc66853294cdded98d4cd06f2b0ff5657b0c200deabc9e9b785d3970414be86592e175dec8c9c1317a332c5913f73d72bde2c4b724bcdca3eddc686a13873b2fe6e71e1c17947f874153c01d19fb422b987c5f71652c62304f3e0de1423b4513e98499d74a86a8f8a096606104489c3dea730867295007ae19e60acf282e40c85171958bba4cb177b38fb4e419f63855bf09615d56fe4c19fa5095fd2c8ef4efb9167b6c2b323961ce981d81eb2eeb36127986d76d544f38fdd4dc9a5167bac363ffa4448e9f95bbb58b0ee10e9cdd1841889b34f19f0571360e6f605e3b3a1c9044881e3f95044754c2870481602bf153111145726f63ed4fc68cdbbae97961a8e2b96b205708fa2a489a0f10ddaa147e6f0d5ce6fcf33cbaff021c298aea6745153b7ac2e545e8458d365db4145fd425ac546a605edfef2813b1b6e6608d8444c78242bb6cdeff8f789305842cd5b5df83c1a2904135b32c9ea70501ce6db40c352a47c8fd0a43d0b6d6443d13fa0c7f731ab42b1cc0c30ae009051316fbd7e1753fe62af91b59fb2dd631c8b099f34da6295a6a6269a0bf502f55f49855ac0179c438244fb019a8e7a951e9131e1f24fbf31822f31a29611ff4e61e1186817b334cb8455a5b43d72526f555e4482d3d28b54aa450eb0ede2a8ff1d1d14dea8dfbe781b922865b93f4bf2c0403f5a9f976d42769a63f7006cc437a9d82e242910dd23740f36428f5d5926f59593dde24470b8332beda7e19171d5f0b4e51fbc3dcaababfd966f2b04a1ec34bc6e20882b2b650a37c36c1f28e3eb65ba235b8b9d4eb7d104b78b8ff6a440fb4925bcb8859e0b10c372c560a53599e8eb925921c65b6556f6e1ac2fffc0dd215f734e9c12d421404669983a00a27178f26798dedf551e27ded4e3af7363a1dfd5188b8baa52d63a2079c08356398e9b803df7fda6cc340efeaeaabf37f6d495136c4ed2960ea2a6586800058b6c9eb8d2e2708a3bdd23e9ecbebbbc0c180f82fbb4f70f5839a75084c09742ae2f44f2395ac9a9fd3b4709756c79f9d920ea8e70a270df4ee583d7f063b81ac29f2ecbbf9f3aebf74e2ff5aa2080d08234e2fa988b8f5bc18e5408c8f2b61fdd26fe3d7141ca0ddc88b9922c7798f0a27f92bfce86693845f119c5ac44a9d001faa7dff85e3734c0bd1f6e6a7c38a837a93bf16879389cacb195eed7338c77e8c45fff92df404ad42c401081432579ea462697c39cda40129c29d5263aad5c20219375cff5f7afefca705f94a4ede10d768dc2beefa9e3a425fb2405ddd764ea8ec207e8ad5cd803ce8e8cf81062b81c9681c168eb8be039c0e5382259d164a9a856f18bfebd02253a8b2286fc951b62efa07ff883aa67bbd71fe5a5f8ff59ccac7940f2b9230e6346ac56f23a504a20114bcffbd88fa41c82e1ed200f686efcce803413cb62886b9277c8d2f1fe468557bdb00da1817a9b28c05f375cc692cfd0a6d41300a342808d02b9be7d3038724c7c4c81f425ac9931230ea0ed557ba9a18cbfd4ad3f48f6be0cabee020de91c04caf81f42edce921323a9d2518ca57c6f43041f9ca24969c035a51519c2e9d11fb9f58360c194bb8c5f6bfe2934b6fbb046eb8ce349181ace48176b8565a20e1c564fe3f08e22cb44d4b812f0b416d4f8dc47e61a7b37226bf70fdb916dde092b8a0b3da555e2660eef420fcd7107fda68f7d63c20d424baf27ec29de89d13576d9a674ca8acfe6568ac19c1f36a5bde468a2d7816289bcd9fefeba899872cd6e8c4e698e44cd613980ccc0b2cdb673aeaccc0de3d636704091d09bdacea065d16393a0529e08970e38c020d30779a3241080a27e2bbd57cf12bd0df308c2aadf5392890a000b7c37ed977a45bfee57b73eb5974bae12d7d03aa86b2ad72eac843ffd52457c8e3e7a960d0f962cc0784ac08a974a2ee51cc208cdda53321eda5f69db9faee863c7cdd8fea7cb39a000cf5d2b375d7e9e1d752e7bd38729e7268e700571f62b9f092483e45c156577acb5ec5eae2b355edfeab33f345ba8ebb010ea44c11ea717f8c84ade3368094692692b2cea7df03a0ea62f609525475b4e144e430a3e021fee65744e26d72aa9f2c8fc99ac6c6a6a9a56a62f667a00341c3ba72792716506afb7fe04cc91ee73019f7664fbb656489bffc678dd337ada4d057015a789d41ff75578b42a7d3f6858bcd2ef925d64b3331230bfccc5ee6a69539409145ce5e79477b4b8a5fd5cc57f2420565bbc187352188edfd1da8fefff93872a8e26ffba95b9cd6aa7d399d3fd3cc843b8c4dde810b64368ff0decb21825fade2c18b4ca0ded11402a90e601ef81237cdc42e168e0da77877bd7f3abec7d1bdf2f5cfa17cf4083cf693902c388b33e44b2b13f124d15d061f669fe717c77adfb918bf9d76203848590b0f1155b032509d1636810e82e6d5fe80641ea564c5eae9dac02bbb66e121d99d9dc331b850fcb2643562cde268cefd38c8938b65908e09a2a8f35bf7f0eb9201a90e53ce8738d420db89762a6c7d9962a6ff7ae8baaa41a51a8bc577b41d6464e3", 0xd2, 0x1000}) fstat(r1, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0}) mount$9p_fd(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000100)='9p\x00', 0x11, &(0x7f0000000700)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@afid={'afid', 0x3d, 0x6}}, {@cache_none='cache=none'}, {@version_L='version=9p2000.L'}, {@access_uid={'access', 0x3d, r4}}, {@cache_none='cache=none'}, {@posixacl='posixacl'}], [{@uid_lt={'uid<', r6}}]}}) r7 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r7, &(0x7f00000005c0)='./file0\x00') 21:37:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4c00000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:14 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9801000000000000]}) 21:37:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x140, [0x40000003]}) [ 663.994651] input: syz1 as /devices/virtual/input/input1845 [ 664.075117] input: syz1 as /devices/virtual/input/input1846 [ 664.096191] binder_transaction: 4 callbacks suppressed [ 664.096210] binder: 4250:4251 got transaction with invalid offset (5476377146882523136, min 0 max 24) or object. [ 664.153739] 9pnet: Insufficient options for proto=fd [ 664.169110] binder_alloc: binder_alloc_mmap_handler: 4250 20001000-20004000 already mapped failed -16 [ 664.185036] binder: BINDER_SET_CONTEXT_MGR already set [ 664.197809] binder: 4250:4251 ioctl 40046207 0 returned -16 21:37:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x2c, [0x40000003]}) 21:37:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x1400000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 664.224253] 9pnet: Insufficient options for proto=fd [ 664.224374] binder: undelivered TRANSACTION_ERROR: 29201 [ 664.236410] binder: undelivered TRANSACTION_ERROR: 29189 [ 664.251600] 9pnet: Insufficient options for proto=fd [ 664.324961] 9pnet: Insufficient options for proto=fd [ 664.350117] 9pnet: Insufficient options for proto=fd [ 664.366661] 9pnet: Insufficient options for proto=fd [ 664.372156] binder: 4269:4271 got transaction with invalid offset (1441151880758558720, min 0 max 24) or object. [ 664.402727] binder_alloc: binder_alloc_mmap_handler: 4269 20001000-20004000 already mapped failed -16 [ 664.412899] binder: BINDER_SET_CONTEXT_MGR already set [ 664.419704] binder: 4269:4271 ioctl 40046207 0 returned -16 [ 664.427204] binder: undelivered TRANSACTION_ERROR: 29201 [ 664.434089] binder: undelivered TRANSACTION_ERROR: 29189 21:37:14 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_ASSIGN_SET_MSIX_ENTRY(r1, 0x4010ae74, &(0x7f0000000140)={0x7fffffff, 0x800, 0x64}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x9, 0xd3b61b0c4124697, r1, 0x0) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:14 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x79010000]}) 21:37:14 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd7f80000}, 'syz0\x00'}) 21:37:14 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RSYMLINK(r2, &(0x7f0000000080)={0x14, 0x11, 0x2, {0x4, 0x2, 0x6}}, 0x14) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x300000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:14 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x7b01000000000000, [0x40000003]}) [ 664.578211] binder: 4285:4286 got transaction with invalid offset (216172782113783808, min 0 max 24) or object. [ 664.613216] input: syz1 as /devices/virtual/input/input1847 21:37:15 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) syz_open_dev$sndpcmp(&(0x7f0000000080)='/dev/snd/pcmC#D#p\x00', 0x4, 0x600) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:15 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x9e000000]}) [ 664.685147] input: syz1 as /devices/virtual/input/input1848 [ 664.688586] binder_transaction: 20 callbacks suppressed [ 664.688604] binder: 4285:4286 transaction failed 29201/-22, size 24-8 line 3033 21:37:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x2c00000000000000, [0x40000003]}) [ 664.738437] binder_alloc: binder_alloc_mmap_handler: 4285 20001000-20004000 already mapped failed -16 [ 664.785237] binder: BINDER_SET_CONTEXT_MGR already set [ 664.812893] binder: 4285:4286 ioctl 40046207 0 returned -16 21:37:15 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd901]}) 21:37:15 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x20) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000080)='9p\x00', 0x0, &(0x7f0000000180)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) r3 = syz_open_dev$admmidi(&(0x7f00000001c0)='/dev/admmidi#\x00', 0x4, 0x1) ioctl$RTC_PIE_OFF(r3, 0x7006) write$P9_RWALK(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="230000006f010002000000000000000000000000000000000000000000000000000000cf24535c07106997ac16ed8c2cfdb74b4eec4a8b9c73fdeb12d052b21a652a9a37795fc0c4a2020d4e9e5a4c3b102c18b9a71b151e25f51520ae8f538f425eea2a7a70bcf796f1062be3304c9064106172d44abe925a15fad74fb41af70f250c9b895120a8bb76276ebe6fb8da9898ccf1f7d11e9d4ba75336d6879bd5e412ddbcc1fb41477b7a1bfed5a46ef3777d7f5f998ed0f7d865acf98330120b171b9aa606e4"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{0x4}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') pipe2$9p(&(0x7f00000002c0), 0x80000) [ 664.857214] binder_alloc_new_buf_locked: 5 callbacks suppressed [ 664.857222] binder_alloc: 4285: binder_alloc_buf, no vma 21:37:15 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8e1}, 'syz0\x00'}) [ 664.917130] binder: 4285:4311 transaction failed 29189/-3, size 24-8 line 2970 [ 665.036799] input: syz1 as /devices/virtual/input/input1849 [ 665.112537] input: syz1 as /devices/virtual/input/input1850 21:37:15 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) prctl$seccomp(0x16, 0x3, &(0x7f00000001c0)={0x6, &(0x7f0000000140)=[{0x1e, 0x8, 0x0, 0xffff}, {0x7fffffff, 0x4f6, 0x10001, 0x1}, {0x6, 0x0, 0x36c, 0x1f}, {0x9, 0x6, 0x9, 0x4}, {0x7, 0x7fffffff, 0x6, 0x800}, {0x82b, 0x7, 0x8, 0xffffffffffff04b1}]}) close(r0) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xde01, [0x40000003]}) 21:37:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x700]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:15 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) listen(r0, 0xf0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) r5 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x404040) ioctl$VT_DISALLOCATE(r5, 0x5608) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:15 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x221001c000000000]}) 21:37:15 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8db}, 'syz0\x00'}) [ 665.359795] binder: 4332:4339 got transaction with invalid offset (1792, min 0 max 24) or object. 21:37:15 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 665.423385] binder: 4332:4339 transaction failed 29201/-22, size 24-8 line 3033 [ 665.456690] binder_alloc: binder_alloc_mmap_handler: 4332 20001000-20004000 already mapped failed -16 21:37:15 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2ff]}) 21:37:15 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xff0b, [0x40000003]}) [ 665.481200] input: syz1 as /devices/virtual/input/input1851 [ 665.487456] binder: BINDER_SET_CONTEXT_MGR already set [ 665.506595] binder: 4332:4339 ioctl 40046207 0 returned -16 [ 665.521063] binder_alloc: 4332: binder_alloc_buf, no vma [ 665.565799] binder: 4332:4347 transaction failed 29189/-3, size 24-8 line 2970 [ 665.573696] input: syz1 as /devices/virtual/input/input1852 21:37:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x68]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:16 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$FS_IOC_GETFSLABEL(r1, 0x81009431, &(0x7f0000000440)) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:16 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8000a0ffffffff]}) 21:37:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4001, [0x40000003]}) 21:37:16 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = dup3(r0, r1, 0x0) getsockopt$bt_BT_VOICE(r3, 0x112, 0xb, &(0x7f0000000080)=0x8, &(0x7f0000000180)=0x2) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)=ANY=[@ANYBLOB="230000006f0100020000000000000000000680000000000000200000003c04c11ede4c"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 665.759015] binder: 4368:4369 got transaction with invalid offset (104, min 0 max 24) or object. [ 665.804566] binder: 4368:4369 transaction failed 29201/-22, size 24-8 line 3033 21:37:16 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xbef80000}, 'syz0\x00'}) [ 665.851008] binder_alloc: binder_alloc_mmap_handler: 4368 20001000-20004000 already mapped failed -16 21:37:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc001020b, [0x40000003]}) [ 665.901907] binder: BINDER_SET_CONTEXT_MGR already set [ 665.951823] binder: 4368:4369 ioctl 40046207 0 returned -16 [ 665.963247] binder: 4368:4381 transaction failed 29189/-22, size 24-8 line 2855 21:37:16 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000140)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0x9, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:16 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x150001c000000000]}) [ 665.996135] input: syz1 as /devices/virtual/input/input1853 [ 666.029606] input: syz1 as /devices/virtual/input/input1854 21:37:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x200000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:16 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) openat$smack_task_current(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/attr/current\x00', 0x2, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000940)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3, @ANYBLOB="392c00ef266805a9bd7edf1128811cc146d6a76bd9fd1d3f9a40c30563403c111b3eacc79eab919da21c2aab09574528b54e716ff6113430c05dd4000ba47e1fa8240b90e39dbcaa3a4e2af7bc2c9d928c4b731edc6e68da22dd2be4e5389293"]) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000001c0)=ANY=[@ANYBLOB="0b00008cae0029010000000000"], 0xb) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f00000002c0)={r1}) r5 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000400)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DEST(r4, &(0x7f00000004c0)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x120000}, 0xc, &(0x7f0000000440)={&(0x7f0000000700)={0x114, r5, 0x10, 0x70bd29, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_DEST={0x14, 0x2, [@IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x200}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xdf}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x2000000}, @IPVS_CMD_ATTR_DAEMON={0x38, 0x3, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x20}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @local}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x4}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e21}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xff}, @IPVS_CMD_ATTR_SERVICE={0x30, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x8}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x16}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x6}}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x100}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x38, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'nq\x00'}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x88}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@broadcast}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x1}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x7}, @IPVS_CMD_ATTR_DAEMON={0x24, 0x3, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e23}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x5}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x911d}]}]}, 0x114}, 0x1, 0x0, 0x0, 0x1}, 0x10) ioctl$EXT4_IOC_GROUP_ADD(r0, 0x40286608, &(0x7f0000000080)={0x7, 0x0, 0x7, 0x7f, 0x33d, 0x5}) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') 21:37:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x80ffff00000000, [0x40000003]}) 21:37:16 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x170101c0]}) [ 666.213388] binder: 4405:4407 got transaction with invalid offset (144115188075855872, min 0 max 24) or object. 