00)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5334, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00'})

16:09:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x20, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0})

16:09:51 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x5451, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:51 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:51 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x500)

[  579.994754][T21717] binder: 21707:21717 unknown command 0
[  580.030578][T21717] binder: 21707:21717 ioctl c0306201 20000000 returned -22
16:09:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc0a85320, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00'})

[  580.042137][T21723] binder: 21709:21723 ioctl c018620b 0 returned -14
[  580.100945][T21730] binder_alloc: 21710: binder_alloc_buf, no vma
[  580.112150][T21723] binder: BINDER_SET_CONTEXT_MGR already set
[  580.131662][T21713] binder: 21710:21713 Release 1 refcount change on invalid ref 1 ret -22
16:09:51 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x8a, 0x400)
ioctl$TIOCMGET(r1, 0x5415, &(0x7f00000000c0))
ioctl$VIDIOC_G_FBUF(r1, 0x8030560a, &(0x7f0000000040)={0x80, 0x544f34797d6f3a94, &(0x7f0000000480)="87b4bc33244227a450e4dfd7b77601b4cf8336c15b364d47a75fab83fd49ac400c31833d4d3fd95adeedaab7c13592690784387dab843a0229830372b764fc7eae0697d04146bfc22c3146371a282da9d62e46c079d03ed7b20b0d737e6c9ae011dc867717a77ad3215e02bddeb51252967663b52fd3a30d9b8714215de4add25e23bfea3802cce0fbf374d583497ac34b3071d26e055a28aa7de62696ae9108ed025c1fd96910e1a3bc982e5e83da474dc237be165b38307ff3af55774636a17c92e0dbcaf704ca96bed412ac467a48108e96d0b376ad493a80f50eabd702af519ffd4b6dbcef2a0a1bd5db26a09f4bfb345a1c0245a2f79cc91f037c5469ca8861be753dafff775b5dabfd31b7ff1da0e8e83a979a8ba1bedf399ae53c825653483e3c66b22650f6154fb158372bcc759b1e7deca896b9e0489e3739c4381761eedb04610d2aa2e75151ff1db11389200bcffe1e4c123df8c1035a4e79c577e9dfd125d01cac766c647466f934c640af9c5b80684b0b83b206d4e154ade9f2609dec3c4a29345b52a4479777b002093f742da2ad5fa686bf8087292d5864c57c1702b41fff1878b6df211f8e3db30709988310077ad5d3b547427bf16358c6c30cf3fee0be608a9ed1db0ff6d2c5474b8921bbeb9c86ea15ea2d284013173c44853dbf6940fe5bffd5a73774664c43f8d14dcd3adec297f79d785dc68f435f6e26ae794c3ce42df71c670c2adc602a1451c273439ed18beb29455cb89618c4e200f45c6cb0278327f8bebea0a36d202f2336361d022b24620e93bb5c333d22348b83218a6383a6d1e7856a167a19fbea55e08f3ae8072a383dcafa779c889b3edc3ef34046f06221d798bad0502d94fb1fa02c5b1e6454d518e771afa574d37133daa9c042a5e9715dbe9517e616f077981a98c1842b5ddf5517fffc742fb00fd6446fe96d22d2b706b8a1525a023bf3c3d77b855ed6cb83c4529f8c291dc4e38f109bb8824df631b705203103b5ef3d27c223d284ccfc11b2f339f4a3a5236a0a7459beb87c82de8abfb072bad7636db558abc4c369a9d8e5fc3ee5056e3a4655f026364ac0655490cbd6e1a1d79021a5e4c5d5846d6421a771df52607ddcbdf42d8c6a47686749c03bf1a332df285279d1a7d21af961031d076a96a353bfbf2d6fa4f30d2d353f38eaba5cfc7f38568ea786662c5b1f6ff0eb01be8044a25da8cb1e3e39606388e33afbb276b929832617d68ecce8ae425b727df653a781dc395b06df826f5a6a24c93fa9da71ea6e90b1c65256fb86320f94f85a4ffe78de539d7ba6eb2612af305434b00ffe4fbbdfd563bcfcaa1b93ba60071b17d2ec1ac4e8a89832d4432ff82b4bd35369cd603f1079e6c30500fd069959ce1af6158c2a630c4c06df1ea059496be9f6ade49898ad22b9643e3c0365b4ec09d67f537a6f6a77abdd3b1f88f9058b7b980d78d3c965f7a10c1d75ad960bbd393a689b9d15a4c584360f0c36fcb667b118a8c966deb01829f1327e5177e87b05ba6e24ad90393ae8d175f936ab547bd0e2e64b900cfaa983b5a425d3b895b14a9f5bed5e0507f3c34b5a523bd7fc15de1eaa58f3201c0ebd10c54b8ccd40f392ca3a9c2978828486b54f0fa7001913216373d7a4137079080ba6d269fde02673e6fca575f2b13c29d5fccc6eb87aab72744be8cebfe3d863ae165f4f7a2bccd139ab3c2cfad216aaac5eccf32c75305749accd0bbbf144c6fc87a95b1769daf14826db013ae8d0bb8cad775ebc9bb140e40a6daea7c325917864be73b85845df19a6bcbbdd07978fdb37f642bb0706470c12731751ebf0d581a9bfe4db9992b4985df007e3641d79ef034f2db2b73dc0ef29a6c25f387649503221be2935ab0b573c13d4da386ed0a573100911285a36dc1edcda053cfefe517a4ede32e93a813f1c2ca1803331f3441af8b59f8e765321307c9243cadc7831af7bf9adb64f765cfb674d20ad865525770e0bc8bfe42572f28d16fa20549e7f16532daf6bafb67423320413b863873641e60a54b83d22f21f53331c78186885f56cbd59b9382cb716a99199dd2211c4119e428a76dd428b622e6243d060e2925ba12765aa6b84fecb890667c1d1c73657f1ce255713b56232956cb2013a27b612df87f3b4f6003f5de8c14c236910b88b13efc8ec0955dd68629b9141c4933af7cbb1a2c2221e19f82d38fff98322aac4d8b70f276de51e66bd2f185c4be17fef0056c70b8557b705b5d0266b857d296ed37b07941fa1b83bd4ab82fcf2d30fe17676bdfe3231b62f984b457de7dc3a710247e4bd65d38eb7f0f60678d43d11b9c88fc15cc8b0bbbdce9237084e13883de578b01468671e266146fd39d67888a4c885f444c49e9496a01e4f35082514794dff822a3b929dc0b33effbd3b192b5b149f9f0502dc7edf7e583b103c63c3d73144ba6f9857d7100acaada89a32d60f9e6c827d08a77c278ca6e4c8561532a203a14178cbcff7d66f9d76e1cadd6e08c1efaf4bcafab208a7871dee2b1024838197019f276a4c272ca7a42487182617da8d1a94be43001a945c6ea7eb70f206eaf726d31a6ccae604e82a44c080a95320ef21ea18b50cfa67f817e917d78ef64ebdf1784c6a6225b35d944bfdfde1e7e28bd34d74384875f7b1b3198cce0a0524327dc4453e442a46e93635536985f955dee17672fd307ebfd35a24f2c34060e77a46fe1cb7da627f2dcaae529e45aafb0fae5b20bfa332fa3b7f6c0a7beb98addaad4e7ba0bc7070a65a4e3359a062577fe9bdab7bafc961347130b07f342411b42d1658240dfb72c12318896d123fd1defa09e5f5523e5d2b7734fdc0a9e51b672b67a37b9a0a3e87c63966d62c86cfb20cf02f40f229da8355da68011e551215a7ec6ebd19053cc3003657b0059040da5139cbdf81f6b9c585c6364b29c5596503f7d749a62e7cd82ccf8a7dcc932e50a19158193754ed6caafb0bf6d89b214546349f7ae8a1661afa5211ceea6e7d4172e8798bc74ae60080fe5bb588f4d7aa78dda252a1aa1188f277adc6c5d5b7c7f4a0e25f37716246e3ba57fd2e5db165054e5b9163eeadd830a60671b341b6af86cc56d4bc9033a5994f2b7b0d192503a3cefdd8fb78de7c38713f1a5d620f6ad8df8031d055bcb523422a6dcaa3aa3c3d4e9039339fc068ac456ec139fcb4d210f6c714e1db8da9ca712b11aaf8b881f26371041bb3855b654dac8564726b0fabef0537113b288dbccf5f7b4f798651dd4882cc00a568d94091f3945c33f4b11aaac9ec9c975e77d33c991b8836d4fa49ea90a2ef8bc0666e20f80d5ac831dce30b9f537132d560a083e4bd1fd0356fc86d604fefa7f1634e75d87aff998ad190112e52838f298409256235516b067ee09952c6b3f4f28a25071682cc6381f13f3620a26c36067f30dde89fcdb0cddd9b0f0cad453c5a8c8ba33a01514e4dd3501d04678bcae7c5c2487d946801fea827d236b8f970edc7f1964d0d62efa4f9501806454df2299196c43f4a1f82948c2e1e1ec55b173ef3ea77acaf6720818bb3af4cc1b8f3731a8d9f09af222177fbd12dada176610958581c1071bca60766dd1223153615ef04c76fc9971e114c195e2790c2a882e183dcf028ffdda7f96f0f88c4329662dada09f11128b96de722c873cfd6e80e59818f5daaac5a5914cf042fdfe3e14db7389b6be1a1f2752f5c4387863a5eafb99c9a075a1144ef824260f8ad5379c92a463db677f7cf11ae32bdffce4858bf532aba60d568c5924558b8ac79d3bc6cba78505b523f4726c985e91680c6d1e80f324ebb5bb532fb006f6ff328430133a90588979a139c73939407ef98ec09f2e5e218d3166703e6427191a05efe03df706dc54c4bd5013a9a1dd6f26aa8ef5e7b1c09438a0520d749892c117d5637be5e22ad4275da0d198686da0f40afb066cca3c19311bcf0d9d0fdc727016a31a907a2a783981e8ae2a9ab35daeb1e8d14922776078927fa2d7c24f9df596018643705c6065df3a287e436bd9fc2f8d156cb861f78b34b256d40f7188f88b0b275b824f3bb6f54a413da07337633fa9666a81c8547f146135d85db4b49be9875863d766cf982aa8aca405f8be3c4aef8e2a36bd8314ad32ac3c3c9dc86ec6be0b6362767537c5d9e9a8d8f42494e685f7dd328994968ac087803ac91896af1f9a749afb633787a85686bc9dcd04318eaf296f77b611199ac274424a536421b7c3276ee077b0868d20964230be36711f2f66a9574dbcf1739832bda53f795d7def5deabfaf2e358b5eeb5e59939bec393914ae9c6e844c6285aecd6a3df76cc7a982c8eec3e2879bdef82f8d0fee0fada1f71f838f590fa0d2fdbf9c33b1f3911b7a628ebb552a9a98fbaaa4317a4b4775657227c72b6c514231397e609617beb447158262927d56c9c681125c630ff11bbcd1041042c2bfaac79b81a568b6a10856b708b4fdf10576076e302db0c671a570a196694f86052843a4fe84f155b10d2bcad5de95a044112e58b3dab5dd47a3a38c6841100d7b6b36a91bf222c2fb616b56e947aea5b2237d5473318c3c8a1b244e4b71044bd6907aacbc18923bce11539d4aef258e0ab5b590123747f9adacf5c314fdde3cefb18611dcf84b7237ead6fbaf1c61b163e020915f1d3bd67c0ed272c6755a71653b55d24d8c17dbff63c97d38060fbe039bceff4c63bcb80be5f7a446202a62b5f006113992efde3da4b8c364484ca9235a84cb2ec2ee40e978dd3b06c76bb7380f319e7bcc06edb73d5790565f14cc3de9aaaeea627b912e1b7e832ec37e518af3d993039263062a9185d7594d922b60da457af920575187fa2ade2781576d93ed4856fc25b3c24cb525cd020c4889be736baf8efab48e6b1db59db2510347f71810afd1bc55c0f4a325e2b81f366a4ea91ba9d07f31cc3965f323bb585c0feb8a7132190f2b0394fdf29b0dd39bacf87aa6735ae86371c9e85811106f9c682a46f2435870fdf5f5010f6c384cb3a816888a8a4661ded17a151d508035973238f41af9a9e5bc5b70f099ddd60dfd02c7ebf7e39f51bd967b28d34133492faa8087de0952b085647b2354e81bf6a6b7934c4236cf70040efda44e10112139c04166082a0a98105c2037639cda34fcf706136d8b2217a84016dbebf3feda9b8751ecb714dcd1df434aa0e46d47114b0a2083135692e19210b811a10966a25d430e6e99d1bebb23e86cf25cb9998cbbe2069f87ec8876610b37b2374d943d6899dbffbcea1025126342b22347f054ce6a11bda932fc44cc46ecb1743a030ad1e6151644ad5f3935d2d4902cfbe8a9496185f2f8b15fd9d59cb905af98f45d69a0d53c2fa5085c4e148ef5a32defb60fd089589fb62e1e5e3599a88d77ad585a2f134d21a68c6934da32e56bf6983eeb5965b6488e3b26124666953ee54eea49c3a34288a3fc318d8bb7deb61e2068c72a603617e0309aaa330170f669d5ea338669296e2f2f0af24be9d49ffd2c72d2ada071f75737467e9c5b02ba3a0234a652225be5ab1749e3a7a3e049140a0e98af1310dbf3889989db2942553a8d7183f10a26945ce982bfdfb570e51551a35b809d9339b8949cfc0d613a3d63710533e3f1482e03b89f5418389f528daca909a683869e975c9bb6308eb135520b7ea6595deb50acc56f5ae6d87298dd87952642c05a813dcda68abdccff6e548d3016ed4ece49f4d7139c2251dec2a1953ce7182430ebaeafccdaa9224493658ef2fe06f899f8716273df52d8cf9b4", {0x100, 0xf5, 0x7773777b, 0x9, 0x5, 0x31, 0x0, 0x7f}})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$PPPIOCCONNECT(r1, 0x4004743a, &(0x7f0000000080)=0x4)

[  580.150281][T21723] binder: 21709:21723 ioctl 40046207 0 returned -16
[  580.174565][T21721] binder: BINDER_SET_CONTEXT_MGR already set
[  580.186707][T21713] binder: 21710:21713 BC_ACQUIRE_DONE u0000000000000000 no match
[  580.188487][T21721] binder: 21716:21721 ioctl 40046207 0 returned -16
16:09:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc0a85322, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00'})

[  580.203963][T21718] binder: 21709:21718 Release 1 refcount change on invalid ref 1 ret -22
[  580.221179][T21737] binder: 21716:21737 Release 1 refcount change on invalid ref 1 ret -22
[  580.258947][T21732] binder_alloc: binder_alloc_mmap_handler: 21709 20001000-20004000 already mapped failed -16
[  580.271020][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:09:51 executing program 0:
r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x1, 0x200000)
recvfrom$inet(r0, &(0x7f0000000040)=""/9, 0x9, 0x10040, &(0x7f0000000080)={0x2, 0x4e22, @rand_addr=0x7f}, 0x10)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  580.300204][T21723] binder: 21709:21723 ioctl c018620b 0 returned -14
[  580.321578][T21732] binder: BINDER_SET_CONTEXT_MGR already set
[  580.341413][T21744] binder: 21709:21744 Release 1 refcount change on invalid ref 1 ret -22
16:09:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc0bc5310, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00'})

[  580.378728][T21732] binder: 21709:21732 ioctl 40046207 0 returned -16
16:09:51 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x5452, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  580.564001][T21761] binder: 21759:21761 ioctl c018620b 0 returned -14
[  580.624664][T21766] binder: BINDER_SET_CONTEXT_MGR already set
[  580.635841][T21766] binder: 21759:21766 ioctl 40046207 0 returned -16
16:09:52 executing program 1:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
dup(r3)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = syz_open_dev$vcsa(&(0x7f0000000040)='/dev/vcsa#\x00', 0x3, 0x1)
ioctl$IMSETDEVNAME(r1, 0x80184947, &(0x7f0000000180)={0x401, 'syz0\x00'})
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00')
sendmsg$IPVS_CMD_NEW_DEST(r1, &(0x7f0000000140)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x10008001}, 0xc, &(0x7f0000000100)={&(0x7f0000000480)={0x10c, r2, 0x210, 0x70bd2d, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_SERVICE={0x3c, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x3a}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'nq\x00'}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x1}, @IPVS_SVC_ATTR_FWMARK={0x8}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x20, 0x6}}, @IPVS_SVC_ATTR_SCHED_NAME={0xc, 0x6, 'lblcr\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, [@IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x200}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x34f1}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1f}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0xff}, @IPVS_CMD_ATTR_DAEMON={0x30, 0x3, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1_to_hsr\x00'}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x2}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x1}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x6}, @IPVS_CMD_ATTR_SERVICE={0x34, 0x1, [@IPVS_SVC_ATTR_FWMARK={0x8}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x1, 0x8}}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x21, 0x20}}, @IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x5}]}, @IPVS_CMD_ATTR_DAEMON={0xc, 0x3, [@IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @initdev={0xac, 0x1e, 0x0, 0x0}}]}]}, 0x10c}, 0x1, 0x0, 0x0, 0x80}, 0x24000000)

16:09:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x1f00, 0x200000000080, 0x0, 'queue0\x00'})

16:09:52 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xf000)

16:09:52 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x1f000000, 0x200000000080, 0x0, 'queue0\x00'})

16:09:52 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
socketpair(0xa, 0x0, 0x9, &(0x7f0000000000)={<r1=>0xffffffffffffffff})
getsockopt$TIPC_IMPORTANCE(r1, 0x10f, 0x7f, &(0x7f0000000040), &(0x7f0000000080)=0x4)
ioctl$PPPOEIOCDFWD(r1, 0xb101, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="0000980000000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$EXT4_IOC_PRECACHE_EXTENTS(r0, 0x6612)

16:09:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0xfdfdffff, 0x200000000080, 0x0, 'queue0\x00'})

[  581.010769][T21794] binder_thread_write: 4 callbacks suppressed
[  581.010782][T21794] binder: 21776:21794 BC_ACQUIRE_DONE u0000000000000000 no match
[  581.063487][T21784] binder: 21780:21784 BC_ACQUIRE_DONE u0000000000000000 no match
[  581.085314][T21799] binder: 21790:21799 ioctl 6612 0 returned -22
16:09:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0xfffffdfd, 0x200000000080, 0x0, 'queue0\x00'})

16:09:52 executing program 0:
r0 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x7ff, 0x80000)
bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000080)={r0, 0x28, &(0x7f0000000040)}, 0x10)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:09:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x1f00000000000000, 0x200000000080, 0x0, 'queue0\x00'})

[  581.327795][T21820] binder_alloc: binder_alloc_mmap_handler: 21759 20001000-20004000 already mapped failed -16
[  581.381266][T21819] binder: 21759:21819 ioctl c018620b 0 returned -14
[  581.382490][T21825] binder: BINDER_SET_CONTEXT_MGR already set
[  581.412662][T21825] binder: 21759:21825 ioctl 40046207 0 returned -16
[  581.413447][T21819] binder: 21759:21819 BC_INCREFS_DONE u0000000000000000 no match
16:09:52 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x5460, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  581.576596][T21831] binder: 21830:21831 ioctl c018620b 0 returned -14
[  581.629214][T21834] binder: BINDER_SET_CONTEXT_MGR already set
[  581.635308][T21834] binder: 21830:21834 ioctl 40046207 0 returned -16
[  581.648871][T21834] binder: 21830:21834 BC_INCREFS_DONE u0000000000000000 no match
16:09:53 executing program 1:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
timer_create(0x1, &(0x7f00000001c0)={0x0, 0x15, 0x1, @thr={&(0x7f0000000000)="e095cc1af31e795948313d17f6bc79554b17f958751713aaf9d6a1c9e9b0a73a676d08cbcd27a8485e442827b1b6e123cf9e3071f7e49a990f49e42bfee431428456ae45ca18df50101da4be70d01068e71b508930a01c41124969a5aab69d1b4a83d4d131ec625c57bc8bf427959fd75206343aeaa0daed985f4500c9a4b2b8a62b72433812e34dacf7a8f49f82cbede28ff9f36c", &(0x7f00000000c0)="e48d57206af7a6dc90a7cc995b6f90a1e34868dd221f30815867db7ded0171e94ef6ac49af9081bbb4924e3d57906884c1b852f6375a5f133e5090525a7f93f2482290af5c4314a547bf6786ef130342794d501e1a3669ae431fd1d2ade8b37733c3d18ecf9c4242e3cba8cba561bab5ce43e70239b9bcdc987b25492e86405126b4dd64cc78a9b89ddddd6749538344280c865e050cb17eefbf364470a3f8a4917b1274899e62a1699f3715778480158add0e48e0b7f4d1295675cb4f4f742ceddaa22675a0fe3b36263d992b5856e428"}}, &(0x7f0000000280)=<r1=>0x0)
r2 = syz_open_dev$sndpcmc(&(0x7f0000000540)='/dev/snd/pcmC#D#c\x00', 0xffffffff, 0x1)
ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffffff, 0xc0086420, &(0x7f0000000580)={<r3=>0x0})
ioctl$DRM_IOCTL_NEW_CTX(r2, 0x40086425, &(0x7f00000005c0)={r3, 0x2})
clock_gettime(0x0, &(0x7f00000002c0)={<r4=>0x0, <r5=>0x0})
r6 = dup3(r0, r0, 0x80000)
setsockopt$netlink_NETLINK_RX_RING(r6, 0x10e, 0x6, &(0x7f00000004c0)={0x0, 0x7, 0x5, 0x81}, 0x10)
ioctl$SG_GET_SCSI_ID(r0, 0x2276, &(0x7f0000000480))
ioctl$TIOCLINUX7(r6, 0x541c, &(0x7f0000000500)={0x7, 0x5})
timer_settime(r1, 0x1, &(0x7f0000000380)={{0x77359400}, {r4, r5+10000000}}, &(0x7f00000003c0))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0xffffffffffffffd6, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="0000000011000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

16:09:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0xfdfdffff00000000, 0x200000000080, 0x0, 'queue0\x00'})

16:09:53 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x7ffff000)

16:09:53 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  581.784881][T21842] binder: 21837:21842 ioctl 2276 20000480 returned -22
[  581.826268][T21849] binder: 21837:21849 ioctl 2276 20000480 returned -22
16:09:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x1f00, 'queue0\x00'})

[  581.900650][T21844] binder_transaction: 21 callbacks suppressed
[  581.900681][T21844] binder: 21839:21844 transaction failed 29189/-22, size 24-8 line 2903
16:09:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x5f2b491687ffb093)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
openat$dir(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x84000, 0x8)

[  581.942071][T21844] binder_thread_write: 5 callbacks suppressed
[  581.978481][T21844] binder: 21839:21844 Release 1 refcount change on invalid ref 1 ret -22
[  582.019490][T21844] binder: 21839:21844 BC_ACQUIRE_DONE u0000000000000000 no match
[  582.028398][T21851] binder: 21846:21851 transaction failed 29189/-22, size 24-8 line 2903
[  582.040405][T21851] binder: 21846:21851 Release 1 refcount change on invalid ref 1 ret -22
16:09:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x0, 0x0)
ioctl$EVIOCSABS0(r0, 0x401845c0, &(0x7f00000000c0)={0x9, 0x9, 0x7, 0x9, 0xff, 0x180000000})
ioctl$VIDIOC_SUBDEV_S_CROP(r1, 0xc038563c, &(0x7f0000000040)={0x0, 0x0, {0x7, 0x9, 0x9, 0x6}})
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080))

16:09:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x1f000000, 'queue0\x00'})

[  582.064107][T21851] binder: 21846:21851 BC_ACQUIRE_DONE u0000000000000000 no match
[  582.130348][T21870] binder: 21867:21870 transaction failed 29189/-22, size 24-8 line 2903
[  582.145471][T21870] binder: 21867:21870 ioctl 401845c0 200000c0 returned -22
[  582.168355][T21870] binder: 21867:21870 transaction failed 29189/-22, size 24-8 line 2903
16:09:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0xfdfdffff, 'queue0\x00'})

[  582.187294][T21872] binder: 21867:21872 ioctl 401845c0 200000c0 returned -22
[  582.203854][ T8164] binder_release_work: 7 callbacks suppressed
[  582.203862][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  582.223087][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:09:53 executing program 0:
r0 = syz_open_dev$binder(&(0x7f00000000c0)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x10043, 0x0)
getsockopt$IP6T_SO_GET_REVISION_MATCH(r1, 0x29, 0x44, &(0x7f0000000040)={'IDLETIMER\x00'}, &(0x7f0000000080)=0x1e)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x1, 0x3}], 0xfffffdf2, 0x0, 0x0})
write$capi20_data(r1, &(0x7f0000000180)={{0xfffffffffffffe31, 0x3, 0x200000000088, 0x82, 0x6a40, 0x8000}, 0x95, "271c6e1b5030fd21a9ae5318660aa9392a31f5295cf125b4a3ab169f6b83704952af9ecdff55bf2ae890230aafdafa8a541a746ec42dcff9101262df7bce8575a84e2f9de80f8dc3a945ad72a1983c84b7579567c6df54953881691513742eadad374054f7dddc613408ecad0696f3642090c167d11ee4518c3f9fef2a1ad0723b8fbe118ca79300000000000000000000000000008c8facb81fdf9300744f0a21d44259cf503684a2e4b63331ac2453bae79cf4bb6994986dc3e8170a0e5665389956fa702924a5a3815732ecbff48dc8"}, 0xffffffffffffff0d)

[  582.332989][T21886] binder_alloc: binder_alloc_mmap_handler: 21830 20001000-20004000 already mapped failed -16
[  582.373823][T21887] binder: 21882:21887 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
[  582.381941][T21887] binder: 21882:21887 unknown command 0
[  582.392405][T21887] binder: 21882:21887 ioctl c0306201 20000440 returned -22
[  582.399578][T21884] binder: 21830:21884 ioctl c018620b 0 returned -14
[  582.411358][T21887] binder: 21882:21887 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
[  582.418729][T21885] binder: 21830:21885 transaction failed 29189/-3, size 24-8 line 3056
[  582.425097][T21887] binder: 21882:21887 unknown command 0
[  582.439396][T21887] binder: 21882:21887 ioctl c0306201 20000440 returned -22
[  582.441657][T21886] binder: 21830:21886 BC_INCREFS_DONE u0000000000000000 no match
[  582.463164][T21834] binder: 21830:21834 Release 1 refcount change on invalid ref 1 ret -22
16:09:53 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x40046205, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  582.587710][T21896] binder: 21895:21896 ioctl c018620b 0 returned -14
[  582.646360][T21904] binder_alloc: binder_alloc_mmap_handler: 21895 20001000-20004000 already mapped failed -16
[  582.657038][T21902] binder: BINDER_SET_CONTEXT_MGR already set
[  582.663052][T21902] binder: 21895:21902 ioctl 40046207 0 returned -16
[  582.671034][T21901] binder: 21895:21901 ioctl c018620b 0 returned -14
[  582.678294][T21904] binder_alloc_new_buf_locked: 14 callbacks suppressed
[  582.678302][T21904] binder_alloc: 21895: binder_alloc_buf, no vma
16:09:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0xfdfdffff, 'queue0\x00'})

16:09:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0xfffffdfd, 'queue0\x00'})

16:09:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="00521fdeacee10000800", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

16:09:54 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xfffff000)

16:09:54 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  582.691806][T21906] binder: 21895:21906 BC_INCREFS_DONE u0000000000000000 no match
[  582.749348][T21904] binder: 21895:21904 transaction failed 29189/-3, size 24-8 line 3056
[  582.752409][T21896] binder: 21895:21896 Release 1 refcount change on invalid ref 1 ret -22
[  582.770140][T21913] binder_alloc: 21895: binder_alloc_buf, no vma
16:09:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x1f00000000000000, 'queue0\x00'})

16:09:54 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0xfdfdffff, 'queue0\x00'})

[  582.803185][T21913] binder: 21911:21913 transaction failed 29189/-3, size 24-8 line 3056
[  582.815992][ T2993] binder: release 21895:21901 transaction 3543 out, still active
[  582.826129][ T2993] binder: send failed reply for transaction 3543, target dead
16:09:54 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x40046207, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  582.879784][T21923] binder: 21908:21923 transaction failed 29189/-22, size 24-8 line 2903
[  582.892890][T21913] binder: 21911:21913 transaction failed 29189/-22, size 24-8 line 2903
[  582.892982][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  582.918428][T21923] binder: 21908:21923 Release 1 refcount change on invalid ref 1 ret -22
16:09:54 executing program 0:
r0 = socket(0x1a, 0x3, 0x5)
getsockopt$inet6_udp_int(r0, 0x11, 0x67, &(0x7f00000015c0), &(0x7f0000001600)=0x4)
r1 = socket$inet(0x2, 0x4, 0x69a)
lseek(r1, 0x0, 0x2)
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:09:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0xfdfdffff00000000, 'queue0\x00'})

16:09:54 executing program 1 (fault-call:4 fault-nth:0):
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  582.955709][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  582.987638][T21923] binder: 21908:21923 BC_ACQUIRE_DONE u0000000000000000 no match
[  583.098385][T21943] binder: 21932:21943 ioctl c018620b 0 returned -14
[  583.134210][T21942] binder: 21941:21942 transaction failed 29189/-22, size 24-8 line 2903
16:09:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x1f\x00'})

[  583.191622][T21933] binder: BINDER_SET_CONTEXT_MGR already set
16:09:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f00000002c0)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2)
ioctl$FS_IOC_GETVERSION(r1, 0x80087601, &(0x7f0000000380))
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000040)={<r2=>0xffffffffffffffff}, 0x106}}, 0x20)
write$RDMA_USER_CM_CMD_BIND(r1, &(0x7f00000000c0)={0x14, 0x88, 0xfa00, {r2, 0x30, 0x0, @ib={0x1b, 0xffffffffffffff75, 0x558, {"84c1e91a74972d0963b060d692bd3757"}, 0x1, 0x6, 0x8}}}, 0x90)
lsetxattr$trusted_overlay_redirect(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)='trusted.overlay.redirect\x00', &(0x7f0000000280)='./file0\x00', 0x8, 0x3)

[  583.239176][T21933] binder: 21932:21933 ioctl 40046207 200003c0 returned -16
[  583.248499][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  583.310367][T21951] binder_alloc: binder_alloc_mmap_handler: 21932 20001000-20004000 already mapped failed -16
16:09:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x1f\x00'})

[  583.371049][T21958] binder_alloc: 21932: binder_alloc_buf, no vma
[  583.376575][T21943] binder: 21932:21943 ioctl c018620b 0 returned -14
[  583.395301][T21958] binder_alloc: 21932: binder_alloc_buf, no vma
[  583.396346][T21933] binder: BINDER_SET_CONTEXT_MGR already set
[  583.426725][T21933] binder: 21932:21933 ioctl 40046207 0 returned -16
[  583.433890][T21951] binder: 21932:21951 BC_INCREFS_DONE u0000000000000000 no match
[  583.462278][T21933] binder: 21932:21933 Release 1 refcount change on invalid ref 1 ret -22
[  583.479481][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  583.485965][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  583.496345][T21943] binder_alloc: 21932: binder_alloc_buf, no vma
[  583.504187][T21951] binder: BINDER_SET_CONTEXT_MGR already set
[  583.512205][ T8164] binder: release 21932:21933 transaction 3552 out, still active
[  583.520686][T21951] binder: 21932:21951 ioctl 40046207 200003c0 returned -16
16:09:54 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB="0000000000001100", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

[  583.528312][ T8164] binder: send failed reply for transaction 3552, target dead
16:09:55 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xffff888085d93001)

16:09:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\xff\xff\xfd\xfd\x00'})

16:09:55 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:55 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x40046208, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  583.680067][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  583.705763][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:09:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\xfd\xfd\xff\xff\x00'})