21:37:16 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe4f8000000000000}, 'syz0\x00'}) [ 666.258250] binder: 4405:4407 transaction failed 29201/-22, size 24-8 line 3033 [ 666.281702] binder_alloc: binder_alloc_mmap_handler: 4405 20001000-20004000 already mapped failed -16 [ 666.333487] binder: BINDER_SET_CONTEXT_MGR already set 21:37:16 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0xfffffffffffffffe) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:16 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) r3 = syz_open_dev$admmidi(&(0x7f0000000140)='/dev/admmidi#\x00', 0x1, 0x102) ioctl$SG_GET_TIMEOUT(r3, 0x2202, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) bind$rds(r3, &(0x7f00000001c0)={0x2, 0x4e23, @remote}, 0x10) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 666.366601] binder: 4405:4407 ioctl 40046207 0 returned -16 [ 666.399553] input: syz1 as /devices/virtual/input/input1855 [ 666.406526] binder_alloc: 4405: binder_alloc_buf, no vma 21:37:16 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1700000000000000, [0x40000003]}) [ 666.425723] binder: 4405:4425 transaction failed 29189/-3, size 24-8 line 2970 [ 666.468505] input: syz1 as /devices/virtual/input/input1856 [ 666.509910] 9pnet: Insufficient options for proto=fd 21:37:16 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2a1001c0]}) [ 666.544036] 9pnet: Insufficient options for proto=fd 21:37:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x68000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 666.566565] 9pnet: Insufficient options for proto=fd [ 666.584516] 9pnet: Insufficient options for proto=fd 21:37:17 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000940)=ANY=[@ANYBLOB="2a0000002901000000000000000000000000000000816f67df334a01475abbe319918bd10473d872409e892e0697000000000000000000000007002e2f44696c65302b81c7843b1880a661297db430efed005a2a3c291b15e99ffa0d9a0073dc8ae3fce8422ffeb1120038fe6633deb37fe0753eb374e3ff795bf575c2ab5f90d5d486a6694c59bcb30ab80921106312bfbe23c99d8ed2dfc2449c651557b10cdbcaf150f9223e773a4cc7cf5ac9c48432eca16a38b0f2f7e57b5923891fc3a954b8db5de4be2532ce08f567f33ffc97c9a5396798a124482f1cbf03e561179e7492ec1b84cb92a029bf08f1203fe01bf18bb44044938d961fb79703f4ea6ac762e945c832844f42c430a0f8f413369d972757371d39abbc7ba27d88a42afb569c02211bc866190ff879190286fb17c4bf5c6a25525751b6a92201473d5b7d28db50f4f56df9c45be3fd0a55d4bbecdba872d6a52d19cc8c861aad1ab2272b83f3f59b60f57cf9df7326b92a399ecf4b4ab94f19b669af756332974c4c9ecf55902687254935345ab54f7d2afe57654b78717991375b39dc7548b30588e064ec5fa22a4b548852bc4f772d00f8d7"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:17 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x88000000}, 'syz0\x00'}) 21:37:17 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1e01000000000000, [0x40000003]}) 21:37:17 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2000000]}) [ 666.737973] binder: 4450:4451 got transaction with invalid offset (1744830464, min 0 max 24) or object. 21:37:17 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19ce0c620100ffff8f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) pipe(&(0x7f0000000140)={0xffffffffffffffff}) ioctl$LOOP_GET_STATUS(r3, 0x4c03, &(0x7f00000001c0)) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 666.784691] input: syz1 as /devices/virtual/input/input1857 [ 666.798347] binder: 4450:4451 transaction failed 29201/-22, size 24-8 line 3033 21:37:17 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="88f600006e6f08", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) clock_gettime(0x0, &(0x7f00000041c0)={0x0, 0x0}) recvmmsg(r0, &(0x7f0000004040)=[{{&(0x7f0000000400)=@vsock, 0x80, &(0x7f0000000180)=[{&(0x7f0000000080)=""/47, 0x2f}, {&(0x7f0000000940)=""/4096, 0x1000}], 0x2, &(0x7f00000002c0)=""/23, 0x17, 0x5}, 0x1}, {{&(0x7f00000004c0)=@nfc, 0x80, &(0x7f0000002e80)=[{&(0x7f0000000380)=""/36, 0x24}, {&(0x7f0000000700)=""/63, 0x3f}, {&(0x7f0000000740)=""/217, 0xd9}, {&(0x7f0000001940)=""/254, 0xfe}, {&(0x7f0000001a40)=""/215, 0xd7}, {&(0x7f0000001b40)=""/247, 0xf7}, {&(0x7f0000001c40)=""/189, 0xbd}, {&(0x7f0000001d00)=""/67, 0x43}, {&(0x7f0000001d80)=""/4096, 0x1000}, {&(0x7f0000002d80)=""/231, 0xe7}], 0xa, &(0x7f0000002f40)=""/82, 0x52, 0x3c}, 0x9}, {{0x0, 0x0, &(0x7f0000003340)=[{&(0x7f00000008c0)=""/48, 0x30}, {&(0x7f0000002fc0)=""/61, 0x3d}, {&(0x7f0000003000)=""/119, 0x77}, {&(0x7f0000003080)=""/10, 0xa}, {&(0x7f00000030c0)=""/61, 0x3d}, {&(0x7f0000003100)=""/132, 0x84}, {&(0x7f00000031c0)=""/104, 0x68}, {&(0x7f0000003240)=""/226, 0xe2}], 0x8, &(0x7f00000033c0)=""/126, 0x7e, 0x7c81ba0a}, 0x4}, {{&(0x7f0000003440)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @broadcast}}}, 0x80, &(0x7f0000003780)=[{&(0x7f00000034c0)=""/11, 0xb}, {&(0x7f0000003500)=""/38, 0x26}, {&(0x7f0000003540)=""/182, 0xb6}, {&(0x7f0000003600)=""/213, 0xd5}, {&(0x7f0000003700)=""/68, 0x44}], 0x5, 0x0, 0x0, 0x81}, 0x7}, {{0x0, 0x0, &(0x7f0000003d40)=[{&(0x7f0000003800)=""/122, 0x7a}, {&(0x7f0000003880)=""/70, 0x46}, {&(0x7f0000003900)}, {&(0x7f0000003940)=""/3, 0x3}, {&(0x7f0000003980)=""/197, 0xc5}, {&(0x7f0000003a80)=""/172, 0xac}, {&(0x7f0000003b40)=""/115, 0x73}, {&(0x7f0000003bc0)=""/102, 0x66}, {&(0x7f0000003c40)=""/228, 0xe4}], 0x9, 0x0, 0x0, 0xb9f}, 0x6}, {{&(0x7f0000003e00)=@vsock={0x28, 0x0, 0x0, @hyper}, 0x80, &(0x7f0000003f40)=[{&(0x7f0000003e80)=""/192, 0xc0}], 0x1, &(0x7f0000003f80)=""/170, 0xaa, 0x8}, 0x4}], 0x6, 0x40010000, &(0x7f0000004200)={r3, r4+10000000}) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) ioctl$FS_IOC_GETVERSION(r5, 0x80087601, &(0x7f0000003900)) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') [ 666.849700] input: syz1 as /devices/virtual/input/input1858 [ 666.877076] binder_alloc: binder_alloc_mmap_handler: 4450 20001000-20004000 already mapped failed -16 [ 666.922968] binder: BINDER_SET_CONTEXT_MGR already set 21:37:17 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x130101c0, [0x40000003]}) 21:37:17 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7601]}) [ 666.960811] binder: 4450:4451 ioctl 40046207 0 returned -16 [ 666.986303] binder: 4450:4473 transaction failed 29189/-22, size 24-8 line 2855 [ 667.002023] 9pnet: Insufficient options for proto=fd 21:37:17 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x790c0000}, 'syz0\x00'}) 21:37:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 667.144474] binder: 4491:4493 got transaction with invalid offset (67108864, min 0 max 24) or object. 21:37:17 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xdb01000000000000, [0x40000003]}) 21:37:17 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$FS_IOC_GETFSLABEL(r1, 0x81009431, &(0x7f00000003c0)) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text32={0x20, &(0x7f0000000200)="660f3881789cb911090000b891afb215ba000000000f30660f38817ef8660fea9cfd00000000b9130600000f3266baf80cb8416b3f8eef66bafc0cec66b8cc000f00d8f30f5bf30f01753626260fe1b50000c0fe"}], 0x4f1, 0x0, &(0x7f00000001c0), 0x100000000000018b) ioctl$KVM_ASSIGN_DEV_IRQ(r1, 0x4040ae70, &(0x7f0000000140)={0x200000, 0x200, 0x3f, 0x703}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:17 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x179]}) [ 667.198848] input: syz1 as /devices/virtual/input/input1859 [ 667.240102] binder: BINDER_SET_CONTEXT_MGR already set [ 667.261875] binder_alloc: 4491: binder_alloc_buf, no vma [ 667.281819] input: syz1 as /devices/virtual/input/input1860 [ 667.284978] binder: 4491:4493 ioctl 40046207 0 returned -16 21:37:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x2]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:17 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000103]}) 21:37:17 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x410101c0, [0x40000003]}) 21:37:17 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x1f00}, 'syz0\x00'}) [ 667.445012] binder: 4512:4515 got transaction with invalid offset (2, min 0 max 24) or object. [ 667.494934] binder: BINDER_SET_CONTEXT_MGR already set [ 667.526855] binder_alloc: 4512: binder_alloc_buf, no vma [ 667.547241] binder: 4512:4515 ioctl 40046207 0 returned -16 [ 667.567769] input: syz1 as /devices/virtual/input/input1861 [ 667.620010] input: syz1 as /devices/virtual/input/input1862 [ 667.784064] 9pnet: Insufficient options for proto=fd 21:37:18 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB="2c00477ee0d63f5781291c4644ea59dd8dff4525b61f2c"]) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:18 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) getsockopt$sock_cred(0xffffffffffffff9c, 0x1, 0x11, &(0x7f00000001c0)={0x0}, &(0x7f0000000240)=0xc) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000340)='/dev/null\x00', 0x4000, 0x0) setsockopt$nfc_llcp_NFC_LLCP_MIUX(r1, 0x118, 0x1, &(0x7f0000000380), 0x4) r2 = syz_open_procfs(r0, &(0x7f00000002c0)='io\x00') r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x3fff, 0x0) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r4, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r5, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r4, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$BLKPBSZGET(r2, 0x127b, &(0x7f0000000300)) ioctl$KVM_SET_PIT2(r4, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r5, 0xae80, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x40000, 0x0) 21:37:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x400000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:18 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x130101c0]}) 21:37:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x900d, [0x40000003]}) 21:37:18 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc4f8}, 'syz0\x00'}) [ 667.896457] input: syz1 as /devices/virtual/input/input1863 [ 667.905529] binder: 4535:4536 got transaction with invalid offset (288230376151711744, min 0 max 24) or object. 21:37:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x8b00, [0x40000003]}) 21:37:18 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_open_dev$sndpcmc(&(0x7f0000000140)='/dev/snd/pcmC#D#c\x00', 0x10000, 0x2000) ioctl$KVM_SET_TSC_KHZ(r2, 0xaea2, 0xffffffffffffffc0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) write$FUSE_POLL(r2, &(0x7f00000001c0)={0x18, 0x0, 0x3, {0x8}}, 0x18) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 667.948734] binder: BINDER_SET_CONTEXT_MGR already set [ 667.964951] input: syz1 as /devices/virtual/input/input1864 21:37:18 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xff020000]}) [ 668.011573] binder: 4535:4536 ioctl 40046207 0 returned -16 21:37:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x500000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:18 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) pipe2$9p(&(0x7f0000000080), 0x80000) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) r4 = dup(r3) ioctl$KVM_GET_PIT(r4, 0xc048ae65, &(0x7f0000000400)) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:18 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd7f8000000000000}, 'syz0\x00'}) 21:37:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0000080, [0x40000003]}) [ 668.202747] binder: BINDER_SET_CONTEXT_MGR already set 21:37:18 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2c00]}) [ 668.240111] binder_alloc: 4568: binder_alloc_buf, no vma [ 668.264215] binder: 4568:4570 ioctl 40046207 0 returned -16 [ 668.279417] input: syz1 as /devices/virtual/input/input1865 [ 668.334340] input: syz1 as /devices/virtual/input/input1866 21:37:18 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)=ANY=[@ANYBLOB="2a0000002901000000010000000000000000000000000000000000000007002e2f66696c6530"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') r4 = syz_open_dev$usbmon(&(0x7f0000000080)='/dev/usbmon#\x00', 0x101, 0x301200) getsockopt$IP6T_SO_GET_REVISION_MATCH(r4, 0x29, 0x44, &(0x7f0000000180)={'ipvs\x00'}, &(0x7f00000002c0)=0x1e) 21:37:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x20000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:18 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x14d564b, [0x40000003]}) [ 668.479880] binder_alloc_mmap_handler: 4 callbacks suppressed [ 668.479899] binder_alloc: binder_alloc_mmap_handler: 4592 20001000-20004000 already mapped failed -16 21:37:18 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcff80000}, 'syz0\x00'}) 21:37:18 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3a]}) [ 668.525580] binder: BINDER_SET_CONTEXT_MGR already set [ 668.559835] binder: 4592:4593 ioctl 40046207 0 returned -16 [ 668.586468] binder_alloc: 4592: binder_alloc_buf, no vma [ 668.628798] binder_release_work: 17 callbacks suppressed [ 668.628805] binder: undelivered TRANSACTION_ERROR: 29201 [ 668.636799] binder: undelivered TRANSACTION_ERROR: 29189 [ 668.670826] input: syz1 as /devices/virtual/input/input1867 [ 668.694678] input: syz1 as /devices/virtual/input/input1868 21:37:19 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0xfffffffffffffff7}]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:19 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)=ANY=[@ANYBLOB="230000006f010002000000000000000000000000040000000000000000000000000000"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4800, [0x40000003]}) 21:37:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7400]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:19 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x10]}) 21:37:19 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8e3}, 'syz0\x00'}) [ 668.939803] binder_alloc: binder_alloc_mmap_handler: 4617 20001000-20004000 already mapped failed -16 [ 668.977459] binder: BINDER_SET_CONTEXT_MGR already set [ 668.998264] binder: 4617:4623 ioctl 40046207 0 returned -16 [ 669.011110] binder_alloc: 4617: binder_alloc_buf, no vma [ 669.017183] binder: undelivered TRANSACTION_ERROR: 29201 [ 669.029164] binder: undelivered TRANSACTION_ERROR: 29189 21:37:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xa00]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x7901, [0x40000003]}) 21:37:19 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xb700004000000000]}) 21:37:19 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) fsetxattr$security_evm(r0, &(0x7f0000000080)='security.evm\x00', &(0x7f0000000400)=@v2={0x3, 0x2, 0x12, 0x100000000, 0x3d, "600cc41210579888f43064f36081a99687d3304122afb4f3deeea0341afc0513fe7432870c1e8240f09d9ff86db76f4756f3a1ae7327d5faa9a62dae43"}, 0x47, 0x2) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@uname={'uname', 0x3d, '2,GPL'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f0000000180)='./file0\x00') [ 669.052324] input: syz1 as /devices/virtual/input/input1869 [ 669.087242] input: syz1 as /devices/virtual/input/input1870 [ 669.141760] binder_transaction: 3 callbacks suppressed [ 669.141774] binder: 4644:4647 got transaction with invalid offset (2560, min 0 max 24) or object. [ 669.185730] binder_alloc: binder_alloc_mmap_handler: 4644 20001000-20004000 already mapped failed -16 [ 669.196297] binder: BINDER_SET_CONTEXT_MGR already set [ 669.216401] binder_alloc: 4644: binder_alloc_buf, no vma [ 669.223529] binder: 4644:4647 ioctl 40046207 0 returned -16 21:37:19 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xb7000040]}) [ 669.237714] binder: undelivered TRANSACTION_ERROR: 29201 [ 669.245119] binder: undelivered TRANSACTION_ERROR: 29189 21:37:19 executing program 1: r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000140)='/dev/snapshot\x00', 0x4000, 0x0) ioctl$KVM_SET_FPU(r0, 0x41a0ae8d, &(0x7f0000000440)={[], 0xfffffffffffff4c1, 0x8, 0x6, 0x0, 0x0, 0x11f001}) setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19cee362fc4741548f"], 0xc, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f00000001c0)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r0, 0xae80, 0x0) ioctl$SCSI_IOCTL_START_UNIT(r0, 0x5) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000002c0)={[0x7ff, 0xfd, 0x1ff, 0x2fbb, 0x5, 0xc45, 0x8, 0x0, 0x154, 0x7, 0xa, 0x8, 0x1000, 0x2, 0x2, 0x8001], 0x10f003, 0x40000}) 21:37:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0xfffffdfd]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xcd00000000000000, [0x40000003]}) 21:37:19 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd6f80000}, 'syz0\x00'}) [ 669.408392] binder: 4660:4663 got transaction with invalid offset (4294966781, min 0 max 24) or object. 21:37:19 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = syz_open_procfs(0x0, &(0x7f0000000080)='net/ipv6_route\x00') ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r3, 0x404c534a, &(0x7f0000000400)={0x0, 0x8fc, 0xfffffffffffffffd}) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:19 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x800000c0]}) [ 669.483703] input: syz1 as /devices/virtual/input/input1871 [ 669.505722] binder_alloc: binder_alloc_mmap_handler: 4660 20001000-20004000 already mapped failed -16 [ 669.515260] binder: BINDER_SET_CONTEXT_MGR already set 21:37:19 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x120101c000000000, [0x40000003]}) [ 669.548746] binder: 4660:4663 ioctl 40046207 0 returned -16 [ 669.554802] binder_alloc: 4660: binder_alloc_buf, no vma [ 669.560858] binder: undelivered TRANSACTION_ERROR: 29201 [ 669.571161] input: syz1 as /devices/virtual/input/input1872 [ 669.576710] binder: undelivered TRANSACTION_ERROR: 29189 21:37:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:20 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc9f8000000000000}, 'syz0\x00'}) 21:37:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xda0, [0x40000003]}) 21:37:20 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$int_in(r0, 0x5452, &(0x7f0000000140)=0x1ff) [ 669.751741] binder: 4694:4695 got transaction with invalid offset (4, min 0 max 24) or object. 21:37:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc200]}) 21:37:20 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x3, [{{}, 0x2, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000900)='9p\x00', 0xfffffffffffffffc, &(0x7f0000000400)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) get_thread_area(&(0x7f0000000000)={0xffffffff, 0x20001000, 0x4000, 0xfff, 0x6, 0xffffffffffff7fff, 0x0, 0x5, 0x7ff, 0x5}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 669.802834] binder_transaction: 15 callbacks suppressed [ 669.802854] binder: 4694:4695 transaction failed 29201/-22, size 24-8 line 3033 [ 669.883475] binder_alloc: binder_alloc_mmap_handler: 4694 20001000-20004000 already mapped failed -16 [ 669.903194] input: syz1 as /devices/virtual/input/input1873 [ 669.928584] input: syz1 as /devices/virtual/input/input1874 21:37:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x187, [0x40000003]}) [ 669.976916] binder: BINDER_SET_CONTEXT_MGR already set [ 669.976941] binder_alloc: 4694: binder_alloc_buf, no vma 21:37:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010140]}) [ 670.037755] binder: undelivered TRANSACTION_ERROR: 29201 [ 670.039681] binder: 4694:4708 transaction failed 29189/-3, size 24-8 line 2970 [ 670.051253] binder: 4694:4695 ioctl 40046207 0 returned -16 21:37:20 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r4 = fcntl$dupfd(r0, 0x0, r0) write$USERIO_CMD_SEND_INTERRUPT(r4, &(0x7f0000000080)={0x2, 0x5}, 0x2) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 670.102072] binder: undelivered TRANSACTION_ERROR: 29189 21:37:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x14]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:20 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe5f8}, 'syz0\x00'}) 21:37:20 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) fchdir(r2) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x175, [0x40000003]}) [ 670.251269] binder: 4733:4735 got transaction with invalid offset (20, min 0 max 24) or object. [ 670.267507] binder: 4733:4735 transaction failed 29201/-22, size 24-8 line 3033 21:37:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0011022]}) 21:37:20 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x2400, 0x0) setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f0000000180)=0x8, 0x4) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140, {0x200}, 0x96, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 670.321377] binder_alloc: binder_alloc_mmap_handler: 4733 20001000-20004000 already mapped failed -16 [ 670.356285] input: syz1 as /devices/virtual/input/input1875 [ 670.402507] input: syz1 as /devices/virtual/input/input1876 [ 670.408061] binder: BINDER_SET_CONTEXT_MGR already set [ 670.423739] binder: 4733:4735 ioctl 40046207 0 returned -16 [ 670.440186] binder_alloc: 4733: binder_alloc_buf, no vma [ 670.475513] binder: 4733:4754 transaction failed 29189/-3, size 24-8 line 2970 21:37:20 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xb0201c0, [0x40000003]}) 21:37:20 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19ce0c62fc3e41549f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x5]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:20 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2000000000000]}) 21:37:21 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8bc}, 'syz0\x00'}) 21:37:21 executing program 2: socketpair$unix(0x1, 0x100000002, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) r3 = syz_open_dev$mice(&(0x7f00000002c0)='/dev/input/mice\x00', 0x0, 0x40) symlinkat(&(0x7f0000000180)='./file0\x00', r3, &(0x7f0000000380)='./file0\x00') write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 670.678757] binder: 4768:4769 got transaction with invalid offset (5, min 0 max 24) or object. [ 670.720477] binder: 4768:4769 transaction failed 29201/-22, size 24-8 line 3033 [ 670.732813] input: syz1 as /devices/virtual/input/input1877 [ 670.766905] binder_alloc: binder_alloc_mmap_handler: 4768 20001000-20004000 already mapped failed -16 [ 670.794214] binder: BINDER_SET_CONTEXT_MGR already set [ 670.806392] input: syz1 as /devices/virtual/input/input1878 21:37:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc100, [0x40000003]}) [ 670.835818] binder: 4768:4769 ioctl 40046207 0 returned -16 [ 670.858915] binder_alloc: 4768: binder_alloc_buf, no vma 21:37:21 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = getegid() write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1, {0x0, {0xfffffffffffffffe}, 0x0, 0x0, r3, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfff, 0x0, 0x0, 0x0, 0xfffffffffffffeff, 0x0, 0x400000000000000, 0x1}}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) getsockopt$inet6_dccp_int(r4, 0x21, 0xa, &(0x7f0000000080), &(0x7f0000000180)=0x4) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x48000000]}) [ 670.903503] binder: 4768:4788 transaction failed 29189/-3, size 24-8 line 2970 21:37:21 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f00000001c0)=ANY=[@ANYBLOB="a5d1273428c69f94391c086de82f7ab89f14c433557d94964f288052bb6381faab8e1d876ca51940d91c64d111beee3945727b995d62ec771959d339e3440f107f9341083feb097227f0b126716952d4dc94770e0b9792459dc47300e877"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) socketpair$inet_udp(0x2, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$IPT_SO_GET_REVISION_MATCH(r3, 0x0, 0x42, &(0x7f0000000140)={'ipvs\x00'}, &(0x7f0000000240)=0x1e) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x100000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:21 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffff97}, 'syz0\x00'}) 21:37:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc001102a, [0x40000003]}) [ 671.078697] binder: 4802:4803 got transaction with invalid offset (72057594037927936, min 0 max 24) or object. [ 671.089368] binder: 4802:4803 transaction failed 29201/-22, size 24-8 line 3033 [ 671.112417] binder_alloc: binder_alloc_mmap_handler: 4802 20001000-20004000 already mapped failed -16 21:37:21 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000440)={0xffffffffffffffff, 0xffffffffffffffff}, 0x803) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000080)='./file0\x00', 0x18) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) r3 = getuid() getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000700)={{{@in6=@remote, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in6=@remote}}, &(0x7f0000000380)=0xe8) mount$9p_fd(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000300)='9p\x00', 0x0, &(0x7f0000000940)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r0}, 0x2c, {[{@loose='loose'}], [{@context={'context', 0x3d, 'system_u'}}, {@euid_eq={'euid', 0x3d, r3}}, {@smackfshat={'smackfshat', 0x3d, 'GPL{$cpusetmd5summime_type'}}, {@fowner_lt={'fowner<', r4}}, {@mask={'mask', 0x3d, 'MAY_READ'}}]}}) r5 = syz_open_dev$sndpcmc(&(0x7f0000000180)='/dev/snd/pcmC#D#c\x00', 0xfffffffffffffffc, 0x103840) faccessat(r5, &(0x7f00000002c0)='./file0\x00', 0x2, 0x800) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') [ 671.152044] binder: BINDER_SET_CONTEXT_MGR already set [ 671.162322] binder: 4802:4803 ioctl 40046207 0 returned -16 [ 671.181206] binder_alloc: 4802: binder_alloc_buf, no vma [ 671.186941] binder: 4802:4806 transaction failed 29189/-3, size 24-8 line 2970 21:37:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8004]}) 21:37:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x1200000000000000]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 671.207770] input: syz1 as /devices/virtual/input/input1879 [ 671.298203] input: syz1 as /devices/virtual/input/input1880 21:37:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x8b000000, [0x40000003]}) [ 671.338571] binder: 4827:4828 got transaction with invalid offset (1297036692682702848, min 0 max 24) or object. 21:37:21 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc001001f]}) [ 671.387559] 9pnet: Insufficient options for proto=fd [ 671.406728] 9pnet: Insufficient options for proto=fd [ 671.413997] binder: 4827:4828 transaction failed 29201/-22, size 24-8 line 3033 21:37:21 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000440)={0x0, 0x0}, &(0x7f00000004c0)=0xc) stat(&(0x7f0000000500)='./file0\x00', &(0x7f0000000700)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) mount$9p_fd(0x0, &(0x7f0000000080)='./file0/file0\x00', &(0x7f0000000180)='9p\x00', 0x2080c, &(0x7f0000000940)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r0}, 0x2c, {[{@uname={'uname', 0x3d, 'rfdno'}}, {@cache_loose='cache=loose'}, {@cache_none='cache=none'}, {@aname={'aname'}}, {@cache_loose='cache=loose'}, {@aname={'aname', 0x3d, 'wfdno'}}, {@dfltuid={'dfltuid'}}, {@access_uid={'access', 0x3d, r4}}, {@dfltuid={'dfltuid', 0x3d, r5}}, {@noextend='noextend'}], [{@obj_role={'obj_role', 0x3d, '$'}}, {@dont_measure='dont_measure'}]}}) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) r7 = dup2(r0, r1) mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000380)='9p\x00', 0x20, &(0x7f0000000a40)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r0}, 0x2c, {[{@fscache='fscache'}, {@dfltgid={'dfltgid', 0x3d, r6}}, {@dfltuid={'dfltuid', 0x3d, r4}}, {@aname={'aname', 0x3d, 'security,trusted,(*#ppp1procsystemselinuxeth1\'wlan0'}}], [{@fscontext={'fscontext', 0x3d, 'sysadm_u'}}, {@fsname={'fsname', 0x3d, '%*posix_acl_access'}}, {@smackfshat={'smackfshat', 0x3d, 'cache=none'}}]}}) getsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r7, 0x84, 0x12, &(0x7f0000000780), &(0x7f00000007c0)=0x4) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)=ANY=[@ANYBLOB="2a00000029010000000000000000000000000000fa00000000000000000000000007002e2f66696c6530"], 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r8 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r8, &(0x7f00000005c0)='./file0\x00') [ 671.459317] binder_alloc: binder_alloc_mmap_handler: 4827 20001000-20004000 already mapped failed -16 [ 671.459518] binder: BINDER_SET_CONTEXT_MGR already set [ 671.484554] binder_alloc: 4827: binder_alloc_buf, no vma 21:37:21 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000140)=ANY=[@ANYBLOB="0400ed19115d6e304e9e91f20c62123e41548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) recvmsg$kcm(0xffffffffffffff9c, &(0x7f0000000600)={&(0x7f0000000300)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @ipv4={[], [], @multicast2}}}}, 0x80, &(0x7f0000000500)=[{&(0x7f0000000440)=""/105, 0x69}, {&(0x7f00000004c0)=""/16, 0x10}], 0x2, &(0x7f0000000540)=""/187, 0xbb, 0xa27}, 0x10002) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f00000006c0)={&(0x7f0000000640)=""/104, 0x0, 0x1000, 0xde7d}, 0x18) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3}]}) ioctl$FITRIM(r0, 0xc0185879, &(0x7f00000001c0)={0x2bf, 0x3, 0x1}) r4 = openat$cgroup_ro(r2, &(0x7f0000000100)='cpuacct.usage_percpu\x00', 0x0, 0x0) setsockopt$inet_msfilter(r4, 0x0, 0x29, &(0x7f0000000240)={@dev={0xac, 0x14, 0x14, 0x13}, @loopback, 0x1, 0x1, [@multicast1]}, 0x14) ioctl$sock_inet_sctp_SIOCINQ(r4, 0x541b, &(0x7f0000000200)) ioctl$KVM_RUN(r2, 0xae80, 0x0) setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r4, 0x84, 0x8, &(0x7f00000002c0)=0x3, 0x4) [ 671.504134] binder: 4827:4828 ioctl 40046207 0 returned -16 [ 671.519009] binder: 4827:4834 transaction failed 29189/-3, size 24-8 line 2970 21:37:21 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd8f80000}, 'syz0\x00'}) 21:37:21 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x810000c0, [0x40000003]}) 21:37:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:22 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x0, 0x0) getdents64(r3, &(0x7f0000000400)=""/84, 0x54) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 671.679282] input: syz1 as /devices/virtual/input/input1881 21:37:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc1]}) [ 671.744187] binder: 4857:4858 got transaction with invalid offset (117440512, min 0 max 24) or object. 21:37:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xdb01, [0x40000003]}) [ 671.785234] input: syz1 as /devices/virtual/input/input1882 [ 671.819302] binder_alloc: binder_alloc_mmap_handler: 4857 20001000-20004000 already mapped failed -16 21:37:22 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') sync_file_range(r0, 0x4, 0x7f, 0x2) [ 671.862048] binder: BINDER_SET_CONTEXT_MGR already set [ 671.877508] binder: 4857:4858 ioctl 40046207 0 returned -16 [ 671.900316] binder_alloc: 4857: binder_alloc_buf, no vma 21:37:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x74000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000083]}) 21:37:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4, [0x40000003]}) 21:37:22 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8cc}, 'syz0\x00'}) [ 672.066407] binder: 4881:4882 got transaction with invalid offset (1946157056, min 0 max 24) or object. [ 672.123684] binder: BINDER_SET_CONTEXT_MGR already set [ 672.159440] input: syz1 as /devices/virtual/input/input1883 [ 672.175111] binder: 4881:4882 ioctl 40046207 0 returned -16 [ 672.204867] input: syz1 as /devices/virtual/input/input1884 [ 672.222322] binder_alloc: 4881: binder_alloc_buf, no vma 21:37:22 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000800)=ANY=[@ANYBLOB="e7ffecf89e43c273d27c728b4340f4775419ce0d59fc3e2e548f689ccb4e5288002936f4dc1972a5cdbb1ff894420f3d81b55d8cbb35a5d5a7b73ec85ab89abe9abf982c65f1ff25817e1f67c55d7774d36651615ad0f95defb14bf57034717cba7ada7c28a0c48b6b1b4321badbe8c43368960100968e7f5e8d6b8f7b12fddd9c8325f8b86091169b7d132eec4c6908dd52fb5f652a455fa5cfb1041e72daf265ce140e4da5ef07305a19dfe718f09f3daebb506c523525da0c45806b5ab0b560090adc0fefaf0000055ddfa26541ccec486d9042f36ce686702a7d7702d38b0bc3f1b18d6ae7ca996b26e0f5b7f1393706be6079119acc83e60495b96f588f4cf1ae640c01ebe632ec2f8b71445772e8324f7da8fae45d870303431130ee309b8a0f7d76a2511341a8c5ed5869cacf9eb156f490d223b64861067e59a4d5021005b917b1b8481c000000000000000000"], 0xc, 0x0) socketpair$packet(0x11, 0x3, 0x300, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) pwritev(r0, &(0x7f00000007c0)=[{&(0x7f0000000640)="6b74380321dd4949f19e9977116afda900dad7c6913897babef2a13840d7c7130311cbd4164cd9bc54c22333af649872a165d377ae841fed4f41499eed436a17ab3fee0b1a0cf016b044d99e6e41748cfe99d071aeff0afe209db23a8ee62b0231031077a5739fd38ffd66338c88371727e7772a5eae8b80243585b958f729d0ef1729", 0x83}, {&(0x7f0000000700)="9353b9375c44674be0663d0862d72a679f4d7a51f5544b1dd1dcdb65b3b38b9a2a5ee4b263d1925d5c74e1b4465113eb9949a7069f05e22628a3f4c93a0e1d07423f4d0f41c254bba42a770e7982d4e7baeaa420b0ceb4febe785a976639713c3687108aa0b6520ba9a7dfb24974086ae244e8d05dc6a03c610f20a72d6e5f4c16322cefc12a9390250927ab5af4133c375e11257be9640074c9bcae243aac0a2b08", 0xa2}], 0x2, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) rt_sigsuspend(&(0x7f0000000200)={0x8}, 0x8) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000140)='/dev/rtc0\x00', 0x604282, 0x0) ioctl$RTC_PLL_SET(r4, 0x40207012, &(0x7f00000001c0)={0x5, 0x6, 0x1, 0x6db, 0x0, 0x80000000}) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r4, &(0x7f00000002c0)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000240)={0xffffffffffffffff}, 0x2, 0x1000}}, 0x20) write$RDMA_USER_CM_CMD_QUERY_ROUTE(r4, &(0x7f0000000300)={0x5, 0x10, 0xfa00, {&(0x7f0000000440), r5, 0x2}}, 0x18) 21:37:22 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3400000000000000]}) 21:37:22 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) socketpair$inet6_udplite(0xa, 0x2, 0x88, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) getsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000000700)={{{@in=@rand_addr, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @rand_addr}}, 0x0, @in6}}, &(0x7f0000000180)=0xe8) mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000940)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r0}, 0x2c, {[{@access_uid={'access'}}], [{@measure='measure'}, {@dont_hash='dont_hash'}, {@defcontext={'defcontext', 0x3d, 'staff_u'}}, {@dont_measure='dont_measure'}, {@audit='audit'}, {@euid_gt={'euid>', r5}}, {@dont_hash='dont_hash'}, {@rootcontext={'rootcontext', 0x3d, 'sysadm_u'}}, {@smackfsfloor={'smackfsfloor', 0x3d, 'access'}}]}}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') 21:37:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x1000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:22 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x186, [0x40000003]}) 21:37:22 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf000000}, 'syz0\x00'}) [ 672.552990] input: syz1 as /devices/virtual/input/input1885 [ 672.573577] binder: 4912:4914 got transaction with invalid offset (16777216, min 0 max 24) or object. 