[  583.830324][T21987] binder: 21975:21987 ioctl c018620b 0 returned -14
[  583.840038][T21986] binder_alloc: 21973: binder_alloc_buf, no vma
[  583.864085][T21990] binder_alloc: 21973: binder_alloc_buf, no vma
[  583.874283][T21986] binder: 21973:21986 Release 1 refcount change on invalid ref 1 ret -22
[  583.898622][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  583.907304][T21979] binder: BINDER_SET_CONTEXT_MGR already set
16:09:55 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x2)
r1 = msgget(0x0, 0x0)
msgctl$MSG_INFO(r1, 0xc, &(0x7f0000000040)=""/44)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  583.934394][T21979] binder: 21975:21979 ioctl 40046207 0 returned -16
[  583.980433][T21979] binder: 21975:21979 Release 1 refcount change on invalid ref 1 ret -22
[  584.076955][T21939] FAULT_INJECTION: forcing a failure.
[  584.076955][T21939] name failslab, interval 1, probability 0, space 0, times 0
[  584.095877][T21939] CPU: 0 PID: 21939 Comm: syz-executor1 Not tainted 5.0.0-rc4-next-20190130 #22
[  584.104906][T21939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  584.114965][T21939] Call Trace:
[  584.118282][T21939]  dump_stack+0x1db/0x2d0
[  584.122633][T21939]  ? dump_stack_print_info.cold+0x20/0x20
[  584.128354][T21939]  ? aa_file_perm+0x46a/0x1180
[  584.133130][T21939]  should_fail.cold+0xa/0x14
[  584.137730][T21939]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[  584.143563][T21939]  ? ___might_sleep+0x1e7/0x310
[  584.148438][T21939]  ? arch_local_save_flags+0x50/0x50
[  584.153734][T21939]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  584.159986][T21939]  __should_failslab+0x121/0x190
[  584.164937][T21939]  should_failslab+0x9/0x14
[  584.169446][T21939]  kmem_cache_alloc_trace+0x2d1/0x760
[  584.174834][T21939]  alloc_pipe_info+0x152/0x580
[  584.179608][T21939]  ? pipe_read+0x940/0x940
[  584.184024][T21939]  ? aa_path_link+0x5d0/0x5d0
[  584.188710][T21939]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[  584.194344][T21939]  ? common_file_perm+0x293/0x820
[  584.199378][T21939]  splice_direct_to_actor+0x795/0x9d0
[  584.204754][T21939]  ? ksys_dup3+0x660/0x660
[  584.209174][T21939]  ? generic_pipe_buf_nosteal+0x10/0x10
[  584.214728][T21939]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  584.220965][T21939]  ? do_splice_to+0x190/0x190
[  584.220986][T21939]  ? rw_verify_area+0x118/0x360
[  584.221005][T21939]  do_splice_direct+0x2c7/0x420
[  584.221036][T21939]  ? splice_direct_to_actor+0x9d0/0x9d0
[  584.221069][T21939]  ? rw_verify_area+0x118/0x360
[  584.245836][T21939]  do_sendfile+0x61a/0xe60
[  584.250266][T21939]  ? do_compat_pwritev64+0x1c0/0x1c0
[  584.255562][T21939]  ? fput+0x128/0x1a0
[  584.259557][T21939]  ? do_syscall_64+0x8c/0x800
[  584.264233][T21939]  ? do_syscall_64+0x8c/0x800
[  584.268910][T21939]  __x64_sys_sendfile64+0x1f8/0x240
[  584.274109][T21939]  ? __ia32_sys_sendfile+0x2a0/0x2a0
[  584.279402][T21939]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  584.284905][T21939]  do_syscall_64+0x1a3/0x800
[  584.289493][T21939]  ? syscall_return_slowpath+0x5f0/0x5f0
[  584.295169][T21939]  ? prepare_exit_to_usermode+0x232/0x3b0
[  584.300902][T21939]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  584.306450][T21939]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  584.312348][T21939] RIP: 0033:0x458089
[  584.316234][T21939] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  584.335846][T21939] RSP: 002b:00007f8afba1ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[  584.344264][T21939] RAX: ffffffffffffffda RBX: 00007f8afba1ec90 RCX: 0000000000458089
[  584.352227][T21939] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000004
[  584.360192][T21939] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  584.368161][T21939] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8afba1f6d4
[  584.376129][T21939] R13: 00000000004c4fd7 R14: 00000000004d8b90 R15: 0000000000000007
16:09:55 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:09:55 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:09:55 executing program 0:
r0 = creat(&(0x7f00000000c0)='./file0\x00', 0x0)
getsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f00000002c0)={<r1=>0x0, @multicast1, @broadcast}, &(0x7f0000000380)=0xc)
r2 = semget$private(0x0, 0x0, 0x44)
semctl$GETALL(r2, 0x0, 0xd, &(0x7f0000000600)=""/105)
sendmsg(r0, &(0x7f0000002a80)={&(0x7f0000001480)=@hci={0x1f, r1, 0x3}, 0x80, &(0x7f0000002900)=[{&(0x7f00000003c0)="2984", 0x2}, {&(0x7f0000001500)="558be736a91f68b1b3d08e679d7940bbe00b68433dbdc4672602643e356946926d1323f07912ebcb53cab43860a1760ce946d2c811cc62ed9b04dc147ffaa61b2a5539fb78660b15e8939ae738b63fab74447f488e10398e6e5600b819bafbcb906e55511b51f82e71004d605cb3cbd09ee803010b5fcbc6b6e042ebb3d7fa31ea7cdf036d7d6511f2e9d9d145034ad27b89dabf885482453bd54879a608b026694db7ba17d7d2add460a8bb9fa3c23881567f325e9448bed821e19eb3397d4a45fe628bf629c66cffe3af2bb7bddae80cd7bff6360e996d0ab00813864e4c827585c098b0c3945c", 0xe8}, {&(0x7f0000001600)="a9cd5c0d8ba1608b225b26fe7178ff426f1953205f8911ec5af4395d3156a69178fc89cb86a937b27851e0280cce32734c8396586ef309c430c344bfc6a8aa1215a61c4cd9f0062ddbf3c1790895dfa0c898abb307263ee72321301503b340d22b25008a52af", 0x66}, {&(0x7f0000001680)="f913076676a383dce79f1b8cdbea9d9ded03f2cfca39569607cd4badba78fcba364f995cc318a087054ab8c116275ae03adf2a5e663ba22b05276f283a4d2c3fd9003a9d69b15f636228fc6feb891e180b2fdf3ce85bd56b580eedd9612115fe70eb2ebb6ea410a36790aea9c73356bd29e1f25ab08c4f16b52df1c87c2418250a6b27f4dc3d9046b2a12159b475fadbdf254ffe8c5fb16d425585ad7a3c0fcfbc1b0d110b4b236a2e76ae1e9f3c502e4ed65a001fe6b3c1aca0432e60274ae2bb24438a65c59b151fc5b64c578ecc7cb483b69d345dfc", 0xd7}, {&(0x7f0000001780)="5d36f2ea5c6589655670a3e4b878e18372f4991e9959a559e75cf4e5df1e2b2793ada7ce5830ba28c3003bb66957d3cbe8e0de97036ff762c5ba37050a", 0x3d}, {&(0x7f00000017c0)="5bfc98442eda5bb16a18d12f778cff4d60b9c1de6976cd221bed26775101287b56a108e8f06cad", 0x27}, {&(0x7f0000001800)="63424f2126ab439a7e7449a4a6e415233103989819a2d470b46ad1ac2844bd4e92e814ee2554d97e48b67231506919a0bbbb056c5633604c92ca35621cf4a7a83bf27703eeb05fdb445b2885a3707d1addb50fd54afd739ce38f358230626b8bd4d4d95776f27ceffa32f627a78ec9e172b406c20df0af30741f6faec396953321018566fb29eb892cc2b3400b8190436e15f053d2f9aec3231685038b4ef1c14d3c7082b706bfd2bbb2820d291dc267d70a8e86d5ef0f14542540f57fa3ca605b3654f972", 0xc5}, {&(0x7f0000001900)="be94284d6a185a19a6cd2e66e09e519117900f5550206e93edaa528eb8ae964e055c75f21f1a7813c3e4451ea84c2750bfefb95d37472bb0ccc740e9acdc827de0ef0c129cc2a08005356e7421b0fef266444c43b8ad4b8bc6b4e08037352eb05b5107bfaf1a138887e97e1bbc700294f64471a981e9c5dcb85b430ab70ef47774edab6f4147530ee3dd1e7d2a5dd99929719b0285dd0de7cb3d1972fe466d5e2501a740b20f9e53e7a93f326564ccdd1110316712d64a388682576d52bc9a7763cbdc9890b5f045bf71173b94ecf267ae44e8bdac33756c80ff5ca3f4f35363391ef26529da4d7d21ffaab2d73db33a0fcb823f28372fceb2fa74bcfc840eae51a4548eccdaa3ea460ff7019ab57ae7440876e471ada3c0de42e34e2c96eaa920e40dc4d906bda3f1e9130ccb15e4883861c2ff58758a1cf77b5c26a21b40c06f59485fb61fa31f95ace56c1140892a4b3820c63b5fc3dc366f8c413f0991dc8a6ab344a57e678291d1d537a79331c7f48a2c63711933e5b7ff757d691c2ac37360ba3fcc9cd7ec540a5c6c850daffc5f6459580d0e0cb65033fe44286df7570e731641e79b013eeb64d53314d2b721c9f7add0856f5e313cfb9865863fe31493834281d02c7605f38befaea0b3082c42992ef98d385d2c38377406ebf3c836c3d7ca8b2d294d522290d5a6a1689036f36ea123c794662152fa5621a5532dae6d06f229cef219a182b8bc82acabb483cdc0531725610dc4ebcc75f32b853fa6aaf749826601f012d5cf95b648da5a0ebfa5e89813cac70be0616bcb128be8a03bbb6eeb1d1adc612685023116b12f94e6b04fc8028180ff56eaa657b8985d48be74858adf95796aa965d56ce0919ba96c9ac003641411552de35f8de53ee13623697c4b7de92cf7c9fd1d1ec9906de9b22dbdf286f74ca4b395f30948088a90ec6b77f51bad8e12ebbea720f527605e9c5ab7ceee3326c8f3cbe40d6843821272d1b65cea98f8e51bbb1655d688d4da59042dc36b96082f613796a6bc952a7d19ed097041e046410956b49e63c58df2a75ed94f693b11198f3b02d3ed0ec7b6389aaf533366e84dcb922dbc8671303fbf9e6d04ff182aa024da250f3e4622174faa58e3cc16a7cd3503070adf1dededeb93b4f5b5db6e711132738aa99c3d932db20b11726048e90a8a144309c6c6f76bbdfa97234ce88e5c9b42feb5245f80393a3f1ba2a66bc60e4eec400d3380a1513559f738825558ac8db40103cb3abb8d7a5f990a22b7033e41ef2ba3cac61a98e569d4c0070524722623c0390a51dd43fb8c73112a17e25199010549d232d6c80c32b255de8ac5817700e72a8603ebc84f9f5c4c56b6b799c8028ca0990a779c9f3427761e7eb0e490387f71004b473a1343f95f43825d39bea31bb46c928ae27245167e4d969675089add0c5a1c9b66bd9fc1ea6b79fc7e656e17a6a42f90ade56b34c39197254863f8b3fc6985c4c201203e30761d1e2c1488c6c3477264b17da4e61b2a42df04aa09f2fea854b0c4b51ee21f032e9101e6d815f23ad33002ced5d2a6d9819be461acb996377533fd5de7c88a3cee6b47191deeaa69a72d418c52657db06a5793844117c54cda2b989bb7bff929952b284143fddb5dd9fa6175127263d22e9764a90d02b78b6a01d507d186ee9d692caa75573a71699f378d92c38ef491296ecdf7f1ba9ea61bf14b4e961148cf48342b56e3e079c52f7085885303715eabe39bf956e8ca81d02ee119eab111a31547ad02af020fdfeafe74f806caf1abe736f22cc7eb243ffc7ef6596861c40d6082551c288f046db9b8f61d8c8ef411336dc76372d75b29b7a261644255cdbc76b2e05fb8ce3cd043dec8f0c48bd439a57f55c2ba455bedc48c52baede5c7626c4c35b9486db78b9afb0e9d05881d301dbecd04bac623b9f00bcbb12208388e264c2e111e322ac77634d26a61e7e0b5dc12456c285c35cd81f6d89a701e7b247da05b9a8f2134b33ac5be4c906d9a689ba65d9bcced9919f107ac6c8785d2acbb382279ec17c87d82d5bfcf9ff4d2d62bc6c7ec740d5ed1e9d872ccae6634605838bcb937ffed1e476c26a445cf949d28f5c1e058e7abb481bdeae4225e262962ea258a25fab2919b68144aedabb917c8886dd1c2e80d60bc2df9006b18f4098e38d0f43211bd5715c58a280cbe3f4ed3e2f955035215085981089579d9e5aac9cc36caef127066a05441968cb9744b6c5b4319de2ace88177df20ce923ce5796de3df8de6fb2ed78a7fe97d06c335df9e154d09655c8d42701b9ae5ff0f3972d9b233c1b616a534a9ef136e5e69acfb36fb026c51a9bb08b3936f2a9925dfed30826ce33eca4a83232737c808b48be04814b658d8dc98863fe7bdc2fb071c9f99c8d35b0be276c49f3d5823f2d5e5348a09ace32834e3eb07f33a7972931c04172dfe5db1e7705ff2a65c5312b169fb8ebbdfed1fd4cc849e008dd633ff829c8503604dd334485aee333fd57863154c1c694338ddc851d937170e6d0db48234472fec50b3451ac9849bfbd8f60aa1e775b30c2afd0b8d8486113213a548d8883ff39dd367d184579df0a5c99eb38918e64c68cb2ba944094816d2c479d5d8a921a5df21bee09b8868c75f9d6dbcfb68e890a05e402aeaf6c6e0066f8957993e04efd7d5f9ac3818d1e1e463d53012604f4fe9613768a22f6ac02348cb2a2108294ce69f401ebde8f5429fa7d7ecb027d29cbe1148fd9693484ed616147eeb50a3a3a94d244196484729c81654ce18e88c6a048fbd478187715a4f88b78bc85a076b1b8005d4bc47282ea958f77de0dd387df084211ecf9fcd7c5d5e3ad50934014864c1f05b0868d072d994bfea793d025ec03f1764c368c5b50ba822932ec8de340814a565908f353400fdaa2b274e90b5f72d36a063b840b166e23c3c10256341568c19dee00456e0559f1cff1b57d44df91c4e1319a0264c42cbbbf149a7bb4efeb86654c30a9a9cb5ad701b5251300eb20db294fc5e6808ce111cbe45eef5e7e3d16a259c474f7970c2438e44c75daa401d075a31d0396b4972022fecbf33abeeea984dc2b7638428eed01fd0e6bc6adad94c389025c8260131e4cd562e0ba22a950c67c5210331cbdcd94a5e7965f0ad1e99b1941653e20fb7158e40e2aac03bca96628c3b6684b8ade254870f4519c77d39c0ed6fda8759427ec76b216fa5613f4e6b91e2c705345612c6c55158b7913dae88e148509e45c49bcc7a0305e5b9dc119e2962a62dd8fe7e07d7a8d27b272049894098726fad7390b63f4e7c9f13b914b6f0566e9d04899396379ee1432e6650e6538e04e4c6998e9f9ba05b449bcc40967e07d36611bb2ec13d5610fe77cc70c82e0a1198f9c362025f99811c6f7542dd5e80fa63d1c42bbe95cba1f212e0dce7ba1258818d261b2c1674baeb7da7ee8ba1cfc0df24d8259b38d30b9c771a93dc571ace4648a2c4a8b9028c9b8c99c9d7c108fd27b37eeee0364ebebc006abff76e9c0109a15534628853694dc6a6cad1ca75f83845e4f737ee8032942163333891e6fb99dd83c8035ca04c3ba9178be7b9e2b27a3f312f2eff3dce1dc6aa2ce4feda319d1b58d4fe1768f501f4c58f44d1286218a49a82b4b5067d1a657713a315aabce5a6807a4661df13ee0b3d04f5d068c72bb894f1719377cc7d1334c7d446cdc2bbeb4f6eacda48d746151ec1695f3400de79867407dcae0f1b83b33113ff43bcdf0e344e5d9a0b8a29031d220147633e129693ee9940f05f78499615a6859f4261460df03be4090cf87e3cbfbcfc0102ae109a252673fac2b3f7cbcb082bd80c03aae0c97f32f411fa44ed6f66e6e1a783f3c8ce1709f9114e994f2ec6362911bb48c02d34cf2c26a28d6a805c3eae0581dbe4d37939e60da95acdf0fca1f3d131ba5804d3e7123c218eb9a105f0056b1488ad93a8fa190b1714e5402c1d8208c3ac23fe754d0aefe8a2d311f205f21bfd79f4a323677d59a2109e77135b250a71dfba18d3976fc6b8d4fbe99fee8c3f759398d4f145b6f8db5b34fdf265aaf0107e276c5ca3031d2dac51a059c71dc307120e0623fe22f07883c3a7a2a1afc246930542fe1ae283b8e795416a86956195dd8c4c26066c86b1495c9662a9c9d2eb96275a2dd7bd8f63315e5d15fcf43c46eae9a437cac54c2b6edf13134af0e5c937af39b0d6df4f5e70486249000f3e2dbed9a206c553e299c6c5a59d60f88aa14765cb1db08b1570b3dc1c7d47308ce37f647eb300611e49836a523a7e872f82a7e710f9fdf4c17b514959a2cc62d30609efe34db6f2bea33c1295f810be4bb3b74d565cab86a497a0decd01350aa9bc329b1424b40bc6e05362ca708e170bbd42be672b86c0bb2048eb703189436d5056c6f20753c9f3e81c08347b86da160cf95b9c31a181e291e2e71cb7d518253f419d566b9a6110e3d7c9369f33f8baee5fe6fc2d8ce334f53e030878db13c876e125ca07f487fce9300b486705338b182657c2ae051a5a91ee5e5266db70f58b809798fda5a42a92a7f922a3d3cfa0279659867e70a21b513a203862474bdf6f4fbba7165ed5fac311b16c518cccee4c520d273c125f7cf5a6f8c6fd009f1b113535ff1c0e00035f16c982a21c9991d2f17f9052bc0d699c7643174e4b7135302ccd1d94e4b0a8c9472c51858ac8767de6d35f2631c8ed0390ab897ce9c8424f7c75645045bcc54dd6df95033a46c5f28c6fdfe350eaae545ae3cef92e8398e7a226279101847a15ee49d812355a8527a86baad9299ffb72a1cd1e2480e1fe9eba8cf4965aaca8f78733133a39ddebd163401293667a59c3b6f9cb4c914ff634d3031a639ae6854593b51653ade585982109f95167cb30d1d529ab26e344b91eb10b490864fde5a5c6ec40b811db9163b2ecf44bf0b2d1d6e44852f9b1a6d6b2259c7d7491711aaf24d1c2ea021992726492a9b1f8d29ee268531bf2f6fe62bbd8ae232da8a900c6424d6b70b6d37ab1389f63d6d99d7334ad63df8f9648d08cbc95b76b280838c86b8966624f314a6cef668de464241f2911a9756184c8e6254788ea247a2462b3c93648ea75646999a5479314eb5b3d7919e35cec33c73a45570b22d0447f3431bead2e3d704e1640deb3102595d30fdb6f37fc948508608f078bb951cbd833279537c53ee2cc95b5ec00d9a01cff4449d644344834e39a1e6c7774d69f2d6aad36717a4953acfd48e34a2e91345606ce3103f6afa70b35ec5f23015d2b5bb35cea099522010951a27a4d4cfa9a478fd89ce39415d0471ae2f109488ebd01a6a9902ae786f27c85269911ba0a67d66658a22d5a9dfdca8083983e9aae49e5bbcefda0ca213682169903ab5c2847f33aef2494b446e1ac6efb48d18d097af4202b3dd007b34f467066d63304380d436972e8a3fbbdbe2e909a28867cecca6ee720da8e0af22e631548326ec50c73f71a09ac802349799085aecf9453a124eeaa4442ac956975d59a2bb4f75ddeedbe0baa84c5fb69aea58e431dfc4804d63eac46f7b0bd776cfb76476266a1fb2ab8dbc3d32eb4aef7251c022b40612f5cd23d1b297b477e9efad6168e4c5ad5c14d71b580f57a98dcfc94af7f1adb3025ae7bf51809162c0a2c22ee5809fc3aed16de5519f83e1603ff980c2f6ee397a7334f170bb01dddf3bc188e2303acbf0906d55da35b6778d6e8a16839a38554f0ed2bfa0dc880f8838362b18d918002698ac790e898d7ad75efa0c7945cb3b1163da8f1db755cd62273101", 0x1000}], 0x8, &(0x7f0000000480)=ANY=[@ANYBLOB="b000000000000000290000000800000095a25f8960353a7a5a927e28e54bb9e0dc74091052cc24875bf59514f73e67101f0912eede6559c7da584cd6c571800ea1cf441ce4e337b2d3e982357b8222c2bb2565246b17c5285e716767733eb384aaaf9126db9abe0bc28e567cdf06c6f7cce24a2ce890c8b2c1f8d7ca50a1c093a1360beb149ce654c8a9a5b570e76678b35c9303d21a12caf44f57f2062af22eae6e34d63528f3071132579d0000000028000000000000000000000080000000bc803204e739cef2710e7d42933c760826b7b284ef03e17a784072a3289328dd460d073e2010b5ee2967bff9a9fdb3ce6215eb35127cfd57b6222cd3889c5a45fd940996f2b2f98e6694b834af43688ab1b1016324bfb6f40b545ab533c95490f23399729353d5582caa91f8e55ad6f8a3b34de9e0393dfdd50cff4f5248f800a6d509ff3f65e18d19065366b6faa8416bfbf7c719bfa7c1a96aaa21d911bfc7680eef41192518e2e45feabd0c47e386"], 0xd8}, 0x4000014)
r3 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000680)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000000000000000000000000000000000001800000000000000080000000000000024c61f199d8a3ced84ec3b189f878ee7147bd11f6033d8ee925bb9914c7efd4d164b099c6a6c3eea4e75786453d225efc98198e4d3c97dd1f3b1951bac", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
semget$private(0x0, 0x4, 0x400)
clock_gettime(0x0, &(0x7f0000000100)={<r4=>0x0, <r5=>0x0})
ioctl$VIDIOC_QUERYBUF(r0, 0xc0585609, &(0x7f0000000140)={0xfffffffffffffff8, 0xb, 0x4, 0x40000000, {r4, r5/1000+30000}, {0x2, 0xcd33e4cdd093aae6, 0x1, 0x7, 0x80000001, 0x7ff, "6012b30c"}, 0x0, 0x4, @userptr=0x10000, 0x4})
lsetxattr$trusted_overlay_origin(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.origin\x00', &(0x7f0000000080)='y\x00', 0x2, 0x2)
sendto$rose(r0, &(0x7f0000000300)="209d24f575de17165a69dd7d7bd58f932fc7326e1f1993f916ac8d08c216b4d77bbdeee2ab92d6036fa50b00d3cac48046c5f9a28bcfd6fd1d43391a8c902fe83e", 0x41, 0x4010, &(0x7f00000001c0)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}}, 0x1c)

16:09:55 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xfffffffffffff000)

[  584.565915][T21995] binder_alloc: binder_alloc_mmap_handler: 21975 20001000-20004000 already mapped failed -16
[  584.595349][T22016] binder_alloc: 22006: binder_alloc_buf, no vma
16:09:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000040000000000000000000000000000000000000000000000000000000000018000000000100000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/conn_reuse_mode\x00', 0x2, 0x0)
ioctl$TCSETA(r1, 0x5406, &(0x7f0000000040)={0x8001, 0x81, 0x2b32, 0x9, 0xa, 0x178000000000, 0x1, 0xabf, 0xff, 0x4})

[  584.631939][T21995] binder: 21975:21995 ioctl c018620b 0 returned -14
[  584.632915][T22022] binder: BINDER_SET_CONTEXT_MGR already set
[  584.665793][T22025] binder: 22006:22025 Release 1 refcount change on invalid ref 1 ret -22
[  584.686222][T21995] binder: 21975:21995 Release 1 refcount change on invalid ref 1 ret -22
16:09:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  584.754034][T22023] binder_alloc: 22006: binder_alloc_buf, no vma
[  584.801121][T22022] binder: 21975:22022 ioctl 40046207 0 returned -16
[  584.810016][T22033] binder: 22032:22033 got transaction to invalid handle
16:09:56 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x40049409, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  584.867358][T22033] binder: 22032:22033 got transaction to invalid handle
16:09:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x1f\x00'})

16:09:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="000000040092803cf40000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000180)=ANY=[@ANYBLOB="00b969efcfde5b9800000000000000"]], 0x0, 0x0, 0x0})
r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/pmtu_disc\x00', 0x2, 0x0)
getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(0xffffffffffffffff, 0x84, 0x76, &(0x7f0000000080)={<r2=>0x0, 0x5}, &(0x7f00000000c0)=0x8)
getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f0000000100)={r2, 0x6, 0xffff, 0x7f}, &(0x7f0000000140)=0x10)

[  585.013699][T22044] binder: 22040:22044 ioctl c018620b 0 returned -14
[  585.069797][T22044] binder: BINDER_SET_CONTEXT_MGR already set
[  585.095866][T22044] binder: 22040:22044 ioctl 40046207 0 returned -16
[  585.115619][T22041] binder_alloc: 22006: binder_alloc_buf, no vma
16:09:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x1f\x00'})