21:37:23 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x1) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) write$P9_RMKDIR(r2, &(0x7f0000000080)={0x14, 0x49, 0x1, {0x4, 0x3, 0x2}}, 0x14) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 672.623061] binder: BINDER_SET_CONTEXT_MGR already set [ 672.630868] input: syz1 as /devices/virtual/input/input1886 [ 672.649936] binder_alloc: 4912: binder_alloc_buf, no vma [ 672.659295] binder: 4912:4914 ioctl 40046207 0 returned -16 21:37:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8601]}) 21:37:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x80000, [0x40000003]}) 21:37:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x5000000]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000082]}) 21:37:23 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xddf8000000000000}, 'syz0\x00'}) [ 672.901237] binder: BINDER_SET_CONTEXT_MGR already set [ 672.927058] binder_alloc: 4936: binder_alloc_buf, no vma [ 672.962195] binder: 4936:4938 ioctl 40046207 0 returned -16 [ 673.005731] input: syz1 as /devices/virtual/input/input1887 [ 673.050691] input: syz1 as /devices/virtual/input/input1888 21:37:23 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = syz_open_dev$mice(&(0x7f00000001c0)='/dev/input/mice\x00', 0x0, 0x800) ioctl$KVM_DEASSIGN_DEV_IRQ(r0, 0x4040ae75, &(0x7f0000000200)={0xfffffffffffffff9, 0xffffffff00000000, 0x775e, 0x701}) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = syz_open_dev$dmmidi(&(0x7f0000000140)='/dev/dmmidi#\x00', 0x80000001, 0x111400) ioctl$KDSETMODE(r4, 0x4b3a, 0x0) 21:37:23 executing program 2: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) r3 = getuid() getgroups(0x3, &(0x7f0000000180)=[0xee00, 0xee01, 0xee00]) write$P9_RGETATTR(r2, &(0x7f0000000940)={0xa0, 0x19, 0x2, {0x4, {0x8, 0x2}, 0x84, r3, r4, 0x4, 0x1a, 0x5, 0x4, 0x5, 0x0, 0x80, 0x7, 0x4, 0x7, 0x20, 0x3, 0x1, 0x8a6, 0x4}}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RWRITE(r1, &(0x7f0000000080)={0xb, 0x77, 0x2}, 0xb) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RXATTRCREATE(r2, &(0x7f0000000400)={0x7, 0x21, 0x2}, 0x7) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) lsetxattr$security_selinux(&(0x7f0000000500)='./file0\x00', &(0x7f0000000800)='security.selinux\x00', &(0x7f00000008c0)='system_u:object_r:random_device_t:s0\x00', 0x25, 0x1) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000700)={{{@in=@local, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast2}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000380)={'team0\x00', r5}) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') r7 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000440)='/dev/qat_adf_ctl\x00', 0x84000, 0x0) ioctl$KVM_GET_CLOCK(r7, 0x8030ae7c, &(0x7f00000004c0)) 21:37:23 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xce, [0x40000003]}) 21:37:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x4800]}}], 0x0, 0x0, &(0x7f0000000400)}) 21:37:23 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd90]}) 21:37:23 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf00}, 'syz0\x00'}) [ 673.567575] input: syz1 as /devices/virtual/input/input1889 [ 673.593212] binder_alloc_mmap_handler: 3 callbacks suppressed [ 673.593231] binder_alloc: binder_alloc_mmap_handler: 4968 20001000-20004000 already mapped failed -16 [ 673.611894] binder: BINDER_SET_CONTEXT_MGR already set [ 673.636633] input: syz1 as /devices/virtual/input/input1890 [ 673.654338] binder: 4968:4972 ioctl 40046207 0 returned -16 21:37:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x400101c000000000, [0x40000003]}) [ 673.685214] binder_alloc: 4968: binder_alloc_buf, no vma [ 673.708679] binder_release_work: 16 callbacks suppressed [ 673.708687] binder: undelivered TRANSACTION_ERROR: 29201 21:37:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) accept(r0, &(0x7f00000004c0)=@generic, &(0x7f0000000440)=0x80) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) r5 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x10000, 0x0) sendmsg$nl_route(r5, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x10000004}, 0xc, &(0x7f0000000380)={&(0x7f00000002c0)=@ipv6_newrule={0x3c, 0x20, 0x402, 0x70bd29, 0x25dfdbfb, {0xa, 0x30, 0x0, 0x2, 0x40, 0x0, 0x0, 0x6, 0x10000}, [@FIB_RULE_POLICY=@FRA_SUPPRESS_PREFIXLEN={0x8, 0xe, 0x1}, @FIB_RULE_POLICY=@FRA_IIFNAME={0x14, 0x3, 'veth0_to_bond\x00'}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40011}, 0x800) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x80ffff00000000]}) 21:37:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x7a00]}}], 0x0, 0x0, &(0x7f0000000400)}) [ 673.733681] binder: undelivered TRANSACTION_ERROR: 29189 21:37:24 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8da}, 'syz0\x00'}) [ 673.843915] binder_alloc: binder_alloc_mmap_handler: 4991 20001000-20004000 already mapped failed -16 [ 673.885522] binder: BINDER_SET_CONTEXT_MGR already set 21:37:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x400101c0, [0x40000003]}) [ 673.905908] binder: 4991:4992 ioctl 40046207 0 returned -16 [ 673.934688] binder: undelivered TRANSACTION_ERROR: 29201 [ 673.943287] binder: undelivered TRANSACTION_ERROR: 29189 [ 673.969899] input: syz1 as /devices/virtual/input/input1891 [ 674.022310] input: syz1 as /devices/virtual/input/input1892 21:37:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc001102a]}) 21:37:24 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$EXT4_IOC_GROUP_ADD(r0, 0x40286608, &(0x7f0000000140)={0x8000, 0x9, 0x35f1, 0x4, 0xc86d, 0xffffffff}) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x2, 0x0, 0x1000, &(0x7f0000ffc000/0x1000)=nil}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x500, 0x0, &(0x7f0000000400)}) 21:37:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f00000002c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80804) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000400)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 674.130493] binder: 5016:5017 got transaction with invalid handle, 0 [ 674.147054] binder_alloc: binder_alloc_mmap_handler: 5016 20001000-20004000 already mapped failed -16 [ 674.164392] binder: BINDER_SET_CONTEXT_MGR already set 21:37:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010058, [0x40000003]}) [ 674.176778] binder: 5016:5017 ioctl 40046207 0 returned -16 21:37:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x300, 0x0, &(0x7f0000000400)}) 21:37:24 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c6}, 'syz0\x00'}) [ 674.259974] 9pnet: Insufficient options for proto=fd [ 674.285583] 9pnet: Insufficient options for proto=fd 21:37:24 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xffffffffa0008000]}) 21:37:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4b564d00, [0x40000003]}) [ 674.339690] 9pnet: Insufficient options for proto=fd [ 674.347602] binder: 5034:5040 got transaction with invalid handle, 0 [ 674.376320] input: syz1 as /devices/virtual/input/input1893 [ 674.380708] 9pnet: Insufficient options for proto=fd [ 674.394496] binder_alloc: binder_alloc_mmap_handler: 5034 20001000-20004000 already mapped failed -16 [ 674.410579] binder: BINDER_SET_CONTEXT_MGR already set [ 674.436455] binder: 5034:5040 ioctl 40046207 0 returned -16 21:37:24 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = accept4(r0, &(0x7f0000000400), &(0x7f0000000080)=0x80, 0x800) setsockopt$EBT_SO_SET_ENTRIES(r4, 0x0, 0x80, &(0x7f00000004c0)=@nat={'nat\x00', 0x19, 0x3, 0x410, [0x20000940, 0x0, 0x0, 0x20000a50, 0x20000a80], 0x0, &(0x7f0000000180), &(0x7f0000000940)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x0, 0x20, 0x0, 'gre0\x00', 'bridge_slave_1\x00', 'lo\x00', 'tunl0\x00', @dev={[], 0xf}, [0xff, 0xff, 0xff], @empty, [0x0, 0xff, 0xff, 0xff, 0xff, 0xff], 0x70, 0xa8, 0xe0}, [@snat={'snat\x00', 0x10, {{@broadcast, 0xffffffffffffffff}}}]}, @snat={'snat\x00', 0x10, {{@broadcast, 0xfffffffffffffffd}}}}]}, {0x0, '\x00', 0x1, 0xfffffffffffffffc}, {0x0, '\x00', 0x1, 0xffffffffffffffff}, {0x0, '\x00', 0x1, 0xffffffffffffffff, 0x2, [{{{0x11, 0x62, 0x15, 'ip6gre0\x00', 'veth1_to_bridge\x00', 'vlan0\x00', 'ip6gretap0\x00', @broadcast, [0xff, 0xff, 0x0, 0x0, 0x0, 0xff], @random="29431a0c2935", [0x0, 0x0, 0x0, 0x0, 0xff], 0xd8, 0xd8, 0x110, [@cgroup0={'cgroup\x00', 0x8, {{0x540b, 0x1}}}, @mac={'mac\x00', 0x10, {{@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}}}]}}, @arpreply={'arpreply\x00', 0x10, {{@random="ef93c1338168", 0xffffffffffffffff}}}}, {{{0x5, 0x10, 0x9100, 'nr0\x00', 'bridge_slave_0\x00', 'veth1_to_bond\x00', 'ip6_vti0\x00', @random="5488e27f04e5", [0xff], @random="0c8483182770", [0x0, 0xff, 0xff, 0xff, 0xff, 0xff], 0xf0, 0x128, 0x160, [@realm={'realm\x00', 0x10, {{0x6ae, 0x7ff}}}, @limit={'limit\x00', 0x20, {{0x9, 0x9, 0x100000001, 0x6, 0x4, 0x4}}}]}, [@arpreply={'arpreply\x00', 0x10, {{@random="7b9cf20bf641"}}}]}, @arpreply={'arpreply\x00', 0x10, {{@empty, 0xffffffffffffffff}}}}]}]}, 0x488) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 674.466950] input: syz1 as /devices/virtual/input/input1894 21:37:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x4, 0x0, &(0x7f0000000400)}) 21:37:24 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) r3 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/mixer\x00', 0x10000, 0x0) r4 = gettid() getresuid(&(0x7f00000015c0)=0x0, &(0x7f0000001600), &(0x7f0000001640)) getresgid(&(0x7f0000001680)=0x0, &(0x7f00000016c0), &(0x7f0000001700)) ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, &(0x7f0000001b00)=0x0) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000001b40)={0x0, 0x0}, &(0x7f0000001b80)=0xc) getgroups(0x1, &(0x7f0000001bc0)=[0x0]) sendmmsg$unix(r3, &(0x7f0000001c80)=[{&(0x7f00000001c0)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000001540)=[{&(0x7f0000000440)="0427dbcbc92b523c789da107cb0e98f7436c75ed251532f3ca17630b14da7bd8b8bdf7df643bc9b3698c7f31e331bbe86e66d285724b575063f99df50d5108f3d403b81e8ab34d6951f90da8190b420e6c41db9b4906d094f30ad146378149eb4296d89f9b8aa687ce0d733bc94df54bd1b03a36b229bcf462cf966492eab3e560127bd6e7db663d167562444e5c8370e14d2909ddb8142482a263b48186f97697fc8b7bdb534645f90ec7e54a1c8c9f4056ca2994f6f9c46ed9afdf9c7d6370968fd2051ef409978094c73ccf3c58f58f6e36efb9dcbbc5", 0xd8}, {&(0x7f0000000240)}, {&(0x7f0000000540)="cd6ccabe557eab9e470768cac14b24ac21aeb54dfb64a2803a134e56d6357a3949c712ff80ce13248711328a57652488ca35c9b5b545b394c5bd63589259f905459eb6a4e68787f29819f85fd1d264a4276d861cc9f9cb4a6eb5e2f5fdc4895519ee37eb0ecc6ad0d35a53a60bcee43eec9303517a5a6f9ef4f62e3f527772e8aaf36560d1aebe004f319a7264751c39914fa4594890e2b7db62277cf56c49832b0264bc65ebce6a6050a058b766ee6657f04008285bbdffcb057ac4307ed511d354170c1b755e972ff654044e796b53846e935baf52edfa8b92a89e4a957c0883ad5d640a17490533d0a273da83f7b98a1942e2a22417ffc101e696f6d7563740532239e7c43e7dba8d7715076fc86997fae3374c04d5e968fbb6fda98ba29e126b345f7698adb18f08b851e464e95ac4135647fffb9a01b931d8cf7563aba65865ff1978682c85c25f9d53f5353425eb87cf7dc70e258a6c63c3367e20146ff5339cfe76dca39ca558a591ff0d90d96645e2fa3b3239da709a52ce3ed63b8716f1bbde1d4485c1db6c93d0461d850adfee5fda4df7c3f1f31a49fe7d79509812490c9c39acccab6a45efa7aed99d056b9a683642d83726bac34a3e4ec4b7f75a2bf4f826b20e0b681dff886c4a8a17203f96f3a8647c2e2c2200264b85fbb53ec7056cfb4bdd9481599f1cda14e27154545e989bbd4006f996a038d86d6daa9eeb2cbeb989007e3cd77649da4433daa822a14b42c57c52a13d30dbc988f5c2e02ef76fb227581b2e610a7ee3f4a82e3d53c1ff880b8ea775fee2673180e14dca5ba2284c1eefa49939c59f0b449f049be8d436093245e74a2802f9fcdb9a0191b64624fb72ad6d92d42e8482a2cd361eaa809862185ddeb0f4af7bc67946daa0794463c84f57c0eca325aa34635f06bcdfa67024d1d84b7f3ec525293f22cba996924662d5e95c0aeb791ad0e11d77059866d59505f63a614d3bed6b372eb7f3a3867603ada80a800e6a550d3203a48a5d7d6f5396500301975c52ffdf32340b85a068a16764cc60c694659c68bf8c04e2204dfcdd02b8f7a9d6958823970e74b911c3846927a1579aee579ec7d4c59adff3541a7789cc84b79ca7c7b055062fbf2fbcc1a15cab48f6427e5534dc7a31738aa6c1a022e3aed700541360fd2bdc9bb8cc16d210c2771771bcea283a6c670d3e454d631db1a57fcfbc77627ce058be22bbfa47afff74c23d0969c54531fc75ed9229d15c156848d2d70f2541e0a15209f73110caece7694693dfb0d30bedf7c0445f635010f2c4729a0ddf09b86bbbf91fd850569baa1d91ba5b5e640e5278135954885f55bfcd22f83be55112aaa197dcb239a29c9307de3afafc1095fdd69ec1a93d8718a4d3dca92c48ba1995453b9bb3d9582c709467a36f85ea12226b60ee5f655858e6a9c412deec00d1d6107e5afac9896dfde650846e262803a8dcf0549bbb90e165a1d83d1c56be2ef18fd71a072982f1e9833f09f152c87546c5b3d7213dcf88ce491c8e0350e91a4137df85f19e34a33d4ef3da68f6d152803a33538957d90a581850492958d2d95793cbf7cf4de15a881bc9aa00aa3c2403f90965807699513da59e06925f882560f3e4a0ba81ed8a7672c6b5ccb8547e3462529202c0b740eac9d07814c1fd9d66901f0c624e08e94ab7647ddfade4a4a03ff202521d37a1c3ac178e95f65ff6c4989d0fcc01f5f129ee52a59b091b70bd2b3afaf50f1852914282a5b341d6b10e4139671000fe73bbca7d100c8b4f76f93cb65f6c8b24d86a35ba91e3925093a9b4b1c2c348c1624460c495f3fc63056a3ce6145ff104eabb38d3bcbb9dde1ca62e53f40144c511f0cff7e5701ffa498b6ffe2bb0572d848846d53fe82486d3fbe62d553e8609304f62aeb8f7c2ddeefd6284dc63f4562c4d13e47cfdff05460b92feb7bdb0f830a44770ee10fe1e6db84be8e66e5819661125c3905b56b16ce432b6cb06dd22e2487f24f33b6edab999eb99a640dc649b6277c7da16c9e3301aec2e686513822f575b86bba14e2d65aba4d66c707f00ad691a73dbe05c8e3c62c3fbec4a011dac6300b68153da275c6cb12bc6e128165d3afcc661cadce9bcc3c6226b0abffcffbbd8d66155874cc4a8ce8599cb6111f0382d648bf01543ba32f25c8fb0c326cef5fcf016f048a1a30cbd0e054a239e81306758007b450e0ea70118984e018d97f19a72cdb8cc32dbf245f0fc32895c6ae4cd78232e2a398f8fc70ab20409839d19f0ea45c4d337a93e5bd58cba96dff0da14748da4f793b3fe7cbd7ea5ec6254129e9852a22602ae22fbe69a724d925ed27d848c44cf2c0ffd8f65ef0ff14a03e9512eb4e323ccf731970ad809d665f02c640e284425891cf079708b447580a2ea56512fd1e81b646b4d3fb8bf3e1edb47a7a5af14742785f8769ca5ba52d989c932c574861d8092366c287c63e4535a51020748e0db00884f5151e547ceb38dd000b192191f5b1d1f1559252bc100e6c98c51ea235325b355c7dae8e7d34b5ca89cab4438d4bae4fa24f5aeade764e97b0d8a850c4f3f653caaccda073f14c86f820df30996b5cc39e2fc0da867541fda743f260f8f7d401c2cac01fd30fd173462dd84ae7da132cc4527773d29e1eed3d382cdd81467e05eef1d98d57cf924509fa9688908fdfeefe5911d6fa9d71d8de65a54f08042a9dd76f0e8de385e832dc963f5ac3f18b87efcbb16473c75d24abf9017d96af7c7de5fec495f1207b553db1d05ea2114867f7555d37f9ba1cdb6ced24e2fd62e27f66a05fc68b86ec222b796b5ae33e2dfd0e15d0afdd4b8ebae8cc320ca378965c4ed382f5985c69bda76f543b6bb959973e9f792c2ac69150497dbc85cfd5075094e7dbe38aef158424f48f23850b9d0582b344b67e880b5771c778ba0c7101da7f5113fb0ca93c8ea318ede6034acab166770ad021e9d4ec435e3d8d0f35378935b4d06cda46710f8b0d695ad5b53250fa2c577620f21354599edce9af138d32428d5d73a64f7d7eac3ea721679b7749d6df568bc73fd298ba89f25ad9817a5ff077de01ffd41c8b700b41320225b35eecd7322713aa24250a6ec921fe5cfa88089aebf1fcada8ec3340554eb11133623b3eca7e03f03e1c9c768c2fd7ed412033cf4fbc0e1f0b46b4e21757532845023dd04784afb164040a744db84da43e06f36d06cfb48d7a23cdd41a644972ebbfccfc64105bf76f300e99e396940d78612e4743b08424f546b56c7acb07861bbc349063dfc57893900e7ff5d6760d5b247f4d0ee9d417149e73d90fda820594789cf7274240325e5caf2796fba61bcfbfc684db87bb5ab6d4f76c8fdf72b10738dec8179c8cd8b309d499bf9e9d20fa8ecea8aad4aae6cc9d1f0dd26a354d633f81ad782bf9f4d73e47549f7c255def41e6a47fca7d03b6dac989ca8bb62645087fb152647731d1b3df727c3a29d6378619acf71526e52d6a42d2b9b10c0189beda800ebe800b9ad624602de6952f17226414cc123d9635380732ff1cafb7cc3f8945964a597ff7d9ac6a311f6b7db61c713c5e3b0a87e4409a39cf11a9d93c2dc2a4c17a9701a2262cdf41a103c5f0d1ae91825540c74c9ce1dee895b7dc756fc68b8f4d7a91005223ea4f683de9f5826c9456ff56b19abf1969dad904940a693a4fecec2562d1fd5ab5d5b3532851e34c1fecbf9eb9f005bc036302a50fa30e5f4fb0f65e5cbb0052a3e25fb47a11ac20babba27b926cd7fe53cd349a2a267d42035f295cb63e3e5497c7dedb4717d29095a874c536738a47354aa2b6e01f55b8f184a1b451fffa390716c9b0fdaf7acd502e3caae8416cc138dd41ef6c2731a2712328074a3987092fcc68d48943dc4c37f3b4fe0d7a4714cb8185721c68fdf1ca908352003