[  585.164600][T22049] binder_alloc: binder_alloc_mmap_handler: 22040 20001000-20004000 already mapped failed -16
16:09:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300)=ANY=[], 0x0, 0x0, 0x0})
r1 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x0, 0x2)
bind$rxrpc(r1, &(0x7f00000027c0)=@in6={0x21, 0x4, 0x2, 0x1c, {0xa, 0x4e20, 0x1, @mcast1, 0x8000}}, 0x24)
ioctl$TIOCGSID(r1, 0x5429, &(0x7f0000000140)=<r2=>0x0)
fstat(r1, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getgroups(0x2, &(0x7f0000000200)=[<r4=>0x0, 0xffffffffffffffff])
r5 = getpid()
getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000000240)={{{@in=@local, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in6=@remote}, 0x0, @in=@initdev}}, &(0x7f0000000340)=0xe8)
r7 = getgid()
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000380)={<r8=>0x0}, &(0x7f00000003c0)=0xc)
getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000002500)={{{@in6=@empty, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r9=>0x0}}, {{@in6=@remote}, 0x0, @in6=@loopback}}, &(0x7f0000002600)=0xe8)
lstat(&(0x7f0000002640)='./file0\x00', &(0x7f0000002680)={0x0, 0x0, 0x0, 0x0, 0x0, <r10=>0x0})
sendmsg$netlink(r1, &(0x7f0000002780)={&(0x7f00000000c0)=@kern={0x10, 0x0, 0x0, 0x381183}, 0xc, &(0x7f0000000100)=[{&(0x7f0000000480)={0x1010, 0x34, 0x0, 0x70bd29, 0x25dfdbff, "", [@generic, @generic="64aae8305a30eb3f5e7d4bc2ea90cd57ec45572f95579f87d1330fc74da0cf5d512ab707d70c3e6be7b1c53ae24442e55ff8f2cf22dd5ae29cbe03252506edf2f95145e975ef304bbc3d0a4fdbb20859386d11c7c21beaa9d1a61ca61c98ded399436770b8787044f04437b4b3ba327b8b23e66b8ceba75517458e65e8f524198d118cae9ec18c50c34073a35caec7174247a64dc90f888594d1cc33e5935e852b6667451adb0393d7f86769db725516420d16cde685147cc3acf4d8337b3cdfbb645baa609c7dacf8da13739f4db019e648c4e8eb481e7e9f8700c91a5efc54cac8dc167c1d7635e9a86a87d9c10d84bec6ffe0af3c2d7ffee2cac828655bdd0d635bac36e2aa1af4beb8957ff6305a552a20c44c67dbcd654646b7c5e789f1921dafbe4706ae11950eaf4dba372d0b097e58b87cdd770e2d5f889325c61009c1d67f1971e65f1a2175fee600dec106e244519fdb119a60ad9eed5c1f5e914e6115ba7065a31813b8598edbe860e2b524eb20ca6db8632a421167d535efaf7f4c813404fd0679761723457b71f78e8ba1693f98582d5189f0a911f9c2410dbae37df3b95dba4c4c0eebdac8aa9cb2fab29126052eb948d8fe5549df9431bc0f7f31dcf5d77e7893ea0ff75ec15f846130506395a7c84b424d7dd68e62c8fd9b06a1c5567323c7a540350227e9b53bee43aa8fe6f5202bec056db0135f1e10690570ff47588b2da8b2c998c74c2fad724ccecf28efa1b9e70972e8272e81810f41c09a935337d69b9bc0418c21209aa541a1d6b67fa474998d3a3dde843c864e00e85bca217b9494df52fb1e1905b5302b537fd194a49d1374d3e1929e32c225b1cb74abd0c751f8def961d7ecedb67e93b84550c8052ae947c821dc7cb8bd34dfdbf3f8d6ac244bdc074b4a1977d50e773f5056e158e915341a496b825fea87dce753b48888780dc6faf9edaccb9b4627f545b5d547631df22b92f76089704c3e1a02df7d9ffe391d360afd99c6ad4732659d68e07ed490d87875e054e6781272bdff015634180e82c120333c2ae03fe3acee8e65fba95c760d68e8bb473a6654abf0aac1f9b302e46cd68b86b53452761b3ee5cc6c07f055a7a2cb42890e69d6a87830c46c4db1c11de58775de9a675706a885dc72b675229b8a5ceb1d75656d1eb853d3f5da5d41f7c2179f92c14515ffc90b064efb9376a91a248474e2c29486ffb6b33fbf92d12c686088ce8c1850d190c112ac94b63f25b126bf76de499b43768c567616c0f8f615db13a9c3c6b3389370d54eba51aa659b7010298097e4f759c23d40720a8a330149494365cdcb2d872fc622e926acb457194b3e1afd5ce165aa58ed5b1b7781067b57433e94385fe47098e1c9404a850b3fed4846f9c866699b6f59f5ecb41ef4e6d7e2711a7cb156572ea7be08b893bbe3754ae4c4bdd6664c48b247b74751d513856e41edf87bb01e640ad1b2582e4c6bbd42c5b384521016644500f1ff4c06632ac7ea3eba393d20f810ae9b2e98ab4850727aa1091d5c1ba8a317f6ab25c37311260bb910fd04ad73ffe1dfcbf20b2235affbc6b61447219633f6ad5d0e71675332e62e9164afee586d26c804ba5397e10adecdd8eb65e3f9e9472f7781b1d246591b1fea72faf631cb0fa4fb35d49a189af8c4af0e02b4eb6ae29aa3a684b475c55aacea64c8ed66da54e6de6bc5a07c0c69169840d858f6171bc7200d8c440601bcaeb6a2322eb083d7a2e4985d823314781d702c57bb1cbc2da64795cf25b6c257be3919bd4bf3586f2907fd8a7745c2694d02cf66dee0a7b58503b18067af10910bb9028c3b94abcf3ae2da48369cf5ba8007fa5b2ebd6243efe8622be5326a89f71922bbf19538d5d86a752d5a49a2d95dfcb93a9354111e305d4fcbe87231b15e4df8abc21752008e03140d7eba4c8d606400a8c6a62601c64ca27e91d8690271e2f5fa138e9d234c54ffdab3f0619bbdd60994745aa51fe8e6ea41c9767c7236d481704156af5e6acb01dd9cf0bbbf893da2c5ceeb0b28519bbd4d742cd9e00dc378190803e6fd5844becb08295888ee33e91a7c2d256c261247cc4d6f0825bae82902eb048ace5aecd1344bbae54a57f12d2e88a4c643cf99f974712cf7da2b55049c2c09d70dd70be306df4f375a3cb592dbfa8c6663fa5c0847d4bbab8f357b8afe2c01cacd61395acbcca5c90eeeed1fade528efc747bbe956a07ada8af2dfec6af31087a28d75f4a1182e7864525e83be2a4b8a2489f65f5c053cbbbd550f5211693b121ad7c41833403357f56e34b345f3745e0a48e0d92792ecfc3985db141f0cd078d859f4980d3bd39d1d87c4f20b5e598f8f23995a62047adba056f714298d8409414e819132923bf01d7b53309d19e56ea60a8f8e75efc3fb75cf86424f38cdcdebf443a7e08224289f96220a9aaf3cfa945a67b5261e3b10861953e2d872ea54ee70e066dead574dd6fda54d0cfbd44cba46db9ea47aa5d50434c9ec236053b46a3e056e938c0b24bb893958b98797ec71b17e8f987ca5a9e345a07e8042d4e04c416622a8c3e024c2287553e2f4441c91ee6fc59ed1ce6177c4901f4d5d680092abe0196c8ab4f2f8fa1e36a887af3d2dea23441958db86369d6b1bceb183bab42c8781d6a1c7a608c0247531f110f0981d89457fe351c463ae70c1eed99f4499ec222810c488a77c41803743dc6e1468c1bc207e3fa65d9436a97fe3a0972e67fa98c6b4aca753399d0f32a87e9ea33a9e9e4c7aa5c3ed4f6a74fef2b46ce5fdaa1e9d0c303b505bd9cf2e08f65fcf943796c238b8ec269a818b1c1e294d5f46e95a41691780d6cd5d22e7573318093dd45b2230542aca83aa7f168f63ab32b68548b93b9436645f42d78fba0e6c7c0506fc52e2c066eb327f025260bc6e9545b5704998c1d42d98172ebbfbad6741065f89327017cc06dfaa51773fe77e13767ec0a31158b618b969f1bfa8f223abcf2ba5548a98828f1d4effbb63b25ebd1539ce2924688f35c2eb3047155a18e6b41034ce55914d56db834a22a232bbde52d178541225ac60b350ce1da617c8678b55d678c88a9e12995b2deb2a536411a1ddb55d39acb80aaff3b967aa2e2bbcb85e59f4cbf16764a948ef219be391b97affb6d28dadfcb85b841eb9f26612762ddd83462ff92d74d637eeee3bd96f382889cfa4fd0b5509ad5e74977b78b8dc83df43bc46e4f2212dc4724c74db3c5957be668db46b454845d6db1c2f75d1513d4613bda8fe90ab33e68427c888dc577149addcd406e80682548a9d029db603efac6b9668d3d15a46ebfa072ee50256b2e7c667e0c764a30384f85e7313343959521d641eb62ebb4d8355141ffca68eead59a39e196bd3d1857a6b843fa9ecf6e93c966a5c912737a626ab089ea3b64281a33dc9236b60f7e51d72d16e74e4dccc2971725e087232444701c7a0e185b136b6e42027d7d970db892d672d99092fbc422cfb51433eea81b0e88192de9dfe83fdf2f9692977024cdbe2112abd429d6044436b5df726067cc450d9292aaac635005940ab8a0a9b5566e31cba9edd7f9e5a94de4a369ea4057dd583712a620d61ca6f869ed372cbe3cf71aca137f77f8f60be033785894b3bad4cdd09b5bcffb5be320eee44eec8503148d1d2757708e070be594c12d82880e70a9c64ffcfcec4aeed4ade9aa9fb869d3513a46ef3f2a0d09f6bc0a91e74e839b88c11e46eabea20c58f9551b8efe251210238c78ab94e6277cf94782efbd1baa0674b18fe385dfdd612779f7ab8aa91e655ef12c42c4b24da3f45f3c95bacfc9171595fac5cc8c65a970dcf9408d1604180e9ebae787b8c0f9da840c9be50c73f588d097a5ccc9ee4638454af5dad86223e331149df01d0e34c1e3e973f46fef6053ce8927fa4f58575c613f26b036eaeb255bf9360139c9ce1fa9cb3a05e342998530ba8fb5af43e2fa9cae19defabf888663cf5f7e301171ead052e174ae5e92fe5bccfa76aec8988e3031b418d173c734e31289ac7fa113191b58252473f14f668c5f80f95dac09f1eacadbe0fca5ec217f2c80dc300734b8a00ad7632ab5482d76a046fe919bbe620152d7be299fcbfe93708330d25fb55689004e74834cda98ffe3e9f442c2fc83e24e054448b8ada42bb47f90f1754635f9d43e9784b04c4b6147de298b192d6b5803401ab32e3c2a49ce5417e9f1845f9e9846c3e22a2414b42ca4bd21f1a18f98c225f28bc5b7f026a00639952f94104bb8c5584589ec0e1e963db823f9a16b77f367c4cc9c0648a11b56e992667e37e385636a215265fa3db60ca16f7bcc4c9c40d9f398b9b47315c2b654d77ef9f72d8b5734ec82d9b57042b79f5e5fa804824077ae33cf703ed284a3febbe57d78009098815dde0659df8f75dab214accbbac40e7c93a4bdf953645965a3ab91ad5bd50a33be54ddfec89f039d82297022f0ccc9145a45805bacee983c0972ce36bb96059293f76f6759626cde14f34d99a575865189106902ef7071f1002857bdb164d613b5f17ffca027a1c97fc5232fe0988da86ad5ea923aa172ec3382d638fd4051c3b53bef5b70348df62441ead97a2d966bd6f24eb08d5fc18ae49eebe9128880419d9239687f0a25e517f7570e08f6436e76aae7dd3a605bef06c6ed01a70dad378de3b19b4366e8e34f3bd65a3024127a6e3a6003b4253ec561695650593725e6678d41850abb8e7f421eb73e4123662f9710650aca0e32d4ad93208cedf534e69e94223fc8fa7ff2561241deb72641cf6c490361531590aea381335597f5caf2be2c29edb4e31908a886a52e5b74b304f246db40ce281e33aef3134074d1417772ed43db28a7644704a200fe676faed7065a2c5279e30fec80270c68f2ca99f943d877f6616f69cf9e091a42878c45d2b9a113fe292104d1d0b47ec43ab7fcb85db2036133819f0387f2e5d78ad4fe7b62813983cbf4656056d99874dac9a119b8b18b4e937754034de022cd3717ccc8f94a36641dff9a165b5e2c51e2468dc81fc2f64924198ae70933314604e7286065ca0dfb6a987ed1d4d39b75f277e7f5a4924f143058e25fb603f8ef137f2ab1ab1e7e682510f524afd62e02f7067babb9831e83a107c655ce4ffe987f55b90183a4dcc45a1ee31159d44925641b916221d14341185fb7002a6fcdcf9570e862ac739f3fb06a37f087a17dd3b9b2a8a087cbfc4b8286c77d9356f89581ec807547e32b1660cba5202c821b018e00f10cb60cb30be2eebdc1002cf3c72d01472c9e00d2cb5bbad50d7a2fb6751792bf042796a0dc9e2cbe86fa40d66f9104cc57fdde0eaf4fcbbda9765628a06e90679173d1e893e637d37953a4723eea601b2a2921b37abe0568552ba49ed3320e2b82ba7847d78cbec919dc7e8e0ce970eef89e0a5530ea9605bd69df6b2e8656aadd9c55257e2ff88fa213bfad16a288e3bee8f342dc74f2e3c6fda1ed0b7794c0c743e587fe724bf60d1b07e436f83a75f256a16059e4fcf6cc1bbc50a5a52d8c47e435401f2b4301334d2f2f7a497795009c82d5f7665624186980c02607bb5650f0eef9aafb3eea790e3fe0bff720e240b0ecd6c759b55b7510b3e3e58bb6d21e096a22f410dfbefc326e60d228cfd05d55ba6e0621729d604233818abcf8f30559c8ee86ae74c37e93205d12e9cb97b24b02d76e04bc606d7a0d814b41d37c3e4541b93657b412c24b7754900f1c686deb9f246177f52453a1600d640883595f03a11814ea28d4075e45e6255f77e0e423"]}, 0x1010}, {&(0x7f00000014c0)={0x1024, 0x31, 0x2, 0x70bd2c, 0x25dfdbfe, "", [@typed={0x8, 0x68, @ipv4=@empty}, @generic="e57cac3387df43a29b6f7342d654c9f530a71f6f2522445cb9127a4aa4fd0d62516b4859c77d860295b54cea84726ee3ff004d02558dcd8ef212f230abb7a915d607e8a422f1306c3a92eb96065049b6db1c6270d4a6326c016e6f561fbaf1629a503d41d7c672cb9bc3cf7078ce200a29c40e4c623a44b756c3e52e7d13f4f017d17c93c5eeba32f12e99fb8766d872c7d0100317fba55b9f79f8089ef0e5654b1f11f417c5926b1e7e484e5af4cb39f3c372a30337c148c32270571902fcd43f446778e39101291e799fab065034b6248094273b654fb0f760d56c74cfc0364f3615bbfeb81e7c087bc4aa159db7178adaa4cbd3cc903e262ab851bc546f3310e2d8ee25876a1646df476abf29460dac8aeeea1de7fb6eccbd22ee01dbbc1e21d545f3a1334dc617325951d663c6273fcff95543386c7ea09f0a7cd41b772b4ddf6b7b89ac38ab2a4738705fa3464c2995b4fe47aad4ef542ed5c80bf8330fb47d096de76866fab0e6f56dc96ab1fe7ea234743a123b65213d23285475c5ed26e515b4f190c78c9c8b030559c014283e4700f6dc3c84bace73049162dd8bf1dc4890370ad351f54c8e72a203dddb5e748a00d0eb37a8d21b0b540fa80f4f404aa7a6582eba0ae0512d446568f8c1f906aea53aa1b3615e7fd8e8a6cd79ed95f958021fe433595509c04e5c1ae8933ec96f9428a4ca50d1c70b5333aed2fe2491985cef0ca749cf8367e4efa87067317f873769fe42efd702e503a8e1b54d9aae0c9753f3a1405a716dd637d92aafc47d67bc6b52181432eae5aaca4a67f360f59a12c2192960b929420b932d5eb504db9c96627f0d7e450a002029e3f3fc2cc9d5c93bde8b4d705ec870ac1cd5ee64b7d4ec2f902bc5200c2a319a6bd7cd0269c6fbfcf2c115d11a6e27a89ac258c4ed74e86a42bf1eb99e8ebbaebc03d5eb2f26ec22e70da9bf4dba0a0ae1ab94660d3eb864dd3c3f5364bbe4915df54075afb1cbd7965e024496ea7bcddec81a790559f30993737261a3375bc1785de9d9ca83416a285be5538c18d36f0da5ebb465095b1a1a8a8ff9cf02c8ed4dff4ede5eda64acee37356f4f0f59ad27790cf1e8043b6027ceef0cf1f4bffdf2a545a676e6001bfa006c0e51a1910af8166c721a4334d3b9435238ba47d94a069960fffb9322ba2471941cadae8fbf67027e7d3b9966e68faa6787e3e293c7e79c91c6e7b48bbbe9e924c424526ae0532a01a8b6b7bfe723d9f9192d81b67187d9f40f3afcc78d62def2dc52657c08fe31fe0cd2631b3e345e3fb57025eafbc312eea6a459ef71167a6b4801d6ff1b520350fe80e42433cdbcfcfded2283160215bb48e317aba0cc4337f03a5a28aefc0ef3be17e32606ead2c32481b913d042a3b6415f1a0ee5995a000eeca73cb5818d852720cb791ea7ad15b4c791aa354d9897c7fdf54066ed6c7fdb8741a5ccca285ec2685eab4fe3960a517aa41f02bd77ba57998f5c6a1a32af4039355927f6b39e4b541c20a1ce5c5eebe63a485f83e6ab65ca1d63190612985bf909a3f43299d7296f8fbcc78474425c2700e13d92652710159889728dd87aeaeec8d13b384ece104d1e1d8afed9c126aa28fa4c95a0c4b0b54e0bb38864336a8603b88f9b379e7276f66819a67710dcc2fc2fc76ff192f3a7e4253567951769f87cb9185a7916ca423abb6f7f95c076492100e30f4f2f19d3492002be1a2c5bc65ecfa0ebf07a721ccf463ccb9263431b6bf59385c9115d8513df18c7ffa3de93a862ad939b68a4b5488550a5b7149f9ca856f9b85778b54e0cee612b506c626fd19b8be1e1fea406b55a1da22dbfe4976cd302c10a9e0d74343641ade6dba03cf671fdcad7f1bfb08c99efdd8c93537895f7d185e08c69cf968749fcb4afeb04baaa55056f9b116e25377da3960b675ec1f6f0f481783504d33baafebae3916b81ae09b79f570f1451f8b1417ce46bdfaec6c4e07df545f64e3a188a6ae713c83c32f3620113def3e921c4f6da9deeb2604dbf29fb36990599b18c8b3b93be8a51bc97caee6fce8d0dcbb4e0cf1cfb4b8b44a0b5eb3ffd7ecdf6a558a359e5c8b401530d10f8e6d1933043dcb7335add7dcf567ae000b46fe35da91abd6fb6a99773f3c584d5e3c0a151147707b514047da425c082410cfda4b99bcb100015769bc3a9fc0855f89a723fbb1d284e5a85f3e89ea19c2ae2bcb1552761d91dfa3ec01acf11b4c9b6f19b3a2014710b5c5a4fc6b3a0811851d9be72324ade9a7ffab44a795e0b08ad3448b42ef61269767caef0f7ee9c379807af8b24ea237292a9038dc0195244e094af221f40090b5e368b836b8171f6f09f71bb12e3f0bd1ea138d6bd777ec94a6217ef0974e855ce4d109bb6da0d66ddfc570228d68f3696f7555480590025a528c1603501cd97bbbf6b8f4ffdf1ff84661780588c5aba0bc31dc67def84fc8c1c9b57f47f1aca040dc30197f4d1c0ad35dc46b9a70f22ba5d950d6b8e185276aad7fd03202a9931b3d95fe3e558787dc8e5d6b9a98e70ad91bd96fe9fd64c8346b91439318b874a36767ed2f82c222942ba75fed64a8414b85493d38f1b0e46b102ed21b9c41d38653354a09823124ec9d1b3011fb8509e05bcfd5a4e0825cd995e0f17ea5e7d362851ae03d0d6c156b922a9e07e6374d848183ad1d9ed403d4e61cd2e51a90709ff7c054ecbb860b814caf1d0051ba94855a7884e437230a77d3860999e764336b4980a5b9d04e898e1e960ecbd24d35a88f866a025751fd50333d4a5bfe2f79457ed464801d1362a78646b5ff0e55f033c6d7546ee540113d55ec8c1d571c599b989e1a6fae5caf3da56b3e15e662d924040b7639807b0b49657a03d9444fed51aab553667c4b157105b64883eb4e924826f7029d25427058b939ab688c58abb38d55e4ceaded4cb513c5f6cdc8a704fff38ca8be3f013f3bd73fd51b60aa4619288ab0eb38fcf7d2a0fac08df287bc6d0d9271a246e06d2ef1be52b08d4cc541ca9e2bddc9014237252fada28eb74f3d2ebfaaa0c26cf5bc9f9dec709cdbdfacc30b6db6d04cffdefa4882e086fa446c91a4c1703946e52544feb0641107803971c5b28cf5cc30966ef6bab7739f63eeafe126866a6b11ce1961856ff269b500979f0543c5d0d26858f58bfc83174a097e5ae609b46b2cad99b83ac68fc43958ec0d9f6b7e545a0849171acb2938f67d28f465925c42f2c0aca5f28cab4347ba3dcf79171ffe5ac0b997f77cccbdaf52a6e2cae378d6ada1970916555d66fa88f12bf6d1ad1d88d1d0bec271043d04ed8ff524ed0e66bf067a931de87a78f7e1300cfbe5da39d48d0042ca561d8c402f79ff4392706067a552712cd3279592e9f2fbc0c729ceccfb8c6d48fb979825d12b2a8819429145bdc868c2b66af35aa6951bef2d72e5011153ff7b5118ee1764f5f0445f77c4a8100ddc542f326a7097a1ebae53b15e3382408510bbe91af7dbf9576a930f52a5d6875065609f4701e8f9802e23f28fd6b3f8a7797ba73ffe368434bca427d9a5b8752beaa69d03a731d9d337918fcffc795cb6b89c81244993d160e1d69e78cc2d9e52a1022f5c943ffdcebe45e0d5c11166ab71d4c9e0fbd73097c1d0690d5e8e0e03e3e59c36032e271b62e806db7e33f85d0814ab5daac160558adc21ce5aeece6ccc298d6dc8ad8baa54d339bda46461b8b9044b539cfbfca6368c60d58349f7141c1e95faddfad4cd55cfed95e16d6b9af51811b9ddc9e10598e6099a27763537d5c544434ba3370ff925f68f465983bf369b6d7ff34e334dda2e3ea210e851390adbfb5ef73fffa6eb8d5c7fa7590ace5a46b6eec77e2a138df5442e8d3530a3359df8ae6cb27a153523a45189db062502f417de7420a89430e090f83c7651e518064786ecb141f1fb9ce117a8aff1080c6190d16048d6ab5370e874e531681d1ac994015dcb5983fde792df1f2b14590a1491834b4421145528b0f2a3ea72ec1b643e8ef1837645eb97a13b65a77399f0770ce64f81791d251743238917ec232397e8e4b686cf0fb109307bd6a3f5d927f55283dae1a1e13cb1163c7e410a64355457931dcacb65cd467abba63cd1fe80e8cc455d84ddafb0de968b37787671f0527f1c42dee5d7e74603927c0824f7a8ea025920db986bfd079ca585b0fc91a7b1045551234b3f33a458133f112b1b8f28684b8e713f43495bedb42509ca379181dc49c8ca79faeab7c4011a09a2799edd261e8f87ecf23e77b4ea1f5243c8db6de77285194c87c1b3c592098065dd3630f46efbd2b1865173518927a67c55373ecc0169122484ff04cf1bf735b678c8f3e49bed5722b4270d3a48a5968b89b9a95b936c34d44f4857a897b6ac81ec57b2a43cb575c822ea036156f3eac35e309d8ab4282954a0aea4e73f9ce5cea4bfa4bc227887f7b0d65f820c99650696db4751f6c3d8b050371d96e74dd4fc7c390f45437a5e628d362653c939b440c5e42d2ecf6384a04087b7aa04cf3fd58e969bb029dda32470b409045e814a64f1212657cb06ac85fd3f36b53109f769a5a5f30491514dd981bb9489eb5d3625473a25134636633e950326e1cf218094cf4fb34bba13a9c012e0e451fb774f31784ee31071c1b697d62825070b4393117a5438edeac0c86716a5f065e67a5ab970b9318ffbaefb799d13ade308e23274d6abee2d938f9325a28a33234c5127d8ec16b1a2414e577c57e7cb5eb413abcb9e7dd187dfc414d9053fd94fd50e0881a9f29f3980ee0777c3bfcb2b19f6f4f2dfcfc16efafd0ec4b8219729cc6104f2e97e53b619fdd20be598792e9127bdce10bb7cda9d3af4fd0578f8103ac1c0b117e0778e36d6e0944e24e761b960bd4e314ce1036e40dc91d567caeb331cbb52f9168f8066a09ca2e579e484db0277138ce673ba22bca89db2be55633382146baf09fd96125c1cb3a6d8364020283f24b620066a70db1402ef6399b2294798029511cecf8e890981a758e486cdf3ac46ea62414c415d6a1284ddc4ca9ccc3034b93b589e3f1e1bf79abb0e0394f7a5763899117d1e6cde3eb2f8f1620802ac6a16588827e65e098e006a4e344d55f39167b94cd021c92b59aadfaca57e065764970c55541cf900ac9ab8f57b495573d5c7dae6fe3563af9dc937115452c0634a2a1e9bd2d80d2183b3cce0b310f2177dbbed52efa361108622e2c2b1c437b33777ca170046d20f44455d218fd6d753ad18da84a443bc9f137e51963e65a4341b7ecec7952b87a58d308a4efa7818eb5012add2a208eea84d8934fbe12e40091dfed4486a7e0b6cf8d4d0454cb1088e90a4ae5f410060bea9e9cd2bff89e4690508d34ec5ddf57b548aa70dae71592d16a920c1e89d31ad7a35b05d43080868ad6810ba1c42fdd36751bb82f5d48425e5eaac3fe9ef8cf79db32f44f960cb2cfcb05dbc67b3719b6341e9eac08388a76bb9c994324b902e1c6ef4bc39bb9c976be04ac9cea1e860f171cfd6a7e90117d1c8dfea4014e55017529b1edbf5a41ee48ef96ad29d20dd4ca1771a1a36853539f6083c3f626b32d40de6f03d0438cb03947d8fa43dfaed787dee4186d57ff341a55941f6d45bab14741e9cf69def68fdafa81405924b2452c3397ca0255a9703db403dc2923a4c6dbed7a40b6b7d0bc4de7663ecafdaea9de5f2539d18dc0e19d96baed5a573087271ccf0801e71c996711c3c8617f1050cced13ee5604722aa41f9e6bd16ba8750bc458240bb2cbc263d28b1389939d492f42a3538458f2", @typed={0xc, 0x8a, @u64=0xffffffffffff24e0}]}, 0x1024}], 0x2, &(0x7f0000002700)=[@cred={0x20, 0x1, 0x2, r2, r3, r4}, @cred={0x20, 0x1, 0x2, r5, r6, r7}, @cred={0x20, 0x1, 0x2, r8, r9, r10}, @rights={0x20, 0x1, 0x1, [r0, r0, r0]}], 0x80, 0x4000}, 0x4000)
ioctl$KVM_DEASSIGN_PCI_DEVICE(r1, 0x4040ae72, &(0x7f0000000040)={0x101, 0x100000000, 0x1, 0x4, 0x20})
ioctl$RTC_ALM_READ(r1, 0x80247008, &(0x7f0000000080))