effc2098dd89e1a17ccb76747862e660b67e4ed9c33452edca2f3a35361e53ebceebf636bbd7ea45134b8aea6be283ffde566722df2b247282c00690f86557ee3d9037dfec072f90ca92f06378d6c75e7c5444b31a28072fc3352b41906b0bac5a5335722188d32aafdc6311fa169af86afc1752a2f263ed82edfa02048a70de9fe9fafa9f7102d70c145a2f0352b43a3606cdd7ee9d5d036463c848a811b0f326b47e43a4341f54ea5ba40fd33407144a207647259e46fbfb4c9b7e7e8b7238322b1ee30e0be86afe5ea94793ffc6b36e766b8d6898ac8268e42d4fcab156de215f670c76a72d9faf5da5d55de0ec3e75884db89f1b637b8d579b453fda9d54bc19bb447b6d3615e4f9271851d9718daf8898c8533fee322978e19cbcec7f029daea5127c6198ca4f65feab88a4712a90fc1692467cef8533bb4c76d36b9b31612458458b321d9799c30dc8b4d2c8aa6fb0c028aae784f3885fec55090fd544f942f755aad20469f6d6fa0ef238ea50b5feef278dbf1b9506da287aba6b31bc5a37f13262df5171086c06205711fe39adbcd883551d3858d374cd4e07ad63ba5d74abc45acd3db52a2da9383d132b5ce4bc522bd4ed74c6e88e5a72d1296126eaf67ed17c5724652fbd4b6678692a7294f3614f0d5f06194ff259b9ad79ca77b899b49089b039c744738fe77684d7235e079c3b56194a9473d093976a2843d023be05cba5538ce0a597b222919242d6f82f6d656fea6e2c717411713396f871313ff90564631ae6defe7ac4676a7195cfb03b7a3072230be57677302cfc48099a22f9dd1f8f112c4af63b87c6b4433fa3aedd719dacf9ac76b56d16fdd5d5b7a68f499db28b8801befed465b7f0708cc2481cba8afcbfce98310c312c4623b83bac34abff77042fe191c5945c3e6a1013c259d15e8751d3320ffdff85ae003ccae59cc48b85ad03ebc4d84524ce0bdf0ea128c5ed62fc00ea556f39a449bf85b0192f73b3a71824a34b9f54896c21cb23014821c3e045a7532ac050f1e848ca5c8eed01c00f36122ea9225c0b62b4017e8670a32ee6b39d2b0dbb38f92777fdd8dd4b406f766e34f018df66cc713d8ef199052a69ec4f882d401531ad04ca740217127c7158546d8a1abca570fa4a66e79ccd619d11e682ca0c4d4576bd4993f536bdb2215e12d3698a4bd410183abd92e8da98f8830b9e84e53b7b616408ff595ef259ded4c1dda69dcebeef6e63853f3f579ddda1beb1799f9b905237f30d3a685a981b23c60e3397dc94d59e70b4b5523e7a28eefc38eb2d0799fff770cc356b07e4037b1eea973fd7b1d14d586fed8a0e46ab0f783662d819e255fa12052205f7d298f1cbf3d7e56362728e9975839f41bc33cf3d1effcbc559bfba287c031534ab0015514d13594a1762f021f6863412431ff8680987fbf829096f1c11762a4acb706b9bddcbd546f84b24845bba2a081f2ee43c56c34a8ab1902d9827846f6b81818e527f4579a78d9ad8775f68646620db7772a45fe4d4691f3b7202ff9b2d5611d7d82bf65af4c4ca4ee1a89a917213cb6cf385a3fd22b6fd54e95e7b97b380ec8563b0353608cd0da43a012fc7c462434d003251b70e0155e7df94c53844bc00f8879cb0f46402fbc3ccc2be76e28b0a3f2fac85abc708911da70bd6ae2f5e09391b462e27b4ce4d4237137b12dda590fc28959f0455d586a705fffe3628c0d234113635363dd0d2c686d54d3ec081cf57c06425e31690a89647d522b74b403338fe1eafc46022982aca3b3e5ce6923252e9835c1058d0c5622debdb22f89dc8cdfb53ce60411cf7154e2ab29ef0372e6d6b86333b0fea420aa93475ea9ebcc74608dfa2", 0x1000}, {&(0x7f00000002c0)="1eb1f9bc29cd912f61c735a5a905ca9876e3a2d3", 0x14}, {&(0x7f0000000300)="2730118aa04e8140e0cbd33cf189703e5b3dc5740439b193edeb424cb985e5d2e2893aa1e39e8363ee283ae2daf880c11d6d3b0d91f04b67b6d1d8193c19424335bb98bb8b4d0d5d7ffc9f4ec730929ae2cee77a52a9fe39dbbf4556c2f97b2804ea1d129837", 0x66}], 0x5, &(0x7f0000001740)=[@cred={0x20, 0x1, 0x2, r4, r5, r6}, @rights={0x28, 0x1, 0x1, [r0, r1, r1, r1, r0]}], 0x48, 0x80}, {&(0x7f00000017c0)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000001ac0)=[{&(0x7f0000001840)="a59566f4fb0177ec2f194afc286132732f3070ea4cb75e5f1a08f7ffa74541e90d513c80c334c1291e1ed11a76e969a4ad40035e2be74397170a1a7130a9718829fa60426c979d8179dc802cd4b7a6d18c046407ab68bc5ece462dfcd15d789144b31448fff41d2c8897d9290700998520981b129b46ab4a4fe8e4b31bd33caec7d8a340d980aade11709d06e48e0500c6c590642e2835f31cc161674a640243abbfba530a97d8028e483781a17f621fad2d3c1a6f21777cbb6fa24e625ee9acb9a61271ad9dc30329a0edf1546b8ef371dda2b6965a877c2d0b2b", 0xdb}, {&(0x7f0000001940)="3233ad45c50dd63437afbb6d58715735d0af0979852c86416f192c247df17e8412d4fee92d977e3bd2c354d58891372033e11bd442eb9fc30a0909d62421ab58bf3cac4a769f110086aba2521b721284ead2e636e6dc85190a48d1231ed0509faa3bd9be77389569b8155d9de068aff02b40e0e95e862682284617c0b1a2e41ff7d9098b2314cc0b8a548999826b58b8efabe32e36715957c5e28fb583b54c009d61521bebe973", 0xa7}, {&(0x7f0000001a00)="5f9e1397510c0b6a1c325fd67be86aece9baa413f0824bcc47cfa533c6cc3d53a5157e8b35db93640ae0656459d4304fe6311c25d707a7923137cd8a9cb001434ff7612cbea1b926722eab4b22408aaf45755a73d7264d182e12c1413afa48b0b710e523d793c4a06fbbd6b6583eea0987d4aa71b49b6b8b47c504d23ae3c16cb97bebae841866e0bb793bd695b8169209ab97810d5f251efe2e6d79bc1f9c2cd5e4", 0xa2}], 0x3, &(0x7f0000001c00)=[@rights={0x20, 0x1, 0x1, [r2, r1, r1, r1]}, @cred={0x20, 0x1, 0x2, r7, r8, r9}, @rights={0x38, 0x1, 0x1, [r0, r0, r2, r1, r2, r0, r0, r1, r1]}], 0x78, 0x4000040}], 0x2, 0x4080) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000240)={0x6, r3, 0x1}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:24 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1200000000000000, [0x40000003]}) 21:37:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xde01000000000000]}) 21:37:25 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc8f80000}, 'syz0\x00'}) [ 674.646971] binder: 5058:5060 got transaction with invalid handle, 0 [ 674.678618] binder_alloc: binder_alloc_mmap_handler: 5058 20001000-20004000 already mapped failed -16 [ 674.723969] binder: BINDER_SET_CONTEXT_MGR already set 21:37:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = socket$inet_sctp(0x2, 0x5, 0x84) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(0xffffffffffffffff, 0x84, 0xf, &(0x7f0000000700)={0x0, @in6={{0xa, 0x4e21, 0x0, @remote, 0x2}}, 0xffffffff, 0x5, 0x7f, 0x6, 0x2}, &(0x7f0000000080)=0x98) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r3, 0x84, 0xa, &(0x7f0000000180)={0x5, 0x0, 0x8000, 0x3, 0x2, 0x8, 0x1, 0x2, r4}, 0x20) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 674.754330] binder: 5058:5060 ioctl 40046207 0 returned -16 [ 674.801298] input: syz1 as /devices/virtual/input/input1895 [ 674.813391] binder_transaction: 17 callbacks suppressed [ 674.813410] binder: 5058:5078 transaction failed 29189/-3, size 24-8 line 2970 21:37:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x820000c000000000]}) 21:37:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1e010000, [0x40000003]}) [ 674.842605] input: syz1 as /devices/virtual/input/input1896 [ 674.853769] binder: undelivered TRANSACTION_ERROR: 29201 [ 674.865755] binder: undelivered TRANSACTION_ERROR: 29189 21:37:25 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000140)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) fchmodat(r3, &(0x7f00000001c0)='./file0\x00', 0x1) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x1200000000000000, 0x0, &(0x7f0000000400)}) 21:37:25 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x3f00}, 'syz0\x00'}) 21:37:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd901000000000000]}) 21:37:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010140, [0x40000003]}) 21:37:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) bpf$OBJ_GET_PROG(0x7, &(0x7f0000000180)={&(0x7f0000000080)='./file0\x00', 0x0, 0x10}, 0x10) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 675.111095] binder: 5099:5101 got transaction with invalid handle, 0 [ 675.147365] input: syz1 as /devices/virtual/input/input1897 [ 675.162791] binder: 5099:5101 transaction failed 29201/-22, size 24-8 line 3062 [ 675.184199] input: syz1 as /devices/virtual/input/input1898 [ 675.220161] binder_alloc: binder_alloc_mmap_handler: 5099 20001000-20004000 already mapped failed -16 [ 675.266771] binder: BINDER_SET_CONTEXT_MGR already set [ 675.272635] binder: 5099:5101 ioctl 40046207 0 returned -16 [ 675.288441] binder_alloc_new_buf_locked: 4 callbacks suppressed [ 675.288449] binder_alloc: 5099: binder_alloc_buf, no vma 21:37:25 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x800000c0, [0x40000003]}) 21:37:25 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1b0001c000000000]}) 21:37:25 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) r3 = syz_open_dev$midi(&(0x7f0000000540)='/dev/midi#\x00', 0x9, 0x1) r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000001bc0)='/dev/net/tun\x00', 0x80, 0x0) ioctl$sock_SIOCGPGRP(r3, 0x8904, &(0x7f0000001c00)=0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000001c40)={{{@in=@local, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@loopback}, 0x0, @in=@loopback}}, &(0x7f0000001d40)=0xe8) getgroups(0x8, &(0x7f0000001d80)=[0xffffffffffffffff, 0xee00, 0xee00, 0x0, 0xee00, 0xffffffffffffffff, 0xee00, 0xee01]) ioctl$TIOCGPGRP(r3, 0x540f, &(0x7f0000001dc0)=0x0) fstat(r3, &(0x7f0000001e00)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000001e80)={0x0, 0x0, 0x0}, &(0x7f0000001ec0)=0xc) r11 = fcntl$getown(r3, 0x9) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000001f00)={0x0, 0x0}, &(0x7f0000001f40)=0xc) fstat(r3, &(0x7f0000001f80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$TIOCGSID(r3, 0x5429, &(0x7f0000002000)=0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r3, 0x29, 0x22, &(0x7f0000002040)={{{@in6, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in6=@loopback}}, &(0x7f0000002140)=0xe8) lstat(&(0x7f0000002180)='./file1\x00', &(0x7f00000021c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$unix(r3, &(0x7f0000002380)={&(0x7f0000001ac0)=@file={0x1, './file1\x00'}, 0x6e, &(0x7f00000004c0)=[{&(0x7f0000001b40)="98165e9a362068562281aeb7e36cb406661d0d0404613d46bb0e77f8517265943d8be66134eef1eca0e80ef17758ad13ec1bb242a1cef7417722e5c20f3862a071fd2e7abc8229fc4a", 0x49}], 0x1, &(0x7f0000002240)=[@rights={0x18, 0x1, 0x1, [r3]}, @rights={0x30, 0x1, 0x1, [r3, r4, r3, r3, r3, r3, r3, r3]}, @rights={0x20, 0x1, 0x1, [r3, r3, r3, r3]}, @rights={0x18, 0x1, 0x1, [r3]}, @cred={0x20, 0x1, 0x2, r5, r6, r7}, @cred={0x20, 0x1, 0x2, r8, r9, r10}, @cred={0x20, 0x1, 0x2, r11, r12, r13}, @cred={0x20, 0x1, 0x2, r14, r15, r16}], 0x100, 0x800}, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, r3, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) vmsplice(r3, &(0x7f00000007c0)=[{&(0x7f00000019c0)="83948375d6b319b5ac3ba7a45d33307aa05ced1a85311c61bd8453ff6bb355272c220dabc891b257e3bb83ad5cdd6f5ad628497cc2f993b5f9add671b08760af4adbf98be7532bc2b9f20808097f6805f79c43b8cd29596501b69900bd5f40d393fbc4723fe647e49ba852b41c6114e917ffa800065ce0b3fedb292eac76b9478d5b78841b9c235704e18d9006c290805905de65a6f5d4e7068e3a846f0567b0af19e7e5cbaf5abdaca8fb0577364f460c73f717b3ed5f7c79ce222b4bf04e8469ada3a1ea54860c4b1c34969aebd82cc23b5f009d9911aa3c30341f", 0xdc}], 0x1, 0x1) ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000880), &(0x7f00000008c0)=0xc) pipe2(&(0x7f0000000440), 0x0) ioctl$IOC_PR_CLEAR(r3, 0x401070cd, &(0x7f0000000580)={0x80}) [ 675.347671] binder: 5099:5120 transaction failed 29189/-3, size 24-8 line 2970 21:37:25 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x4000}, 'syz0\x00'}) 21:37:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0xfdfdffff00000000, 0x0, &(0x7f0000000400)}) 21:37:25 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) sendmsg$unix(r0, &(0x7f0000000380)={&(0x7f0000000400)=@file={0x1, './file0\x00'}, 0x6e, &(0x7f0000000b00)=[{&(0x7f0000000700)="2d30320c3878946ae19c41e57fd96a27bf038178289154a38152eca19150d050b8cc3a8f57320d92801f57355e75b12c35ed10abde601ebe33771508c9714de61be98db75ffdc225cd5ecce4d9de477e847da0eeab41b30320075ff3e6736fadf7ee71b17cffe2b9bfc5180beeafcf85bea7434b0f59987dfcfb7618c4a60b8eda3cf6f02365888e980f093f21b0dfbdf988541cbf05acf811f8d34e18b049ead62b1468706b71253492e0505d1793d728f552a9ab6a085850444a6733522bede261b215bc86bb76a93e348d2645072c91f0a22c13e547537302e059160b33334f585561b6ab7ba874fa9eb76cb33c32ae4c6a5e3e93dee29a13", 0xfa}, {&(0x7f00000004c0)="bfbaf25ec4371de82c85f60fa3453092e03b4de0833f6660c05a146ec62714b77ad8ed316baed765bf5114625f20a0b952bdd8713ba2179e4b3f191704377ea683b4cb8dfd4df859710f536920fd4530898283d9acafb78d1b", 0x59}, {&(0x7f0000000940)="3cddba82b53608bd2994f86d46d00a7fe7bd031089ea0785825829501382ef89e8183879a019b1319afe4ba74519640fe8b7d9efe9f6fec2f40b4d07ebc6032a8b1aff8030d8472979d2a55e4574f061f8c296558a51ca89bc01071aee365e6c", 0x60}, {&(0x7f00000009c0)="9c04fcf376153f5aa8917034dc5b31e9c226d745cbbe65d6a0bf83871ae75603e94e538b69dc0d0175eb20c61c68e3da39ab168171d9f6977ed82375a9d7fd8b072ad0084fc51555a5acb9827355986cb1b24a03b17f1f48e21ec4700fcd2bd82fe929adde8b3f475af043c8d427ae2a0f6c608ee3086e746cca4540ee4561f0b897994632258aa2344d", 0x8a}, {&(0x7f0000000a80)="b722ccac3286398655b061c1886c2f287515890b2983afb30cb9e82f2285235ca1225c94ecddf60b3ea1bd8ac2e9525c6b884e54e0d9a2d3bf11b05b5da6030ee11d76ae2acd4f9f4245ddabc5", 0x4d}], 0x5, &(0x7f00000002c0)=[@rights={0x30, 0x1, 0x1, [r3, r3, r0, r2, r1, r0, r2]}], 0x30, 0x40000}, 0x1) setxattr$security_smack_entry(&(0x7f0000000800)='./file0\x00', &(0x7f00000008c0)='security.SMACK64IPIN\x00', &(0x7f0000000b80)='rfdno', 0x5, 0x2) r4 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x100, 0x0) write$P9_RXATTRCREATE(r4, &(0x7f0000000180)={0x7, 0x21, 0x1}, 0x7) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 675.533091] input: syz1 as /devices/virtual/input/input1899 [ 675.583635] input: syz1 as /devices/virtual/input/input1900 [ 675.593313] binder: 5135:5145 got transaction with invalid handle, 0 21:37:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7b010000]}) [ 675.648093] binder: 5135:5145 transaction failed 29201/-22, size 24-8 line 3062 21:37:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x7601, [0x40000003]}) [ 675.690817] binder_alloc: binder_alloc_mmap_handler: 5135 20001000-20004000 already mapped failed -16 21:37:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="2c7766646e6f3d396b8abb9bb9604eb4400f6c305374f68fceb5b281c1ae893c294d1c96232678b4c80c4d14bef8cd0622e431bff0b6fc8b8296ecac86426602effe580789285ba29a02", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)=ANY=[@ANYBLOB="230000006f010002090000000000000000000000000000000000000000000000000000"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 675.732308] binder: BINDER_SET_CONTEXT_MGR already set [ 675.740883] binder: 5135:5145 ioctl 40046207 0 returned -16 [ 675.752934] binder_alloc: 5135: binder_alloc_buf, no vma [ 675.768815] binder: 5135:5149 transaction failed 29189/-3, size 24-8 line 2970 21:37:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0xa00, 0x0, &(0x7f0000000400)}) 21:37:26 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xcff8}, 'syz0\x00'}) 21:37:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xfe00]}) [ 675.901718] binder: 5163:5165 got transaction with invalid handle, 0 [ 675.911502] 9pnet: Insufficient options for proto=fd 21:37:26 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x30100c000000000, [0x40000003]}) [ 675.946955] binder: 5163:5165 transaction failed 29201/-22, size 24-8 line 3062 [ 675.979163] binder_alloc: binder_alloc_mmap_handler: 5163 20001000-20004000 already mapped failed -16 [ 675.989935] 9pnet: Insufficient options for proto=fd [ 676.016390] input: syz1 as /devices/virtual/input/input1901 [ 676.038191] binder: BINDER_SET_CONTEXT_MGR already set [ 676.056549] binder: 5163:5165 ioctl 40046207 0 returned -16 21:37:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) inotify_init1(0x800) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) socketpair$inet_tcp(0x2, 0x1, 0x0, &(0x7f0000000080)) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 676.084646] binder_alloc: 5163: binder_alloc_buf, no vma [ 676.110127] binder: 5163:5182 transaction failed 29189/-3, size 24-8 line 2970 21:37:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x7a, 0x0, &(0x7f0000000400)}) 21:37:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0010058]}) [ 676.164441] input: syz1 as /devices/virtual/input/input1902 21:37:26 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00'], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x6e0, [0x40000003]}) 21:37:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') r5 = dup3(r0, r1, 0x80000) setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f00000023c0)=@req={0x2, 0x200, 0x7}, 0x10) 21:37:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1200000000000000]}) 21:37:26 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe6f8000000000000}, 'syz0\x00'}) [ 676.314842] binder: 5197:5199 got transaction with invalid handle, 0 [ 676.350611] binder: 5197:5199 transaction failed 29201/-22, size 24-8 line 3062 [ 676.414020] binder_alloc: binder_alloc_mmap_handler: 5197 20001000-20004000 already mapped failed -16 [ 676.452888] input: syz1 as /devices/virtual/input/input1903 [ 676.475859] binder: BINDER_SET_CONTEXT_MGR already set [ 676.499613] input: syz1 as /devices/virtual/input/input1904 [ 676.523721] binder: 5197:5199 ioctl 40046207 0 returned -16 21:37:26 