[  585.207173][T22044] binder: 22040:22044 ioctl c018620b 0 returned -14
[  585.225300][T22049] binder: BINDER_SET_CONTEXT_MGR already set
[  585.234307][T22049] binder: 22040:22049 ioctl 40046207 0 returned -16
16:09:57 executing program 0:
r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x800, 0x0)
bind$vsock_dgram(r0, &(0x7f0000000040)={0x28, 0x0, 0xffffffff, @reserved}, 0x10)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:09:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\xff\xff\xfd\xfd\x00'})

16:09:57 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x4018620d, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:57 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:57 executing program 5:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(r0, r0)
ioctl$KVM_GET_ONE_REG(r2, 0x4010aeab, &(0x7f0000000000)={0x3, 0xf9})
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_MODULATOR(r2, 0x40445637, &(0x7f00000000c0)={0x10001, "a7f8026eab3b26b81f4c23657525fa2ef19ceffce77af19f4b14b8b2d47dbb0f", 0x1800, 0x80000001, 0x101, 0xf, 0x5})
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
fcntl$setstatus(r2, 0x4, 0x4400)
fsetxattr(r0, &(0x7f0000000140)=@known='system.posix_acl_default\x00', &(0x7f0000000180)='mime_typelo{proc^wlan1self[\x00', 0x1c, 0x3)
sendfile(r1, r3, 0x0, 0x1)

16:09:57 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x2)

[  585.786749][T22088] binder: 22073:22088 ioctl c018620b 0 returned -14
16:09:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\xfd\xfd\xff\xff\x00'})

16:09:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = creat(&(0x7f0000000080)='./file0\x00', 0x42)
ioctl$SIOCX25GCAUSEDIAG(r1, 0x89e6, &(0x7f00000000c0)={0x0, 0x400})
r2 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x76c, 0x4000)
ioctl$PPPIOCSMRU1(r2, 0x40047452, &(0x7f0000000040)=0x6)

16:09:57 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0)
r3 = dup(0xffffffffffffffff)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  585.843141][T22077] binder: BINDER_SET_CONTEXT_MGR already set
[  585.850623][T22077] binder: 22073:22077 ioctl 40046207 0 returned -16
[  585.932462][T22100] binder_alloc: binder_alloc_mmap_handler: 22073 20001000-20004000 already mapped failed -16
16:09:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  586.010168][T22088] binder: 22073:22088 ioctl c018620b 0 returned -14
[  586.070377][T22077] binder: BINDER_SET_CONTEXT_MGR already set
[  586.107369][T22077] binder: 22073:22077 ioctl 40046207 0 returned -16
[  586.114059][T22106] binder_thread_write: 8 callbacks suppressed
16:09:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe9d, 0x0, 0x0})

[  586.114070][T22106] binder: 22073:22106 BC_INCREFS_DONE u0000000000000000 no match
[  586.160180][T22116] binder: 22104:22116 BC_ACQUIRE_DONE u0000000000000000 no match
[  586.205017][T22088] binder: BINDER_SET_CONTEXT_MGR already set
[  586.242350][T22088] binder: 22073:22088 ioctl 4018620d 200003c0 returned -16
16:09:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  586.249859][T22119] binder: 22118:22119 ioctl c0306201 20000440 returned -14
16:09:57 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x101, 0x400002)
r2 = syz_open_dev$sndpcmp(&(0x7f0000000080)='/dev/snd/pcmC#D#p\x00', 0x2a, 0x400)
ioctl$PERF_EVENT_IOC_SET_OUTPUT(r1, 0x2405, r2)
fcntl$getownex(r0, 0x10, &(0x7f0000000000)={0x0, <r3=>0x0})
ptrace$peekuser(0x3, r3, 0x0)

16:09:57 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0x4020940d, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x1f\x00'})

16:09:57 executing program 0:
r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0xeb, 0x50000)
bind$bt_rfcomm(r0, &(0x7f0000000040)={0x1f, {0xffffffff, 0x79, 0x6, 0x7ff, 0xfffffffffffffffb, 0x100000001}, 0x1ff}, 0xa)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f00000000c0)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000080)={<r2=>0xffffffffffffffff}, 0x106, 0x5}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r0, &(0x7f0000000100)={0x15, 0x110, 0xfa00, {r2, 0x4, 0x0, 0x0, 0x0, @ib={0x1b, 0x81af, 0x82, {"bbbe0a8563d66eb025198aceab0bfc53"}, 0x800, 0x6, 0x1}, @in6={0xa, 0x4e20, 0x7, @mcast1, 0x6}}}, 0x118)
syz_open_dev$mouse(&(0x7f0000000240)='/dev/input/mouse#\x00', 0x80000001, 0x400000)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0xffffffa1, 0x0, 0x0})

[  586.522446][T22136] binder: 22131:22136 ioctl c018620b 0 returned -14
[  586.600324][T22143] binder_alloc: binder_alloc_mmap_handler: 22131 20001000-20004000 already mapped failed -16
[  586.657544][T22142] binder: BINDER_SET_CONTEXT_MGR already set
[  586.670069][T22145] binder: 22144:22145 ioctl c0306201 20000440 returned -14
[  586.695709][T22142] binder: 22131:22142 ioctl 40046207 0 returned -16
[  586.711300][T22136] binder: 22131:22136 ioctl c018620b 0 returned -14
[  586.717417][T22148] binder: 22144:22148 ioctl c0306201 20000440 returned -14
[  586.764588][T22136] binder: 22131:22136 BC_INCREFS_DONE u0000000000000000 no match
[  586.804356][ T2993] binder: release 22131:22132 transaction 3589 out, still active
[  586.824020][ T2993] binder: send failed reply for transaction 3589, target dead
16:09:58 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
openat(r1, &(0x7f0000000000)='./file0\x00', 0x2, 0x10)
sendfile(r0, r1, 0x0, 0x1)

16:09:58 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x3)

16:09:58 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x1f\x00'})

16:09:58 executing program 0:
syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x200000, 0x0)
ioctl$TIOCLINUX7(r0, 0x541c, &(0x7f0000000080)={0x7, 0x1f})

16:09:58 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0045878, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:58 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0)
r3 = dup(0xffffffffffffffff)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:09:58 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$KDSKBMETA(r1, 0x4b63, &(0x7f0000000000)=0x5194)
sendfile(r0, 0xffffffffffffffff, 0x0, 0x1)

[  587.443720][T22173] binder: 22162:22173 ioctl c018620b 0 returned -14
16:09:58 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\xff\xff\xfd\xfd\x00'})

16:09:58 executing program 0:
exit(0x3)
r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0xfffffffffffffce1, 0x0, &(0x7f0000000300)=[@enter_looper], 0x0, 0x0, 0x0})

[  587.545242][T22182] binder: 22162:22182 BC_INCREFS_DONE node 3595 has no pending increfs request
16:09:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\xfd\xfd\xff\xff\x00'})

16:09:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:09:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:09:59 executing program 5:
fanotify_init(0x40, 0x800)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  588.195712][T22182] binder_alloc: binder_alloc_mmap_handler: 22162 20001000-20004000 already mapped failed -16
[  588.205752][ T2993] binder: release 22164:22171 transaction 3597 out, still active
[  588.212289][T22182] binder: 22162:22182 ioctl c018620b 0 returned -14
[  588.227683][T22212] binder: BINDER_SET_CONTEXT_MGR already set
16:09:59 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x8)

16:09:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x1f\x00'})

16:09:59 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0)
r3 = dup(0xffffffffffffffff)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  588.248270][T22213] binder: 22162:22213 BC_INCREFS_DONE u0000000000000000 no match
[  588.323510][T22163] binder_thread_write: 6 callbacks suppressed
[  588.323541][T22163] binder: 22162:22163 Release 1 refcount change on invalid ref 1 ret -22
[  588.363079][ T2993] binder: release 22162:22173 transaction 3594 out, still active
[  588.382101][T22182] binder_alloc_new_buf_locked: 9 callbacks suppressed
[  588.382108][T22182] binder_alloc: 22162: binder_alloc_buf, no vma
[  588.397045][ T2993] binder: send failed reply for transaction 3594, target dead
[  588.407344][T22212] binder: 22162:22212 ioctl 40046207 0 returned -16
[  588.414158][ T2993] binder: send failed reply for transaction 3597, target dead
[  588.422151][T22182] binder_transaction: 30 callbacks suppressed
[  588.422184][T22182] binder: 22162:22182 transaction failed 29189/-3, size 24-8 line 3056
16:09:59 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0045878, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:09:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:09:59 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0xfffffffffffffdad, 0x0, 0x0})

[  588.508814][T22224] binder: 22222:22224 transaction failed 29189/-22, size 24-8 line 2903
[  588.564210][T22224] binder: 22222:22224 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:00 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  588.675263][T22238] binder: 22237:22238 ioctl c018620b 0 returned -14
16:10:00 executing program 0:
r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0)
ioctl$VIDIOC_DBG_G_REGISTER(r0, 0xc0385650, &(0x7f0000000040)={{0x2, @addr=0x8000000000000000}, 0x8, 0x120000, 0x401})
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:00 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  588.778607][T22253] binder_alloc: binder_alloc_mmap_handler: 22237 20001000-20004000 already mapped failed -16
[  588.853947][T22243] binder: 22237:22243 ioctl c018620b 0 returned -14
[  588.886628][T22260] binder_alloc: 22237: binder_alloc_buf, no vma
[  588.896470][T22238] binder: BINDER_SET_CONTEXT_MGR already set
[  588.897332][T22258] binder: 22237:22258 BC_INCREFS_DONE u0000000000000000 no match
[  588.911569][T22260] binder: 22259:22260 transaction failed 29189/-3, size 24-8 line 3056
[  588.959024][T22264] binder: 22237:22264 Release 1 refcount change on invalid ref 1 ret -22
[  588.970120][T22238] binder: 22237:22238 ioctl 40046207 0 returned -16
16:10:00 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
bpf$BPF_PROG_GET_NEXT_ID(0xb, &(0x7f0000000000)=0x7, 0x4)
sendfile(r0, r1, 0x0, 0x1)

16:10:00 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:00 executing program 0:
openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/loop-control\x00', 0x232080, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  589.052338][ T2993] binder_release_work: 13 callbacks suppressed
[  589.052347][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
[  589.065060][T22253] binder_alloc: 22237: binder_alloc_buf, no vma
[  589.074056][ T2993] binder: release 22237:22243 transaction 3603 out, still active
[  589.139717][T22253] binder: 22237:22253 transaction failed 29189/-3, size 24-8 line 3056
[  589.181470][ T2993] binder: send failed reply for transaction 3603, target dead
[  589.308951][T22277] binder: 22274:22277 transaction failed 29189/-22, size 24-8 line 2903
[  589.371076][T22280] binder: 22274:22280 transaction failed 29189/-22, size 24-8 line 2903
[  589.415812][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  589.422024][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:01 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x10)

16:10:01 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:01 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0046209, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$swradio(&(0x7f00000000c0)='/dev/swradio#\x00', 0x1, 0x2)
setsockopt$inet_sctp_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f0000000100)=0x8, 0x4)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:01 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
r2 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
fcntl$setlease(r2, 0x400, 0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
recvmmsg(r1, &(0x7f0000000700)=[{{&(0x7f00000000c0)=@ipx, 0x80, &(0x7f00000001c0)=[{&(0x7f0000000000)=""/61, 0x3d}, {&(0x7f0000000140)=""/88, 0x58}], 0x2, &(0x7f0000000200)=""/27, 0x1b}, 0xfffffffffffff000}, {{&(0x7f0000000240)=@sco, 0x80, &(0x7f0000000680)=[{&(0x7f0000000380)=""/246, 0xf6}, {&(0x7f00000002c0)=""/85, 0x55}, {&(0x7f0000000480)=""/243, 0xf3}, {&(0x7f0000000580)=""/135, 0x87}, {&(0x7f0000000640)=""/35, 0x23}], 0x5}, 0x5}], 0x2, 0x2001, 0x0)
sendfile(r0, r3, 0x0, 0x1)
ioctl$SNDRV_RAWMIDI_IOCTL_DROP(r1, 0x40045730, &(0x7f00000007c0)=0x9)

[  589.978055][T22296] binder: 22287:22296 transaction failed 29189/-22, size 24-8 line 2903
[  590.015299][T22302] binder: 22289:22302 ioctl c018620b 0 returned -14
16:10:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x1f\x00'})

[  590.032815][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  590.053169][T22293] binder: BINDER_SET_CONTEXT_MGR already set
[  590.056888][T22305] binder: 22286:22305 Release 1 refcount change on invalid ref 1 ret -22
[  590.072849][T22293] binder: 22289:22293 ioctl 40046207 0 returned -16
16:10:01 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  590.122754][T22293] binder_alloc: 22286: binder_alloc_buf, no vma
[  590.191297][T22293] binder: 22289:22293 transaction failed 29189/-3, size 24-8 line 3056
[  590.199604][T22302] binder: 22289:22302 BC_INCREFS_DONE u0000000000000000 no match
16:10:01 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  590.245998][T22302] binder: 22289:22302 Release 1 refcount change on invalid ref 1 ret -22
[  590.261293][T22313] binder: 22311:22313 transaction failed 29189/-22, size 24-8 line 2903
[  590.295814][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
16:10:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:01 executing program 0:
syz_open_dev$adsp(&(0x7f00000000c0)='/dev/adsp#\x00', 0x7, 0x80000)
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0xb0, 0x400040)
ioctl$TIOCSLCKTRMIOS(r1, 0x5457, &(0x7f0000000040))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000480)=ANY=[@ANYBLOB="0000ffffffff00007dad18bf23e21f2525600013fa66291e5d66487aa100cf080000d5e9779f723b1c0ca7a4e2b72c4bde4908000000246f77954091eca29e4a09a80dfe5dd16abd97523df59c27dc0be094279fa8298ca10727d11483d1bafac2c4281d519bc93fe5ed90711847972ea85dd50d2b00b7bce5428cb233ec947aafeff3b904eaaf94b7a1dae8cc6989f62a911eca511625f623f418563d52b02559deb2a1e0beb723e52afbc699e9ad48374d502d44ef592ebe41b8ef22fe84adf303e1175d0ff34fcb2ec0e998ef148da2045e447223d678b927da10b54e6ef40b15e09b3166fce1789423dd4f03252cef", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

[  590.359033][T22317] binder_alloc: binder_alloc_mmap_handler: 22289 20001000-20004000 already mapped failed -16
[  590.411557][T22302] binder: 22289:22302 ioctl c018620b 0 returned -14
[  590.445079][T22329] binder: BINDER_SET_CONTEXT_MGR already set
[  590.467142][T22317] binder: 22289:22317 BC_INCREFS_DONE u0000000000000000 no match
16:10:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  590.521219][T22329] binder: 22316:22329 ioctl 40046207 0 returned -16
[  590.521528][T22318] binder: 22316:22318 Release 1 refcount change on invalid ref 1 ret -22
[  590.556228][T22334] binder: 22332:22334 transaction failed 29189/-22, size 24-8 line 2903
[  590.600817][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
[  590.614000][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
16:10:02 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x600)

16:10:02 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc018620b, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:02 executing program 0:
r0 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x1, 0x2)
r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080)='TIPC\x00')
sendmsg$TIPC_CMD_GET_LINKS(r0, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x24, r1, 0x808, 0x70bd28, 0x25dfdbff, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x4c6d8fcf}}, ["", ""]}, 0x24}}, 0x20004004)
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:02 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:02 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
r2 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$SCSI_IOCTL_DOORUNLOCK(r1, 0x5381)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000000c0)={<r3=>0xffffffffffffffff, r2, 0x0, 0x1, &(0x7f0000000000)='\x00'}, 0x30)
fcntl$setown(r0, 0x8, r3)
r4 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r4, 0x0, 0x1)

[  591.216993][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  591.225717][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  591.272033][T22365] binder: 22354:22365 ioctl c018620b 0 returned -14
16:10:02 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0xffffffffffffff7f)
syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  591.331254][T22360] binder: BINDER_SET_CONTEXT_MGR already set
[  591.334301][T22368] binder: 22357:22368 Release 1 refcount change on invalid ref 1 ret -22
[  591.410805][T22360] binder: 22354:22360 ioctl 40046207 0 returned -16
[  591.452716][T22365] binder_alloc: 22357: binder_alloc_buf, no vma
[  591.494525][T22375] binder: 22354:22375 BC_INCREFS_DONE u0000000000000000 no match
16:10:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:02 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  591.544489][T22360] binder: 22354:22360 Release 1 refcount change on invalid ref 1 ret -22
16:10:02 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qat_adf_ctl\x00', 0x200000, 0x0)
ioctl$FS_IOC_MEASURE_VERITY(r1, 0xc0046686, &(0x7f0000000480)={0xe52b5d1b2d630927, 0xf6, "d723c6139b56c4cf9cc81016e81db95acbdf21b4b8e55d74f08090e79765f897c1be6a6010c95e1b9180a1e1834d36bd8ff5552a90c8da4173ac03e88e97f6a42ce027c5d4e341cbbece56cf89afd31e261a56a619fdff27cad513837a325b7771f08af50d945709cdfbadb0cfd412eed6179b339d62446f7c0683d0aac0924f6989c0677dce34aee936fab9397a01b7992cadd75e3db66b63578424d53218b04b166bfea804e12cc1ca19e968c1053a131198e5eb54a5233bcc45a3c2a7c90a2a267afc664d564846af6d6b43981391dcdc6e00ca98dce632e06f4ca3400ef88627a7a2bac0ebcdd9721e4709e208e29b16e0f4734b"})
ioctl$SIOCSIFHWADDR(r1, 0x8924, &(0x7f0000000080)={'lapb0\x00', @random="7946a7f5b87e"})
sendto$inet6(r1, &(0x7f00000000c0)="52ca848e4beca943264677c89cf7806f587f944e0338117696140e40ca416516088cfe395ec22e544fdd", 0x2a, 0x4001, 0x0, 0x0)
getsockopt$inet_sctp6_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000100), &(0x7f0000000140)=0x4)

[  591.647201][T22375] binder_alloc: binder_alloc_mmap_handler: 22354 20001000-20004000 already mapped failed -16
[  591.695455][T22365] binder: 22354:22365 ioctl c018620b 0 returned -14
[  591.731617][T22375] binder: 22354:22375 BC_INCREFS_DONE u0000000000000000 no match
[  591.755809][T22365] binder_alloc: 22354: binder_alloc_buf, no vma
[  591.762737][T22375] binder: 22354:22375 Release 1 refcount change on invalid ref 1 ret -22
16:10:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  591.802970][T22393] binder_alloc: 22354: binder_alloc_buf, no vma
[  591.826764][T22388] binder_alloc: 22382: binder_alloc_buf, no vma
[  591.833624][T22388] binder: 22382:22388 Release 1 refcount change on invalid ref 1 ret -22
[  591.851841][T22393] binder_alloc: 22382: binder_alloc_buf, no vma
[  591.892552][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
[  591.916800][T22388] binder: 22382:22388 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:03 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xf000)

16:10:03 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc018620c, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:03 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000280)='/dev/binder#\x00', 0x0, 0x2)
r1 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x4, 0xc0400)
setsockopt$ARPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x61, &(0x7f0000000080)={'filter\x00', 0x4}, 0x68)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0xfffffffffffffeee, 0x0, &(0x7f0000000040), 0xfffffffffffffdb7, 0x0, 0x0})
ioctl$sock_kcm_SIOCKCMCLONE(r1, 0x89e2, &(0x7f0000000100)={<r2=>r1})
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000140)={{{@in6=@remote, @in=@broadcast}}, {{@in=@multicast2}}}, &(0x7f0000000240)=0xe8)

16:10:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:03 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000000)={<r2=>0x0}, &(0x7f00000000c0)=0xc)
r3 = syz_open_procfs(r2, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

[  592.436373][T22415] binder: 22412:22415 ioctl c0306201 20000000 returned -14
[  592.453499][T22415] binder: 22412:22415 ioctl c0306201 20000000 returned -14
[  592.483406][T22422] binder: 22409:22422 ioctl c018620b 0 returned -14
[  592.509468][T22414] binder: BINDER_SET_CONTEXT_MGR already set
16:10:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:03 executing program 0:
r0 = getpgid(0xffffffffffffffff)
ptrace$pokeuser(0x6, r0, 0x0, 0x938)
r1 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0x0, 0x800)
openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-control\x00', 0x4000, 0x0)
r2 = syz_open_dev$audion(&(0x7f00000000c0)='/dev/audio#\x00', 0xfffffffffffffffd, 0x202001)
perf_event_open(&(0x7f0000000040)={0x3, 0x70, 0x5, 0x100000000, 0xffb2, 0x1, 0x0, 0x0, 0x11000, 0x2, 0xffff, 0x5, 0x726, 0x7f, 0xffffffff, 0x3ff, 0x8e0, 0x3d10, 0x3, 0x7, 0x9, 0x6, 0x400, 0x1, 0x6, 0x7ff, 0x2, 0x3, 0x3, 0xec67, 0x5, 0x4, 0x3, 0x6, 0x6, 0x4f, 0x80000000, 0x99, 0x0, 0x101, 0x0, @perf_bp={&(0x7f0000000000), 0x1}, 0x8000, 0x0, 0x53, 0xa2c45a8cf1846694, 0x7, 0x5, 0x8a8}, r0, 0x7, r2, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:03 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  592.535620][T22414] binder: 22409:22414 ioctl 40046207 0 returned -16
[  592.578141][T22414] binder: 22409:22414 BC_INCREFS_DONE u0000000000000000 no match
16:10:04 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0})
openat$rdma_cm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
clone(0x4000600, &(0x7f0000000140)="4d6cc3ac12182ebe3d44991497e909f58bb668d362867265c9af1979817015295a08faf5d9cf8d3e75d9c4fed192640f9246e2da0b554568088597a2e9c89e3ab6", &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="d1ca8c1e2386af38aa81a6bf500650b49263c93a4ba6864a9c3f73c0cac41a8d8d70")
setxattr$trusted_overlay_opaque(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.opaque\x00', &(0x7f0000000080)='y\x00', 0x2, 0x1)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000280)={<r1=>0x0})
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f00000002c0)={r1})
semget$private(0x0, 0x1, 0x100)

[  592.676959][T22414] binder: 22409:22414 Release 1 refcount change on invalid ref 1 ret -22
[  592.710676][T22414] binder: 22409 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[  592.710703][T22414] binder: 22409:22414 ioctl c018620c 200003c0 returned -22
[  592.802230][T22441] binder_alloc: binder_alloc_mmap_handler: 22409 20001000-20004000 already mapped failed -16
[  592.818715][T22429] binder_alloc: 22428: binder_alloc_buf, no vma
16:10:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  592.851372][T22429] binder: 22428:22429 BC_ACQUIRE_DONE u0000000000000000 no match
[  592.861056][T22422] binder: 22409:22422 ioctl c018620b 0 returned -14
[  592.861790][T22447] binder: BINDER_SET_CONTEXT_MGR already set
[  592.917937][T22447] binder: 22409:22447 ioctl 40046207 0 returned -16
[  592.918161][T22422] binder: 22409:22422 BC_INCREFS_DONE u0000000000000000 no match
[  592.966352][T22414] binder: 22409 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[  592.966364][T22414] binder: 22409:22414 ioctl c018620c 200003c0 returned -22
16:10:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:04 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0189436, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  593.256597][T22468] binder: 22464:22468 ioctl c018620b 0 returned -14
[  593.302951][T22471] binder: BINDER_SET_CONTEXT_MGR already set
[  593.321640][T22471] binder: 22464:22471 ioctl 40046207 0 returned -16
[  593.337786][T22465] binder: 22464:22465 BC_INCREFS_DONE u0000000000000000 no match
[  593.346985][T22465] binder_thread_write: 2 callbacks suppressed
[  593.346998][T22465] binder: 22464:22465 Release 1 refcount change on invalid ref 1 ret -22
[  593.365224][T22471] binder_alloc: binder_alloc_mmap_handler: 22464 20001000-20004000 already mapped failed -16
[  593.393140][T22468] binder: 22464:22468 ioctl c018620b 0 returned -14
[  593.413311][T22471] binder: BINDER_SET_CONTEXT_MGR already set
[  593.431445][T22468] binder: 22464:22468 BC_INCREFS_DONE u0000000000000000 no match
[  593.462182][T22465] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  593.462190][T22465] binder_alloc: 22428: binder_alloc_buf, no vma
[  593.495939][T22472] binder: 22464:22472 Release 1 refcount change on invalid ref 1 ret -22
[  593.558842][T22471] binder: 22464:22471 ioctl 40046207 0 returned -16
[  593.594179][T22465] binder_transaction: 14 callbacks suppressed
[  593.594212][T22465] binder: 22464:22465 transaction failed 29189/-3, size 24-8 line 3056
16:10:05 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x7ffff000)

16:10:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="688e4ea5a074257b"]], 0x0, 0x0, 0x0})

16:10:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:05 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x1000000007)
ioctl$SNDRV_CTL_IOCTL_POWER_STATE(r1, 0x800455d1, &(0x7f0000000000))
clock_adjtime(0x5, &(0x7f00000000c0)={0x0, 0x80000001, 0x40, 0x1000, 0x2, 0x5, 0x568d, 0x5, 0x4, 0x400, 0x0, 0x40, 0x8, 0x9, 0x2, 0x100000001, 0x1, 0x2, 0x81, 0x800, 0x2, 0x9, 0x5, 0x8, 0x8, 0x9})
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
accept4$bt_l2cap(r2, &(0x7f00000001c0), &(0x7f0000000200)=0xe, 0x800)
sendfile(r0, r2, 0x0, 0x1)

16:10:05 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:05 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc020660b, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  593.902473][T22494] binder: 22483:22494 transaction failed 29189/-22, size 24-8 line 2903
[  593.915245][T22496] binder: 22484:22496 ioctl c018620b 0 returned -14
16:10:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  593.976872][T22494] binder: 22483:22494 got transaction with invalid offset (8873626874120408680, min 0 max 24) or object.
[  593.998605][T22502] binder: BINDER_SET_CONTEXT_MGR already set
[  594.021574][T22496] binder: 22484:22496 BC_INCREFS_DONE node 3638 has no pending increfs request
[  594.042276][T22502] binder: 22490:22502 ioctl 40046207 0 returned -16
[  594.049416][T22494] binder: 22483:22494 transaction failed 29201/-22, size 24-8 line 3131
16:10:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:05 executing program 0:
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  594.101499][ T2993] binder_release_work: 4 callbacks suppressed
[  594.101507][ T2993] binder: undelivered TRANSACTION_ERROR: 29201
[  594.119746][T22491] binder: 22490:22491 Release 1 refcount change on invalid ref 1 ret -22
16:10:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:05 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
msync(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x4)

16:10:05 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  594.410042][T22524] binder: 22522:22524 got transaction with invalid offset (0, min 0 max 24) or object.
[  594.470442][T22524] binder: 22522:22524 transaction failed 29201/-22, size 24-8 line 3131
[  594.532556][ T2993] binder: undelivered TRANSACTION_ERROR: 29201
[  594.661465][T22505] binder_alloc: binder_alloc_mmap_handler: 22484 20001000-20004000 already mapped failed -16
[  594.688737][ T8164] binder: release 22490:22491 transaction 3641 out, still active
[  594.720676][T22505] binder: 22484:22505 ioctl c018620b 0 returned -14
[  594.721489][T22531] binder: BINDER_SET_CONTEXT_MGR already set
[  594.752796][T22532] binder: 22484:22532 BC_INCREFS_DONE u0000000000000000 no match
[  594.774162][T22531] binder: 22484:22531 ioctl 40046207 0 returned -16
[  594.777764][T22496] binder_alloc: 22484: binder_alloc_buf, no vma
[  594.814632][T22535] binder: 22484:22535 Release 1 refcount change on invalid ref 1 ret -22
[  594.825147][ T2993] binder: release 22484:22485 transaction 3637 out, still active
[  594.840332][T22496] binder: 22484:22496 transaction failed 29189/-3, size 24-8 line 3056
[  594.851190][ T2993] binder: send failed reply for transaction 3637, target dead
[  594.863607][ T2993] binder: send failed reply for transaction 3641, target dead
16:10:06 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xfffff000)