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x3a, [0x40000003]}) 21:37:26 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = openat(0xffffffffffffffff, &(0x7f00000002c0)='./file0\x00', 0x8900, 0x41) setsockopt$inet_sctp_SCTP_AUTH_CHUNK(r3, 0x84, 0x15, &(0x7f0000000380)={0x29a2}, 0x1) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') r5 = dup2(r1, r4) getsockopt$IP6T_SO_GET_REVISION_TARGET(r5, 0x29, 0x45, &(0x7f0000000080)={'ah\x00'}, &(0x7f0000000180)=0x1e) 21:37:26 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xffff8000]}) 21:37:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x68000000, 0x0, &(0x7f0000000400)}) 21:37:27 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x60000, 0x0) ioctl$KVM_PPC_GET_SMMU_INFO(r1, 0x8250aea6, &(0x7f00000001c0)=""/78) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000240)={0x579b8d36}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)={[{}, {0x0, 0x0, 0x0, 0x0, 0x0, 0xdb8}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}]}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 21:37:27 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd4f8000000000000}, 'syz0\x00'}) [ 676.750404] binder: 5241:5245 got transaction with invalid handle, 0 21:37:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc001020b]}) 21:37:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xa00d0000, [0x40000003]}) [ 676.803413] binder: 5241:5245 transaction failed 29201/-22, size 24-8 line 3062 21:37:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 676.867798] binder_alloc: binder_alloc_mmap_handler: 5241 20001000-20004000 already mapped failed -16 [ 676.913280] input: syz1 as /devices/virtual/input/input1905 [ 676.931933] binder: BINDER_SET_CONTEXT_MGR already set [ 676.950922] binder: 5241:5245 ioctl 40046207 0 returned -16 21:37:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x120101c0, [0x40000003]}) [ 676.960917] binder_alloc: 5241: binder_alloc_buf, no vma [ 676.971657] binder: 5241:5265 transaction failed 29189/-3, size 24-8 line 2970 21:37:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x20000000, 0x0, &(0x7f0000000400)}) [ 677.030958] input: syz1 as /devices/virtual/input/input1906 21:37:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1a0]}) 21:37:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)=ANY=[@ANYBLOB="230000006f010002000000000000000002000000000000000000001200000000000000"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)=ANY=[@ANYBLOB="0b00000029010000000008"], 0x145) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:27 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x40000, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) r3 = creat(&(0x7f0000000140)='./file0\x00', 0x48) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r3, 0x400c6615, &(0x7f00000001c0)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 677.173742] binder: 5280:5281 got transaction with invalid handle, 0 [ 677.182283] binder: BINDER_SET_CONTEXT_MGR already set [ 677.196217] binder: 5280:5281 ioctl 40046207 0 returned -16 [ 677.209068] binder_alloc: 5280: binder_alloc_buf, no vma 21:37:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x2c000000, [0x40000003]}) 21:37:27 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc3f80000}, 'syz0\x00'}) 21:37:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x6000000000000000, 0x0, &(0x7f0000000400)}) 21:37:27 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x7b01000000000000]}) 21:37:27 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)=ANY=[@ANYBLOB="9ece001b7cc5b0be530a1b"], 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:27 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1e01, [0x40000003]}) [ 677.476719] input: syz1 as /devices/virtual/input/input1907 [ 677.486750] binder: 5302:5306 got transaction with invalid handle, 0 [ 677.508899] binder: BINDER_SET_CONTEXT_MGR already set [ 677.521031] binder_alloc: 5302: binder_alloc_buf, no vma 21:37:27 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) r3 = open(&(0x7f0000000140)='./file0\x00', 0x1, 0x100) ioctl$EVIOCSCLOCKID(r3, 0x400445a0, &(0x7f00000001c0)=0x9) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 677.566982] binder: 5302:5306 ioctl 40046207 0 returned -16 [ 677.586379] input: syz1 as /devices/virtual/input/input1908 21:37:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x6000000, 0x0, &(0x7f0000000400)}) 21:37:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x70001c000000000]}) 21:37:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x8601000000000000, [0x40000003]}) 21:37:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) r3 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp\x00', 0x2000, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc4c85512, &(0x7f0000000940)={{0x3, 0x7, 0x7, 0x200, 'syz0\x00', 0x10000}, 0x1, [0x1, 0x9, 0x400000000, 0x4, 0x86, 0x9, 0x900, 0x3, 0x4, 0x400, 0x91, 0x8, 0x81, 0x0, 0x5, 0x5, 0x3, 0x4, 0x1000, 0x8, 0x5, 0x2, 0x80, 0x2, 0x9, 0x8000, 0xffff, 0x1, 0xc6, 0x0, 0xffffffffffffffff, 0x80000001, 0x1, 0x9, 0x13c8738c, 0x3ff, 0x200, 0x7, 0x4, 0x6, 0x0, 0x7fff, 0x0, 0x8, 0x0, 0x7, 0x84, 0x9fa8, 0x8, 0xb1dc, 0x5, 0xd49, 0xfffffffffffffffa, 0xffffffffffffffff, 0x7fff, 0x257f, 0x3ff, 0xfffffffffffffff7, 0x3, 0x3, 0x80000001, 0x7fff, 0x9, 0xb1e1, 0xcfe, 0xfffffffffffffbff, 0x635c9190, 0x7, 0x80000000, 0x0, 0xfff, 0x6, 0x4, 0x6, 0x100, 0x1, 0x8, 0x100, 0x3, 0x1ae3, 0xffff, 0x400, 0x0, 0x6, 0x0, 0x9, 0x4, 0xef, 0x200, 0x5148, 0x8, 0x8, 0x6, 0x8, 0x0, 0x100000001, 0x4, 0x5, 0x5, 0x0, 0x2, 0x5de, 0x1, 0x65a, 0x8, 0x9, 0xcdf5, 0x100, 0x100000000, 0x8, 0x3, 0x10001, 0xfff, 0x4, 0x4, 0x6, 0x100, 0x401, 0x4, 0xb0, 0xfff, 0x0, 0x3, 0x80, 0x8, 0x321f94ea, 0xd2fe], {0x0, 0x1c9c380}}) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) write$P9_RUNLINKAT(r3, &(0x7f0000000180)={0x7, 0x4d, 0x2}, 0x7) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 677.794930] binder: BINDER_SET_CONTEXT_MGR already set 21:37:28 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe2f8}, 'syz0\x00'}) [ 677.826659] binder_alloc: 5327: binder_alloc_buf, no vma [ 677.835562] binder: 5327:5339 ioctl 40046207 0 returned -16 21:37:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc100000000000000]}) 21:37:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x580001c000000000, [0x40000003]}) 21:37:28 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="040062fc3e41548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/kvm\x00', 0x2000, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x200000000) r3 = dup3(r1, r0, 0x80000) setsockopt$packet_tx_ring(r3, 0x107, 0xd, &(0x7f0000000140)=@req3={0x40, 0x1, 0x9, 0x8, 0x9, 0x200, 0x9}, 0x1c) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x7a00, 0x0, &(0x7f0000000400)}) [ 678.006337] input: syz1 as /devices/virtual/input/input1909 [ 678.042674] input: syz1 as /devices/virtual/input/input1910 21:37:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x840000c000000000]}) 21:37:28 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x4) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 678.107116] binder: BINDER_SET_CONTEXT_MGR already set [ 678.120074] binder_alloc: 5379: binder_alloc_buf, no vma [ 678.141822] binder: 5379:5383 ioctl 40046207 0 returned -16 21:37:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x7f04, [0x40000003]}) 21:37:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x48, 0x0, &(0x7f0000000400)}) 21:37:28 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdaf8}, 'syz0\x00'}) [ 678.304120] binder: BINDER_SET_CONTEXT_MGR already set [ 678.327049] binder_alloc: 5394: binder_alloc_buf, no vma 21:37:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x12000000]}) [ 678.349533] binder: 5394:5395 ioctl 40046207 0 returned -16 21:37:28 executing program 2: chdir(&(0x7f0000000080)='./file0\x00') socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 678.386240] input: syz1 as /devices/virtual/input/input1911 21:37:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x12, 0x0, &(0x7f0000000400)}) 21:37:28 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x2a00000000000000, [0x40000003]}) [ 678.493657] input: syz1 as /devices/virtual/input/input1912 21:37:28 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4b564d02]}) [ 678.559940] binder: BINDER_SET_CONTEXT_MGR already set [ 678.586130] binder_alloc: 5418: binder_alloc_buf, no vma [ 678.626545] binder: undelivered TRANSACTION_ERROR: 29201 [ 678.636789] binder: 5418:5420 ioctl 40046207 0 returned -16 [ 678.649033] binder: undelivered TRANSACTION_ERROR: 29189 21:37:29 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000240)=ANY=[@ANYBLOB="9bd51f9174e66d960a073e0000000000000000"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f00000002c0)='memory.stat\x00', 0x0, 0x0) ioctl$KVM_IOEVENTFD(r1, 0x4040ae79, &(0x7f0000000300)={0x113000, &(0x7f0000000100), 0x0, r2, 0x2}) r3 = syz_open_procfs(0x0, &(0x7f0000000200)='net/snmp6\x00') r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x4) r5 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dsp\x00', 0x50040, 0x0) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r5, 0x80045700, &(0x7f00000001c0)) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r4, 0xae80, 0x0) 21:37:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) r3 = syz_open_dev$usbmon(&(0x7f0000000400)='/dev/usbmon#\x00', 0x6, 0x4000) accept$packet(0xffffffffffffffff, &(0x7f0000000440)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f00000004c0)=0x14) ioctl$TUNSETIFINDEX(r3, 0x400454da, &(0x7f0000000500)=r4) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) openat$cuse(0xffffffffffffff9c, &(0x7f0000000a80)='/dev/cuse\x00', 0x2, 0x0) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB='trTns=fd,rfdno=', @ANYRESHEX=r1, @ANYRES16=r3, @ANYRESHEX=r2, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB=',\x00']) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r3, 0x84, 0x10, &(0x7f00000007c0)=@assoc_value={0x0, 0x3}, &(0x7f0000000800)=0x8) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r3, 0x84, 0xf, &(0x7f0000000940)={r5, @in6={{0xa, 0x4e20, 0xc00, @loopback, 0x6}}, 0x712, 0x7ff, 0x8, 0x3f, 0x8000}, &(0x7f00000008c0)=0x98) r6 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) r7 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vga_arbiter\x00', 0x4000, 0x0) ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r7, 0x80dc5521, &(0x7f0000000a00)=""/111) write$RDMA_USER_CM_CMD_JOIN_MCAST(0xffffffffffffffff, &(0x7f0000000700)={0x16, 0x98, 0xfa00, {&(0x7f00000002c0)={0xffffffffffffffff}, 0x1, 0xffffffffffffffff, 0x3c, 0x0, @in={0x2, 0x4e20}}}, 0xa0) write$RDMA_USER_CM_CMD_LEAVE_MCAST(r7, &(0x7f0000000380)={0x11, 0x10, 0xfa00, {&(0x7f0000000180), r8}}, 0x18) symlinkat(&(0x7f0000000540)='./file0\x00', r6, &(0x7f00000005c0)='./file0\x00') 21:37:29 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xc0f8}, 'syz0\x00'}) 21:37:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x700000000000000, 0x0, &(0x7f0000000400)}) 21:37:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x3400000000000000, [0x40000003]}) 21:37:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xdb01000000000000]}) [ 678.991337] input: syz1 as /devices/virtual/input/input1913 [ 679.019597] binder_alloc_mmap_handler: 6 callbacks suppressed [ 679.019615] binder_alloc: binder_alloc_mmap_handler: 5441 20001000-20004000 already mapped failed -16 21:37:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="2c7766646e6f3da1137d1b61065a43e38690dda7d979ac5f1ef94c5eb5659ea26553cc5cc1451b815d4771ea309ab510b17d96683a51d016e2e16843a5f746408b990ace220cf832378a907d435cebbc39997b01aa105b2d62f20151a474aae02ff2a989fe7080edfe88deb7bb37882a3f44253c69ccc462bd49cbd40374403acbd1cff3e58d8ad593dc2afe0add18a66271603985c51a15c7756fce3379425a985798f94790", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2, @ANYBLOB="dbe215e880e7bcba3215ca4fcd52551f382aefb1836bae5822fcd16430f121c49c0a8f6cd7803cbc048707044eac1f6e55e80729b256c2aa9c84635eaa2ccd539657c7013e0c3caa047634acd959bd4d9017075ed183f2aa2df6f3009d7d432ca07bae3945ab70e735dbfeaa1e03c7f4fa37b4ec5daf9a84d0907e0d58ceae7b2fcc209549f1309386c3d663699fb9390294c7dcef0434228012f03799127a13a52e98a0813e56ccd211d3a2b3a65618d95ef321f9f5f9b7d5d9f34ab9ecbb9af8e2e377f3296f613b71f6d6485fd42d395791ce765d7ae48ce9c211745ef16ef63316568941f8871c160616ca7248ce52bda7fc17497d01349b2a9eef98", @ANYRESDEC=0x0, @ANYBLOB=',\x00']) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x1ffffd, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 679.063939] binder: BINDER_SET_CONTEXT_MGR already set 21:37:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x74010000]}) [ 679.093330] binder: 5441:5442 ioctl 40046207 0 returned -16 [ 679.116210] input: syz1 as /devices/virtual/input/input1914 [ 679.174369] 9pnet: Insufficient options for proto=fd [ 679.191812] 9pnet: Insufficient options for proto=fd 21:37:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x1f0001c000000000, [0x40000003]}) 21:37:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x8000000000000000, 0x0, &(0x7f0000000400)}) [ 679.217355] 9pnet: Insufficient options for proto=fd [ 679.225972] 9pnet: Insufficient options for proto=fd 21:37:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) r3 = openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x20000, 0x0) getsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(0xffffffffffffff9c, 0x84, 0x72, &(0x7f0000000180)={0x0, 0x1, 0x30}, &(0x7f00000002c0)=0xc) setsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r3, 0x84, 0x75, &(0x7f0000000380)={r4, 0x3}, 0x8) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') 21:37:29 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x100000000000000}, 'syz0\x00'}) 21:37:29 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x2000, 0x0) ioctl$DRM_IOCTL_MODESET_CTL(r3, 0x40086408, &(0x7f00000001c0)={0x7, 0x400}) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) setns(r3, 0x40000000) ioctl$KVM_RUN(r2, 0xae80, 0x0) sync() fstat(r2, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) r5 = socket$alg(0x26, 0x5, 0x0) ioctl$sock_FIOGETOWN(r5, 0x8903, &(0x7f0000000540)) fstat(r2, &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0, 0x0}, &(0x7f0000000340)=0xc) r8 = getgid() fsetxattr$system_posix_acl(r0, &(0x7f0000000200)='system.posix_acl_default\x00', &(0x7f00000004c0)={{}, {0x1, 0x4}, [{0x2, 0x1, r4}], {0x4, 0x6}, [{0x8, 0x1, r6}, {0x8, 0x1, r7}, {0x8, 0x3, r8}], {}, {0x20, 0x5}}, 0x44, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 679.339130] binder_translate_handle: 5 callbacks suppressed [ 679.339141] binder: 5479:5480 got transaction with invalid handle, 0 21:37:29 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3b]}) 21:37:29 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc200000000000000, [0x40000003]}) [ 679.419791] input: syz1 as /devices/virtual/input/input1915 [ 679.438443] binder_alloc: binder_alloc_mmap_handler: 5479 20001000-20004000 already mapped failed -16 [ 679.507118] input: syz1 as /devices/virtual/input/input1916 [ 679.508452] binder: BINDER_SET_CONTEXT_MGR already set [ 679.557794] binder: 5479:5480 ioctl 40046207 0 returned -16 21:37:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x6c00000000000000, 0x0, &(0x7f0000000400)}) 21:37:29 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="230000006f010002000000000000000000000000000006001a7d3fe20000000000000039d04b06ed937107e3b710b4ba854aeb1d9b10bcc920d4ff2b008ccfe27f3a95203d70af327d118756b812b84baef92148af53726df2809ecec8c194836b6c01460042c47b27e61b78efcbe6fba0a083a93058cbda1512e23df55f780507a3cddf738b2773c428e4fe37a4f56f3864a0ff74ec719a36a5650b298fafc8865689b3f43e8cb0dac34bbb9820b5a1c60a00a56b6bcc5f71e1224cb9ba65a0c6823d121f6e4c9c582617a7bdd41c2c91c1e646bc1bd2cdc33e94fba0770000002355dd33bda234ee143915a4a47981ff367a8403e55cfcff54a5e82e7c164f1d7b5ca84d5d1c9201a1c057e809677014c78e"], 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)=ANY=[@ANYBLOB="2a000000290000000000000000ca64a00002a85988ca75cae7cf50000000000007002e2f66696c663000"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:30 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) rt_sigpending(&(0x7f0000000140), 0x8) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4d564b]}) 21:37:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x24d564b00000000, [0x40000003]}) [ 679.713671] binder: 5511:5512 got transaction with invalid handle, 0 21:37:30 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe0f80000}, 'syz0\x00'}) [ 679.767807] binder_alloc: binder_alloc_mmap_handler: 5511 20001000-20004000 already mapped failed -16 [ 679.811859] binder: BINDER_SET_CONTEXT_MGR already set [ 679.848700] binder: 5511:5512 ioctl 40046207 0 returned -16 21:37:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x201c0, [0x40000003]}) 21:37:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x6c00, 0x0, &(0x7f0000000400)}) [ 679.906087] input: syz1 as /devices/virtual/input/input1917 [ 679.939661] input: syz1 as /devices/virtual/input/input1918 21:37:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) r3 = openat$audio(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio\x00', 0x40001, 0x0) setsockopt$netlink_NETLINK_PKTINFO(r3, 0x10e, 0x3, &(0x7f0000000180)=0x2, 0x4) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) bpf$OBJ_PIN_MAP(0x6, &(0x7f0000000380)={&(0x7f00000002c0)='./file0\x00', r3}, 0x10) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x4}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') 21:37:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x187]}) 21:37:30 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed19ffff000000000000"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x10) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f00000001c0), &(0x7f0000000200)=0xc) r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) setsockopt$IP_VS_SO_SET_FLUSH(r1, 0x0, 0x485, 0x0, 0x0) ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r2, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 680.032619] binder: 5541:5544 got transaction with invalid handle, 0 [ 680.066923] binder_transaction: 17 callbacks suppressed [ 680.066944] binder: 5541:5544 transaction failed 29201/-22, size 24-8 line 3062 [ 680.091716] binder_alloc: binder_alloc_mmap_handler: 5541 20001000-20004000 already mapped failed -16 [ 680.109188] binder: BINDER_SET_CONTEXT_MGR already set [ 680.123733] binder: 5541:5544 ioctl 40046207 0 returned -16 21:37:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x100001c0, [0x40000003]}) 21:37:30 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xa0008000}, 'syz0\x00'}) [ 680.145151] binder: 5541:5553 transaction failed 29189/-3, size 24-8 line 2970 21:37:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x199]}) 21:37:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x6000, 0x0, &(0x7f0000000400)}) 21:37:30 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f0000000080)='./file0\x00') [ 680.306087] input: syz1 as /devices/virtual/input/input1919 [ 680.345155] binder: 5572:5574 got transaction with invalid handle, 0 [ 680.368129] binder: 5572:5574 transaction failed 29201/-22, size 24-8 line 3062 [ 680.388954] binder_alloc: binder_alloc_mmap_handler: 5572 20001000-20004000 already mapped failed -16 [ 680.401190] binder: BINDER_SET_CONTEXT_MGR already set [ 680.407014] binder: 5572:5574 ioctl 40046207 0 returned -16 21:37:30 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0000082, [0x40000003]}) [ 680.413060] binder_alloc_new_buf_locked: 3 callbacks suppressed [ 680.413075] binder_alloc: 5572: binder_alloc_buf, no vma [ 680.419699] binder: 5572:5577 transaction failed 29189/-3, size 24-8 line 2970 [ 680.434582] input: syz1 as /devices/virtual/input/input1920 21:37:30 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x20100c000000000]}) 21:37:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x1200, 0x0, &(0x7f0000000400)}) 21:37:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xd004000000000000]}) [ 680.628588] binder: 5587:5590 got transaction with invalid handle, 0 [ 680.642045] binder: 5587:5590 transaction failed 29201/-22, size 24-8 line 3062 21:37:31 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xe4f80000}, 'syz0\x00'}) [ 680.672985] binder_alloc: binder_alloc_mmap_handler: 5587 20001000-20004000 already mapped failed -16 21:37:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x4b564d04, [0x40000003]}) [ 680.785644] binder: BINDER_SET_CONTEXT_MGR already set [ 680.792440] binder_alloc: 5587: binder_alloc_buf, no vma [ 680.802581] input: syz1 as /devices/virtual/input/input1921 [ 680.813313] binder: 5587:5590 ioctl 40046207 0 returned -16 [ 680.832418] binder: 5587:5593 transaction failed 29189/-3, size 24-8 line 2970 [ 680.851553] input: syz1 as /devices/virtual/input/input1922 21:37:31 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) setxattr$trusted_overlay_opaque(&(0x7f0000000140)='./file0\x00', &(0x7f00000001c0)='trusted.overlay.opaque\x00', &(0x7f0000000200)='y\x00', 0x2, 0x1) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = syz_open_dev$sndctrl(&(0x7f0000000000)='/dev/snd/controlC#\x00', 0x0, 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000040), 0xffffffffffffffff) r2 = getpid() sched_setscheduler(r2, 0x5, &(0x7f0000000200)) ioctl$EXT4_IOC_PRECACHE_EXTENTS(r1, 0xc0405519) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r4, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r3}, 0x2c, {'wfdno', 0x3d, r4}}) write$P9_RREADDIR(r4, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r4, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r4, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r4, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r4, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r4, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="7472616e733d66642c7266646e6f3d5804635761706d58d16f0d3deb2ca679782974a05fa46d60264dd02780dc3b7891fd1b508d32147b34f9a856fe8aa72dff34748d9cd5f530c1e43789f557fc0eb0b7dd4199ceb684176507628405e0ea77d67fd958311fb38ececa026212d5cba974c3c299047a60ca8a65f9759d6b34817372c0a5ebe5bf49bc6f328769a4b0f22d04e32e2a0ae5d5b3a518dee2a41b1e75601342e1d769b125fa786ba7fa", @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4, @ANYBLOB=',access=', @ANYRESDEC=0x0, @ANYBLOB=',\x00']) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') 21:37:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1c000000000]}) 21:37:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0xa000000, 0x0, &(0x7f0000000400)}) 21:37:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x47f, [0x40000003]}) [ 681.007700] binder: 5616:5619 got transaction with invalid handle, 0 21:37:31 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x20000000}, 'syz0\x00'}) [ 681.049404] binder: 5616:5619 transaction failed 29201/-22, size 24-8 line 3062 [ 681.084653] binder_alloc: binder_alloc_mmap_handler: 5616 20001000-20004000 already mapped failed -16 21:37:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x174, [0x40000003]}) 21:37:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r3 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x200000, 0x0) getsockopt$inet_sctp_SCTP_ASSOCINFO(0xffffffffffffff9c, 0x84, 0x1, &(0x7f0000000180)={0x0, 0x4, 0x0, 0x8ba0, 0x5, 0x2}, &(0x7f00000002c0)=0x14) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r3, 0x84, 0x6d, &(0x7f0000000700)={r4, 0xbf, "b7c62ff147713f90ca89e0911ae1dc0ce836d976c81a3d63f23a236c7fbe1274aad3ec70b959854f487eec594b639a25eb953eece8fc08d228471afbd3a5f82a7f8373098bc687f9e2421c5fdd8fdcb4a6d8a319f8dffbf3fae091a033e9790d6f2cd626f06118a41f83643a6ad27f257e90486320a0833aa7a6f5787cea4525909095b11a84bdc8b39b4de787e230e6a1d286e23223ce91cafcf568b92fdc78b8a8fddeb70f5abc2611d4470b38a1d15ff9fa0ec949bc5863a45299f963f9"}, &(0x7f0000000380)=0xc7) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 681.104804] binder: BINDER_SET_CONTEXT_MGR already set [ 681.116404] binder: 5616:5619 ioctl 40046207 0 returned -16 [ 681.121427] binder_alloc: 5616: binder_alloc_buf, no vma 21:37:31 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x44d564b]}) [ 681.166188] binder: 5616:5626 transaction failed 29189/-3, size 24-8 line 2970 21:37:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x48000000, 0x0, &(0x7f0000000400)}) [ 681.285668] input: syz1 as /devices/virtual/input/input1923 [ 681.323949] binder: 5641:5643 got transaction with invalid handle, 0 [ 681.338076] input: syz1 as /devices/virtual/input/input1924 21:37:31 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x820000c000000000, [0x40000003]}) 21:37:31 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000080)=ANY=[@ANYBLOB="0000000000000000ffff0100000000000000ce4f26c7b4f059"], 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 681.382769] binder: 5641:5643 transaction failed 29201/-22, size 24-8 line 3062 [ 681.441115] binder_alloc: binder_alloc_mmap_handler: 5641 20001000-20004000 already mapped failed -16 [ 681.454721] binder: BINDER_SET_CONTEXT_MGR already set [ 681.474109] binder: 5641:5643 ioctl 40046207 0 returned -16 21:37:32 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x91040000]}) 21:37:32 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xd5f8}, 'syz0\x00'}) 21:37:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x3000000, 0x0, &(0x7f0000000400)}) 21:37:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x8701, [0x40000003]}) 21:37:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x216, 0x4d, 0x1}, 0x7) mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 682.255548] binder: 5666:5676 got transaction with invalid handle, 0 [ 682.273819] input: syz1 as /devices/virtual/input/input1925 21:37:32 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400201) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f0000000940)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB="2c0400640347fd349756c7b0a80f78f3f80f50c5964a64b562e755fcdd781b7f6f57a1a7462ecb550b1321810579c142b1975f71aad02e66b2d1c16ffb6daa10d0d32c2cf12d82bc3ce852aadff572ce1ba30f10050e36f9c1692c6094433a5da476f815c8bb1d05efc40d3324a856516964526f6374fe7fa07d96815186da2e11338409ca85e89eda7fa2", @ANYRESHEX=r2, @ANYBLOB=',\x00']) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) r3 = add_key$user(&(0x7f0000000080)='user\x00', &(0x7f0000000180)={'syz', 0x1}, &(0x7f0000000700)="313081bd8427466d287ebe9a1c6758d6939e85719fe3bc4cae929fde3cbfca3945957c954a0644a286861e4517a05f35255a79421768e9ab252c247787c891cb42ed7d500055a10ccd2ab320d06a18db8fb386b7de66d99b61f8414599693814154561d5cc2e3830ae75bfc93069f55604d1a9798d3468ad6757cad7c8b189a5065756775e02714d4f9c42db7bd272529418526da588596f3c971938d113ca580fba391d1d33499b652024db6267f3a61c128e570a48c668c25054a5c626", 0xbe, 0xfffffffffffffff8) r4 = request_key(&(0x7f00000002c0)='pkcs7_test\x00', &(0x7f0000000380)={'syz', 0x3}, &(0x7f0000000400)='rfdno', 0x0) keyctl$negate(0xd, r3, 0x1ff, r4) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r5 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r5, &(0x7f00000005c0)='./file0\x00') [ 682.303255] binder: 5666:5676 transaction failed 29201/-22, size 24-8 line 3062 [ 682.340000] binder_alloc: binder_alloc_mmap_handler: 5666 20001000-20004000 already mapped failed -16 21:37:32 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x174]}) [ 682.372413] binder: BINDER_SET_CONTEXT_MGR already set [ 682.378048] binder_alloc: 5666: binder_alloc_buf, no vma [ 682.391428] input: syz1 as /devices/virtual/input/input1926 [ 682.396852] binder: 5666:5676 ioctl 40046207 0 returned -16 21:37:32 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x9801, [0x40000003]}) [ 682.482132] 9pnet: Insufficient options for proto=fd 21:37:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x4c000000, 0x0, &(0x7f0000000400)}) [ 682.528789] 9pnet: Insufficient options for proto=fd [ 682.564007] binder: 5704:5705 got transaction with invalid handle, 0 [ 682.580221] binder_alloc: binder_alloc_mmap_handler: 5704 20001000-20004000 already mapped failed -16 21:37:32 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8c1}, 'syz0\x00'}) 21:37:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) write$P9_RREADDIR(r3, &(0x7f0000000480)=ANY=[@ANYBLOB="2a0000002901000000000000000000000000000000000020020007f42d2f66696c6530"], 0x2a) write$P9_RGETATTR(r3, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r3, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r3, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r3, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) r4 = getpid() ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000000180)=0x0) kcmp(r4, r5, 0x0, r0, r2) stat(&(0x7f0000000080)='./file0\x00', &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) write$P9_RGETATTR(r3, &(0x7f0000000640)={0x1e, 0x19, 0x0, {0x1140, {}, 0x0, 0x0, r6}}, 0xffffffffffffffef) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@access_uid={'access'}}]}}) r7 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r7, &(0x7f00000005c0)='./file0\x00') [ 682.613686] binder: BINDER_SET_CONTEXT_MGR already set [ 682.623433] binder: 5704:5705 ioctl 40046207 0 returned -16 [ 682.639119] binder_alloc: 5704: binder_alloc_buf, no vma 21:37:33 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f00000001c0)=ANY=[@ANYBLOB="0400ed19ce0c62fc1e22548ff87da93d5a7691b027cf20a65e37f5ce76da9b34389d5c4d29aec300994311d3b969bcc6000000000000000000000000000000000000"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3a00]}) 21:37:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x3b00, [0x40000003]}) [ 682.720054] input: syz1 as /devices/virtual/input/input1927 21:37:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x7a00000000000000, 0x0, &(0x7f0000000400)}) [ 682.801533] input: syz1 as /devices/virtual/input/input1928 21:37:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) r3 = syz_open_procfs(0x0, &(0x7f0000000080)='net/protocols\x00') ioctl$KDDELIO(r3, 0x4b35, 0x3) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) ioctl$TIOCEXCL(r3, 0x540c) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000002c0)='./file0\x00') 21:37:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x3b00]}) 21:37:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x40000108, [0x40000003]}) [ 682.930827] binder: 5732:5734 got transaction with invalid handle, 0 [ 682.975663] binder_alloc: 5732: binder_alloc_buf, no vma [ 682.979320] binder: BINDER_SET_CONTEXT_MGR already set [ 683.014213] binder: 5732:5734 ioctl 40046207 0 returned -16 21:37:33 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xf8df}, 'syz0\x00'}) 21:37:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x2000000000000000, 0x0, &(0x7f0000000400)}) 21:37:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) write$P9_RREADDIR(r0, &(0x7f0000000080)={0x30, 0x29, 0x1, {0x2, [{{0xc, 0x1, 0x4}, 0xf7, 0x101, 0xd, './file0/file0'}]}}, 0x30) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:33 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=@ng={0x4, 0x0, "ed19ce0c62fc3e41548f"}, 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) r3 = syz_open_dev$usbmon(&(0x7f0000000140)='/dev/usbmon#\x00', 0x3, 0x4001) accept4$llc(r3, &(0x7f0000000240)={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000000300)=0x10, 0x800) r4 = fcntl$dupfd(r2, 0x406, r1) getsockopt$sock_cred(r4, 0x1, 0x11, &(0x7f0000000200)={0x0}, &(0x7f00000001c0)=0x169) ptrace$pokeuser(0x6, r5, 0xdc12, 0x9) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{0x0, 0x0, 0x40}]}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xa01]}) [ 683.157138] input: syz1 as /devices/virtual/input/input1929 21:37:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x410101c000000000, [0x40000003]}) [ 683.231327] input: syz1 as /devices/virtual/input/input1930 [ 683.266485] binder: BINDER_SET_CONTEXT_MGR already set [ 683.324571] binder: 5755:5760 ioctl 40046207 0 returned -16 21:37:33 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x4d0]}) 21:37:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x4000000, 0x0, &(0x7f0000000400)}) 21:37:33 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x8000000400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)=ANY=[@ANYBLOB="2a0000002901000000000000000000000000000007002e2f66696c653014a26bd24c6bfedd874ff85b6d"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) creat(&(0x7f0000000080)='./file0\x00', 0xc) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') 21:37:33 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x700000000000000}, 'syz0\x00'}) 21:37:33 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x80040000, [0x40000003]}) [ 683.566115] binder: BINDER_SET_CONTEXT_MGR already set [ 683.592581] binder: 5781:5786 ioctl 40046207 0 returned -16 [ 683.601531] input: syz1 as /devices/virtual/input/input1931 21:37:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1e01000000000000]}) 21:37:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xce00, [0x40000003]}) 21:37:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x700, 0x0, &(0x7f0000000400)}) [ 683.690954] input: syz1 as /devices/virtual/input/input1932 21:37:34 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000700)={0xe4, 0x29, 0x1, {0x4, [{{0x2, 0x2, 0x8}, 0x1, 0x4, 0x7, './file0'}, {{0x10, 0x1, 0x2}, 0x4, 0x8, 0x7, './file0'}, {{0x9, 0x2}, 0x1, 0x3, 0x7, './file0'}, {{0x1}, 0x0, 0x100000001, 0x7, './file0'}, {{0x18, 0x2, 0x2}, 0x7, 0x7fff, 0x7, './file0'}, {{0xb1, 0x4, 0x6}, 0x3, 0x3, 0x7, './file0'}, {{0x7, 0x4, 0x3}, 0x7, 0x4, 0x7, './file0'}]}}, 0xe4) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r3 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r3, &(0x7f00000005c0)='./file0\x00') [ 683.804391] binder: BINDER_SET_CONTEXT_MGR already set [ 683.835044] binder: 5800:5801 ioctl 40046207 0 returned -16 21:37:34 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400ed191f0462fc3e41548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0xfffffffffffffffe) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x3}) r3 = fcntl$dupfd(r0, 0x406, r2) setsockopt$IP_VS_SO_SET_ZERO(r3, 0x0, 0x48f, &(0x7f0000000440)={0x2f, @broadcast, 0x4e23, 0x2, 'wrr\x00', 0x20, 0xff, 0x21}, 0x2c) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r3, 0x84, 0xc, &(0x7f0000000140)=0xa9a9, 0x4) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_GET_MSRS(r3, 0xc008ae88, &(0x7f00000001c0)={0x3, 0x0, [{}, {}, {}]}) ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(r3, 0xc08c5336, &(0x7f00000002c0)={0x0, 0x4, 0x8, 'queue0\x00', 0x80000001}) ioctl$KVM_RUN(r2, 0xae80, 0x0) getsockopt$inet_mreq(r3, 0x0, 0x20, &(0x7f0000000200)={@rand_addr, @dev}, &(0x7f0000000240)=0x8) 21:37:34 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0x60000000}, 'syz0\x00'}) 21:37:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0xffffffff00000000, 0x0, &(0x7f0000000400)}) 21:37:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc0010007, [0x40000003]}) 21:37:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x1700000000000000]}) 21:37:34 executing program 2: socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RUNLINKAT(r2, &(0x7f0000000040)={0x7}, 0x7) mkdir(&(0x7f0000000300)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000340)='9p\x00', 0x0, &(0x7f00000001c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) write$P9_RREADDIR(r2, &(0x7f0000000480)={0x2a, 0x29, 0x1, {0x0, [{{}, 0x0, 0x0, 0x7, './file0'}]}}, 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000200)={0xa0, 0x19, 0x1}, 0xa0) write$P9_RWALK(r2, &(0x7f0000000140)={0x23, 0x6f, 0x1, {0x2, [{}, {}]}}, 0x23) write$P9_RREADDIR(r2, &(0x7f00000003c0)={0xb, 0x29, 0x1}, 0xb) write$P9_RREADDIR(r2, &(0x7f0000000600)=ANY=[@ANYBLOB="000400003901000000000000000000000000e42a60a26dd207600000000000000007002e2f66696c6530"], 0x2a) write$P9_RGETATTR(r2, &(0x7f0000000640)={0xa0, 0x19, 0x0, {0x1140}}, 0xa0) pipe2(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80000) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x2400, 0x5e3b) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000900)='9p\x00', 0x0, &(0x7f0000000840)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@access_uid={'access'}}]}}) r4 = open$dir(&(0x7f0000000580)='./file0\x00', 0x200000, 0x0) symlinkat(&(0x7f0000000540)='./file0\x00', r4, &(0x7f00000005c0)='./file0\x00') [ 684.137052] input: syz1 as /devices/virtual/input/input1933 [ 684.156168] binder_alloc_mmap_handler: 4 callbacks suppressed [ 684.156186] binder_alloc: binder_alloc_mmap_handler: 5822 20001000-20004000 already mapped failed -16 [ 684.184199] binder: BINDER_SET_CONTEXT_MGR already set [ 684.201117] binder: 5822:5830 ioctl 40046207 0 returned -16 [ 684.215645] binder_alloc: 5822: binder_alloc_buf, no vma [ 684.225976] input: syz1 as /devices/virtual/input/input1934 21:37:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0xc100000000000000, [0x40000003]}) 21:37:34 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x2c00000000000000]}) 21:37:34 executing program 1: setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.evm\x00', &(0x7f0000000100)=ANY=[@ANYBLOB="0400be19ce0c62fc3e41548f"], 0xc, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text16={0x10, &(0x7f00000003c0)="0f20d86635080000000f22d866b80500000066b9060d20500f01c1ba6100b01aeed9a6390b0f0174170f009a0050670f01caba610066b80010000066ef260f22276766c74424004edeac976766c74424022c0000006766c744240600000000670f011424", 0x64}], 0x1, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_CREATE_PIT2(r1, 0x4040ae77, &(0x7f0000000180)={0x5}) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)) ioctl$KVM_RUN(r2, 0xae80, 0x0) 21:37:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0x1000000, 0x0, &(0x7f0000000400)}) 21:37:34 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xdcf80000}, 'syz0\x00'}) 21:37:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x10100c000000000, [0x40000003]}) [ 684.430485] binder_translate_handle: 4 callbacks suppressed [ 684.430508] binder: 5850:5851 got transaction with invalid handle, 0 [ 684.507472] binder_alloc: binder_alloc_mmap_handler: 5850 20001000-20004000 already mapped failed -16 [ 684.520040] input: syz1 as /devices/virtual/input/input1935 [ 684.543190] input: syz1 as /devices/virtual/input/input1936 [ 684.550712] binder: BINDER_SET_CONTEXT_MGR already set 21:37:34 executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x79010000, [0x40000003]}) 21:37:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0x8010040]}) [ 684.569804] binder: 5850:5851 ioctl 40046207 0 returned -16 [ 684.590877] binder_alloc: 5850: binder_alloc_buf, no vma 21:37:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000280)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000040)=[@flat={0x77682a85}], &(0x7f0000000080)=[0x0]}}], 0xfdfdffff, 0x0, &(0x7f0000000400)}) 21:37:35 executing program 5: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0) write$uinput_user_dev(r0, &(0x7f0000000400)={'syz1\x00'}, 0x45c) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x2) ioctl$UI_SET_EVBIT(r0, 0x40045564, 0x1) ioctl$UI_DEV_SETUP(r0, 0x5501, &(0x7f0000000300)={{0x0, 0x0, 0xffffffff00000000}, 'syz0\x00'}) 21:37:35 executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0xc008ae88, &(0x7f0000000380)={0x7b, 0x0, [0x400000b7, 0x0, 0xc0000100]}) [ 684.796965] binder: 5876:5878 got transaction with invalid handle, 0 [ 684.823298] input: syz1 as /devices/virtual/input/input1937 [ 684.845135] binder_alloc: binder_alloc_mmap_handler: 5876 20001000-20004000 already mapped failed -16 [ 684.873311] input: syz1 as /devices/virtual/input/input1938 [ 684.887890] binder: BINDER_SET_CONTEXT_MGR already set [ 684.920918] binder: 5876:5878 ioctl 40046207 0 returned -16 [ 684.931449] binder_alloc: 5876: binder_alloc_buf, no vma [ 842.905597] INFO: task syz-executor2:5892 blocked for more than 140 seconds. [ 842.912920] Not tainted 4.19.0-rc8+ #63 [ 842.917508] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 842.925513] syz-executor2 D25400 5892 5397 0x00000004 [ 842.931194] Call Trace: [ 842.933783] __schedule+0x86c/0x1ed0 [ 842.937701] ? __sched_text_start+0x8/0x8 [ 842.941869] ? mark_held_locks+0x130/0x130 [ 842.946227] ? graph_lock+0x170/0x170 [ 842.951234] ? print_usage_bug+0xc0/0xc0 [ 842.955290] ? __fget+0x4aa/0x740 [ 842.958829] ? lock_downgrade+0x900/0x900 [ 842.962987] ? check_preemption_disabled+0x48/0x200 [ 842.968073] ? find_held_lock+0x36/0x1c0 [ 842.972157] schedule+0xfe/0x460 [ 842.975620] ? __schedule+0x1ed0/0x1ed0 [ 842.979618] ? lockdep_hardirqs_on+0x421/0x5c0 [ 842.984196] ? trace_hardirqs_on+0xbd/0x310 [ 842.988579] ? kasan_check_read+0x11/0x20 [ 842.992746] ? __rwsem_down_write_failed_common+0x8db/0x1670 [ 842.998601] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 843.004059] ? kasan_check_write+0x14/0x20 [ 843.008366] ? do_raw_spin_lock+0xc1/0x200 [ 843.013048] __rwsem_down_write_failed_common+0xbb9/0x1670 [ 843.018753] ? find_held_lock+0x36/0x1c0 [ 843.022824] ? rwsem_spin_on_owner+0xa30/0xa30 [ 843.027465] ? __lock_acquire+0x7ec/0x4ec0 [ 843.031704] ? smk_curacc+0x7f/0xa0 [ 843.035417] ? mark_held_locks+0x130/0x130 [ 843.039677] ? rcu_bh_qs+0xc0/0xc0 [ 843.043224] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 843.048837] ? security_inode_permission+0xd2/0x100 [ 843.053857] ? inode_permission+0xb2/0x560 [ 843.058173] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 843.063833] ? link_path_walk.part.40+0xcbb/0x1530 [ 843.068830] ? pick_link+0xaf0/0xaf0 [ 843.072553] ? walk_component+0x25c0/0x25c0 [ 843.076958] ? graph_lock+0x170/0x170 [ 843.081041] ? shrink_dcache_sb+0x350/0x350 [ 843.086232] ? save_stack+0xa9/0xd0 [ 843.089876] ? lock_acquire+0x1ed/0x520 [ 843.093848] ? filename_create+0x1b2/0x5b0 [ 843.098159] ? lock_release+0x970/0x970 [ 843.102126] ? arch_local_save_flags+0x40/0x40 [ 843.106764] rwsem_down_write_failed+0xe/0x10 [ 843.111256] ? rwsem_down_write_failed+0xe/0x10 [ 843.115969] call_rwsem_down_write_failed+0x17/0x30 [ 843.120982] down_write_nested+0xa9/0x130 [ 843.125180] ? filename_create+0x1b2/0x5b0 [ 843.129512] ? _down_write_nest_lock+0x130/0x130 [ 843.134274] ? __sb_start_write+0x1b2/0x370 [ 843.138675] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 843.144227] filename_create+0x1b2/0x5b0 [ 843.148347] ? kern_path_mountpoint+0x40/0x40 [ 843.152857] ? kasan_check_read+0x11/0x20 [ 843.157067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 843.162611] ? getname_flags+0x26e/0x5a0 [ 843.166770] do_symlinkat+0xfe/0x2d0 [ 843.170481] ? do_syscall_64+0x9a/0x820 [ 843.174655] ? __ia32_sys_unlink+0x50/0x50 [ 843.179067] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 843.184538] __x64_sys_symlinkat+0x73/0xb0 [ 843.188843] do_syscall_64+0x1b9/0x820 [ 843.193046] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 843.198733] ? syscall_return_slowpath+0x5e0/0x5e0 [ 843.203686] ? trace_hardirqs_on_caller+0x310/0x310 [ 843.208772] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 843.213796] ? recalc_sigpending_tsk+0x180/0x180 [ 843.218602] ? kasan_check_write+0x14/0x20 [ 843.222855] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 843.227910] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 843.233105] RIP: 0033:0x457569 [ 843.236348] Code: 83 c4 18 c3 e8 d8 64 00 00 48 8b 04 24 48 8b 4c 24 08 48 89 01 e8 d7 2d fc ff e8 22 7a fc ff b8 02 00 00 00 48 8d 0d 2a 60 09 <01> 87 01 8b 05 22 60 09 01 83 f8 01 0f 85 8a 00 00 00 b8 01 00 00 [ 843.255355] RSP: 002b:00007f4e83f82c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010a [ 843.263397] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569 [ 843.271791] RDX: 00000000200005c0 RSI: 0000000000000009 RDI: 0000000020000540 [ 843.279100] RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000 [ 843.286414] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e83f836d4 [ 843.293697] R13: 00000000004c4848 R14: 00000000004d7ab8 R15: 00000000ffffffff [ 843.301179] [ 843.301179] Showing all locks held in the system: [ 843.307626] 1 lock held by khungtaskd/982: [ 843.311845] #0: 000000005837d5c0 (rcu_read_lock){....}, at: debug_show_all_locks+0xd0/0x424 [ 843.320544] 1 lock held by rsyslogd/5239: [ 843.324695] #0: 00000000ec430745 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200 [ 843.332800] 2 locks held by getty/5329: [ 843.336807] #0: 00000000dcd27274 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.345048] #1: 000000003cf5c0fb (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.354302] 2 locks held by getty/5330: [ 843.358306] #0: 00000000d5d567f0 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.366605] #1: 000000003b6c999b (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.375550] 2 locks held by getty/5331: [ 843.379508] #0: 000000002681521a (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.388017] #1: 000000006f8aea24 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.396961] 2 locks held by getty/5332: [ 843.401176] #0: 00000000fe43df32 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.409503] #1: 00000000b7df2691 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.418423] 2 locks held by getty/5333: [ 843.422477] #0: 0000000065ecd4de (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.430834] #1: 00000000af2484ea (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.439779] 2 locks held by getty/5334: [ 843.443743] #0: 0000000009549953 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.452134] #1: 00000000e65f9368 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.461080] 2 locks held by getty/5335: [ 843.465039] #0: 00000000695e66b4 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40 [ 843.473349] #1: 000000002632d222 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x335/0x1ce0 [ 843.482311] 2 locks held by syz-executor2/5827: [ 843.487056] #0: 00000000d68072c5 (sb_writers#18){.+.+}, at: mnt_want_write+0x3f/0xc0 [ 843.495100] #1: 000000007bca09aa (&sb->s_type->i_mutex_key#23/1){+.+.}, at: filename_create+0x1b2/0x5b0 [ 843.504844] 2 locks held by syz-executor2/5892: [ 843.509546] #0: 00000000d68072c5 (sb_writers#18){.+.+}, at: mnt_want_write+0x3f/0xc0 [ 843.517607] #1: 000000007bca09aa (&sb->s_type->i_mutex_key#23/1){+.+.}, at: filename_create+0x1b2/0x5b0 [ 843.527352] [ 843.528971] ============================================= [ 843.528971] [ 843.536071] NMI backtrace for cpu 0 [ 843.539709] CPU: 0 PID: 982 Comm: khungtaskd Not tainted 4.19.0-rc8+ #63 [ 843.546529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 843.555916] Call Trace: [ 843.558514] dump_stack+0x1c4/0x2b4 [ 843.562260] ? dump_stack_print_info.cold.2+0x52/0x52 [ 843.567637] ? check_preemption_disabled+0x48/0x200 [ 843.573746] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 843.579330] nmi_cpu_backtrace.cold.3+0x63/0xa2 [ 843.584355] ? lapic_can_unplug_cpu.cold.27+0x3f/0x3f [ 843.589638] nmi_trigger_cpumask_backtrace+0x1b3/0x1ed [ 843.595082] arch_trigger_cpumask_backtrace+0x14/0x20 [ 843.600275] watchdog+0xb3e/0x1050 [ 843.605013] ? reset_hung_task_detector+0xd0/0xd0 [ 843.609857] ? __kthread_parkme+0xce/0x1a0 [ 843.614086] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 843.619198] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 843.624300] ? lockdep_hardirqs_on+0x421/0x5c0 [ 843.628882] ? trace_hardirqs_on+0xbd/0x310 [ 843.633291] ? kasan_check_read+0x11/0x20 [ 843.637454] ? __kthread_parkme+0xce/0x1a0 [ 843.641687] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 843.647128] ? kasan_check_write+0x14/0x20 [ 843.651352] ? do_raw_spin_lock+0xc1/0x200 [ 843.655580] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 843.661164] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 843.666964] ? __kthread_parkme+0xfb/0x1a0 [ 843.671703] kthread+0x35a/0x420 [ 843.675066] ? reset_hung_task_detector+0xd0/0xd0 [ 843.679905] ? kthread_bind+0x40/0x40 [ 843.683751] ret_from_fork+0x3a/0x50 [ 843.687660] Sending NMI from CPU 0 to CPUs 1: [ 843.692242] NMI backtrace for cpu 1 skipped: idling at native_safe_halt+0x6/0x10 [ 843.693281] Kernel panic - not syncing: hung_task: blocked tasks [ 843.705933] CPU: 0 PID: 982 Comm: khungtaskd Not tainted 4.19.0-rc8+ #63 [ 843.712755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 843.722099] Call Trace: [ 843.724696] dump_stack+0x1c4/0x2b4 [ 843.728315] ? dump_stack_print_info.cold.2+0x52/0x52 [ 843.733612] panic+0x238/0x4e7 [ 843.736796] ? add_taint.cold.5+0x16/0x16 [ 843.740934] ? nmi_trigger_cpumask_backtrace+0x16a/0x1ed [ 843.746368] ? nmi_trigger_cpumask_backtrace+0x1c4/0x1ed [ 843.751908] ? nmi_trigger_cpumask_backtrace+0x173/0x1ed [ 843.757348] ? nmi_trigger_cpumask_backtrace+0x16a/0x1ed [ 843.762791] watchdog+0xb4f/0x1050 [ 843.766325] ? reset_hung_task_detector+0xd0/0xd0 [ 843.771155] ? __kthread_parkme+0xce/0x1a0 [ 843.775385] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 843.780588] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 843.785694] ? lockdep_hardirqs_on+0x421/0x5c0 [ 843.790268] ? trace_hardirqs_on+0xbd/0x310 [ 843.794576] ? kasan_check_read+0x11/0x20 [ 843.798714] ? __kthread_parkme+0xce/0x1a0 [ 843.802938] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 843.808374] ? kasan_check_write+0x14/0x20 [ 843.812597] ? do_raw_spin_lock+0xc1/0x200 [ 843.816822] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 843.821913] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 843.827511] ? __kthread_parkme+0xfb/0x1a0 [ 843.831742] kthread+0x35a/0x420 [ 843.835288] ? reset_hung_task_detector+0xd0/0xd0 [ 843.840231] ? kthread_bind+0x40/0x40 [ 843.844024] ret_from_fork+0x3a/0x50 [ 843.848689] Kernel Offset: disabled [ 843.852647] Rebooting in 86400 seconds..