16:10:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:06 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000080)=ANY=[@ANYBLOB="30270cb625baf3f775d108edd45f359d687553f9fe649309718b985ba73266ba7f5a5e9abf70d78d7de719885b4b12941b299b9e56335bbd1af6afb0501616ef4a5b30c8ce04e4077aaa3d29f190abb2bd91c07b366b6481f18931711eff262d7e4e30577e1c557202f3bdf3536c96b69633dbd4"]], 0x0, 0x0, 0x0})
openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
syz_extract_tcp_res(&(0x7f0000000040), 0x2e597f25, 0x4)

16:10:06 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:06 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306209, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:06 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
pipe(&(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$VIDIOC_G_JPEGCOMP(r1, 0x808c563d, &(0x7f00000000c0))
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

[  595.320862][T22553] binder: 22542:22553 transaction failed 29189/-22, size 24-8 line 2903
[  595.360690][T22559] binder: 22543:22559 ioctl c018620b 0 returned -14
16:10:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  595.408064][T22553] binder: 22542:22553 transaction failed 29189/-22, size 24-8 line 2903
[  595.426185][T22564] binder_alloc: 22544: binder_alloc_buf, no vma
[  595.436448][T22545] binder: BINDER_SET_CONTEXT_MGR already set
[  595.452882][T22564] binder: 22544:22564 transaction failed 29189/-3, size 24-8 line 3056
[  595.472542][T22545] binder: 22543:22545 ioctl 40046207 0 returned -16
[  595.472562][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
[  595.501969][ T2993] binder: undelivered TRANSACTION_ERROR: 29189
[  595.509735][T22554] binder: 22544:22554 Release 1 refcount change on invalid ref 1 ret -22
[  595.525502][T22545] binder_alloc: 22544: binder_alloc_buf, no vma
[  595.546918][T22545] binder: 22543:22545 transaction failed 29189/-3, size 24-8 line 3056
16:10:06 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000800018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
r1 = request_key(&(0x7f0000000000)='asymmetric\x00', &(0x7f0000000040)={'syz', 0x0}, &(0x7f0000000080)='/dev/binder#\x00', 0xfffffffffffffff8)
r2 = request_key(&(0x7f00000000c0)='syzkaller\x00', &(0x7f0000000100)={'syz', 0x0}, &(0x7f0000000140)=',security\xf9\x00', 0xfffffffffffffffb)
keyctl$negate(0xd, r1, 0x3, r2)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)

[  595.571260][T22559] binder: 22543:22559 BC_INCREFS_DONE u0000000000000000 no match
16:10:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:07 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  595.647411][T22545] binder: 22543:22545 Release 1 refcount change on invalid ref 1 ret -22
[  595.757388][T22559] binder: 22543:22559 ioctl c0306209 200003c0 returned -22
[  595.784131][T22582] binder: 22578:22582 transaction failed 29189/-22, size 24-8 line 2903
16:10:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  595.817251][T22565] binder_alloc: binder_alloc_mmap_handler: 22543 20001000-20004000 already mapped failed -16
[  595.822502][T22582] binder_alloc: 22578: binder_alloc_buf, no vma
[  595.834475][T22587] binder: BINDER_SET_CONTEXT_MGR already set
[  595.895892][T22587] binder: 22576:22587 ioctl 40046207 0 returned -16
[  595.895954][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  595.909015][T22577] binder: 22576:22577 Release 1 refcount change on invalid ref 1 ret -22
[  595.917592][T22585] binder: 22543:22585 ioctl c018620b 0 returned -14
[  595.920759][T22559] binder_alloc: 22543: binder_alloc_buf, no vma
16:10:07 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = open(&(0x7f0000000000)='./file0\x00', 0x4e00, 0x40)
ioctl$SG_SCSI_RESET(r1, 0x2284, 0x0)

[  595.956025][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  595.985191][T22593] binder: 22543:22593 Release 1 refcount change on invalid ref 1 ret -22
[  596.072719][T22545] binder: 22543:22545 ioctl c0306209 200003c0 returned -22
[  596.080162][T22601] binder_alloc: 22543: binder_alloc_buf, no vma
[  596.164141][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  596.192198][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:07 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:07 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xffff88808eeaf001)

16:10:07 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0xd, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x2, 0x1}], 0x0, 0x0, 0x0})
r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x0, 0x2)
ioctl$KVM_GET_PIT(r1, 0xc048ae65, &(0x7f0000000080))

16:10:07 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306225, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:07 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000040)={<r2=>r0})
r3 = dup2(r1, r0)
mlockall(0x3)
ioctl$TIOCGPGRP(r3, 0x540f, &(0x7f00000000c0)=<r4=>0x0)
r5 = syz_open_procfs(r4, &(0x7f0000000000)='smaps_rollup\x00')
openat$vfio(0xffffffffffffff9c, &(0x7f0000000440)='/dev/vfio/vfio\x00', 0x8201, 0x0)
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f0000000180)={{{@in=@broadcast, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in=@local}, 0x0, @in=@initdev}}, &(0x7f0000000280)=0xe8)
getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f00000002c0)={0x0, 0x0, <r7=>0x0}, &(0x7f0000000300)=0xc)
chown(&(0x7f0000000140)='./file0\x00', r6, r7)
sendfile(r1, r5, 0x0, 0x1)

[  596.543218][T22622] binder: 22614:22622 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
[  596.573840][T22622] binder: 22614:22622 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
16:10:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  596.598302][T22627] binder: 22612:22627 ioctl c018620b 0 returned -14
[  596.637698][T22615] binder: BINDER_SET_CONTEXT_MGR already set
[  596.645919][T22615] binder: 22613:22615 ioctl 40046207 0 returned -16
16:10:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
stat(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, <r1=>0x0})
stat(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, <r2=>0x0, <r3=>0x0})
getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f0000000480)={{{@in=@loopback, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in=@local}}}, &(0x7f00000001c0)=0xe8)
getgroups(0xa, &(0x7f0000000280)=[0x0, 0x0, 0xee00, 0x0, 0xee01, 0xee00, 0xee01, <r5=>0xee01, r3, 0x0])
r6 = getegid()
getgroups(0x4, &(0x7f00000002c0)=[<r7=>0xffffffffffffffff, 0xee01, 0xffffffffffffffff, 0xee00])
getgroups(0x2, &(0x7f0000000380)=[<r8=>0xee01, 0xee01])
fsetxattr$system_posix_acl(r0, &(0x7f0000000000)='system.posix_acl_default\x00', &(0x7f0000000580)={{}, {0x1, 0x4}, [{0x2, 0x3, r1}, {0x2, 0x3, r2}, {0x2, 0x2, r4}], {0x4, 0x1}, [{0x8, 0x5, r5}, {0x8, 0x4, r6}, {0x8, 0x1, r7}, {0x8, 0x1, r8}], {0x10, 0x2}}, 0x5c, 0x1)

[  596.680630][T22615] binder: 22613:22615 Release 1 refcount change on invalid ref 1 ret -22
[  596.693777][T22627] binder: 22612:22627 BC_INCREFS_DONE node 3661 has no pending increfs request
[  596.717002][T22627] binder: 22612:22627 ioctl c0306225 200003c0 returned -22
16:10:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  596.766243][T22637] binder: 22636:22637 got transaction with invalid offset (0, min 0 max 24) or object.
16:10:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  596.817829][T22637] binder: 22636:22637 got transaction with invalid offset (0, min 0 max 24) or object.
[  596.847276][   T22] binder: undelivered TRANSACTION_ERROR: 29201
[  596.854935][   T22] binder: undelivered TRANSACTION_ERROR: 29201
16:10:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
socket$can_raw(0x1d, 0x3, 0x1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
fsetxattr$security_ima(r0, &(0x7f0000000000)='security.ima\x00', &(0x7f0000000040)=@ng={0x4, 0x1, '['}, 0x3, 0x1)

16:10:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  596.989703][T22650] binder: 22649:22650 got transaction with invalid offset (0, min 0 max 24) or object.
[  597.018256][T22651] binder: 22649:22651 got transaction with invalid offset (0, min 0 max 24) or object.
[  597.328930][T22664] binder_alloc: binder_alloc_mmap_handler: 22612 20001000-20004000 already mapped failed -16
[  597.335900][   T22] binder: release 22613:22615 transaction 3663 out, still active
[  597.339682][T22663] binder: 22612:22663 ioctl c018620b 0 returned -14
[  597.354220][T22664] binder: BINDER_SET_CONTEXT_MGR already set
16:10:08 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:08 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu/syz1\x00', 0x1ff)
keyctl$join(0x1, &(0x7f0000000000)={'syz', 0x1})

16:10:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:08 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0xfffffffffffff000)

[  597.374578][T22664] binder: 22612:22664 ioctl 40046207 0 returned -16
[  597.379232][T22627] binder_alloc: 22612: binder_alloc_buf, no vma
[  597.420692][T22663] binder_thread_write: 1 callbacks suppressed
[  597.420706][T22663] binder: 22612:22663 BC_INCREFS_DONE u0000000000000000 no match
[  597.428366][T22664] binder: 22612:22664 Release 1 refcount change on invalid ref 1 ret -22
[  597.484526][T22663] binder: 22612:22663 ioctl c0306225 200003c0 returned -22
[  597.491864][T22676] binder_alloc: 22612: binder_alloc_buf, no vma
[  597.502299][ T8164] binder: release 22612:22618 transaction 3660 out, still active
[  597.529977][T22683] binder: BINDER_SET_CONTEXT_MGR already set
[  597.537889][T22683] binder: 22669:22683 ioctl 40046207 0 returned -16
[  597.544649][ T8164] binder: send failed reply for transaction 3660, target dead
16:10:08 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306256, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:08 executing program 0:
r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x224080, 0x0)
sendmsg$rds(r0, &(0x7f0000001180)={&(0x7f0000000040)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10, &(0x7f0000000280)=[{&(0x7f0000000080)=""/233, 0xe9}, {&(0x7f0000000480)=""/143, 0x8f}, {&(0x7f0000000180)=""/19, 0x13}, {&(0x7f0000000540)=""/167, 0xa7}, {&(0x7f00000001c0)=""/41, 0x29}], 0x5, &(0x7f0000000f40)=[@rdma_dest={0x18, 0x114, 0x2, {0x8, 0x4c}}, @mask_fadd={0x58, 0x114, 0x8, {{0x6}, &(0x7f0000000380)=0x7f, &(0x7f00000003c0)=0x63, 0xfa, 0x7, 0x8, 0x2, 0x8, 0x8001}}, @mask_cswp={0x58, 0x114, 0x9, {{0x10001, 0x7}, &(0x7f0000000600)=0x4, &(0x7f0000000640), 0x80, 0x81, 0xfffffffffffffffa, 0xb1, 0x8, 0x5}}, @rdma_args={0x48, 0x114, 0x1, {{0x1, 0x2}, {&(0x7f0000000680)=""/244, 0xf4}, &(0x7f0000000840)=[{&(0x7f0000000780)}, {&(0x7f00000007c0)=""/39, 0x27}, {&(0x7f0000000800)=""/49, 0x31}], 0x3, 0x20, 0x1}}, @mask_fadd={0x58, 0x114, 0x8, {{0x6b5, 0x62f}, &(0x7f0000000880)=0x4, &(0x7f00000008c0)=0xff, 0xfffffffffffffe00, 0x5, 0xe25, 0x99, 0x4, 0x9}}, @rdma_args={0x48, 0x114, 0x1, {{0x3, 0x7}, {&(0x7f0000000900)=""/19, 0x13}, &(0x7f0000000d80)=[{&(0x7f0000000940)=""/134, 0x86}, {&(0x7f0000000a00)=""/190, 0xbe}, {&(0x7f0000000ac0)=""/158, 0x9e}, {&(0x7f0000000b80)=""/242, 0xf2}, {&(0x7f0000000c80)=""/201, 0xc9}], 0x5, 0x1, 0xffffffffffff3a23}}, @rdma_map={0x30, 0x114, 0x3, {{&(0x7f0000000e00)=""/105, 0x69}, &(0x7f0000000e80), 0x30}}, @mask_cswp={0x58, 0x114, 0x9, {{0xfffffffffffffff9, 0x1ee31491}, &(0x7f0000000ec0)=0x4, &(0x7f0000000f00)=0x100000000, 0x6, 0x100000000, 0x9102, 0x7ff, 0x3, 0x7e}}], 0x238, 0x8000}, 0x20000000)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:08 executing program 5:
arch_prctl$ARCH_GET_FS(0x1003, &(0x7f0000000000))
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  597.583978][ T8164] binder: send failed reply for transaction 3663, target dead
[  597.593387][T22683] binder: 22669:22683 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  597.683201][T22695] binder: 22688:22695 ioctl c018620b 0 returned -14
16:10:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="006340400000000000000000000000000000000000000000495f7f34ae18b899300000000000000000000000001800000000000032673ebf6017de9784a5bb4058eebadf5639e49bad79c6eb7f391b48a8b1b61fc238431639bccb83828bda77d6752ee3e69f380d7c734fcc49edb542afdd0b6d5ee45551334a1b945daadeb6c8956109423d10f909a7bcc9cadcfc60bc746754afd3d010072ac0d6a7cd8d37cc76dce9f82783d7153b5c19c6c2d422213d6b3de00f55e86a7b3b3b9bf78764ff9b2786431e87c7b87ad64ab40085f993e60a45930f6a534fd8e74cc0f9ab259879c586a2b95a3be20d4e8060395358302a1873e85094ceac70dd2c23c6c9f38d3f061da1b54c2c85d771c7e31054b862837ba5376bc728992f", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000480)=ANY=[@ANYBLOB="00000000000000000bc105d1fb1418b3a80ef22c619c227b704b1b2b08f11897f9278666417757e3b3175ea39f94188dbc5d0a8dbb1f52eb4dffca6d2c94f3bcaa1e964e87963cd7d1813f09b2ebccff3bd6d4c713e33d262c8d294601a9671f784139e2758b97ef9d8cf7f2098bd99ff60be247021f0bfd474552b77ad1ae96df1a4d457a74e734f34bfdf7735fd9e6ed41e6a2555fed1f57e0d30e82cfc519a3dff36527f587c33f82397a26ab9df5796d9ab22933ec1e5c63c178e715fdb821bcceaa33e8059680eb8ef3ca97df293a33b5c6600b3f515f9720b9ffdce3f83b17ae2eac7c3ce87c1e15f9432ac9c84a0c4330709e0a770cbec9862156f3716f761f3800159400b5770180f290c37da04560043aaf1cc0cc0d83b070278bb6d8ad1de572d38eb2"]], 0x0, 0x0, 0x0})
socket$inet6_tcp(0xa, 0x1, 0x0)

[  597.752078][T22689] binder: 22688:22689 ioctl c0306256 200003c0 returned -22
[  597.773689][T22700] binder_alloc: binder_alloc_mmap_handler: 22688 20001000-20004000 already mapped failed -16
[  597.860334][T22695] binder: 22688:22695 ioctl c018620b 0 returned -14
[  597.872011][T22709] binder_alloc: 22688: binder_alloc_buf, no vma
[  597.886616][T22689] binder: BINDER_SET_CONTEXT_MGR already set
[  597.888810][T22708] binder: 22688:22708 BC_INCREFS_DONE u0000000000000000 no match
[  597.899242][T22689] binder: 22688:22689 ioctl 40046207 0 returned -16
16:10:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:09 executing program 0:

[  597.926088][ T8164] binder: send failed reply for transaction 3676 to 22688:22689
16:10:09 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:09 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0x56, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = creat(&(0x7f0000000000)='./file0\x00', 0x40)
ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000080)={&(0x7f0000000040)=[0x0, 0x0, 0x0, 0x0], 0x4})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="0000000000001700"]], 0x0, 0x0, 0x0})

16:10:09 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x6, 0x0)
ioctl$PERF_EVENT_IOC_SET_BPF(r1, 0x40042408, r2)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

[  598.338900][T22736] binder: 22723:22736 ioctl c018620b 0 returned -14
[  598.445681][T22724] binder: 22723:22724 BC_INCREFS_DONE node 3686 has no pending increfs request
[  598.476652][T22746] binder: BINDER_SET_CONTEXT_MGR already set
[  598.482672][T22746] binder: 22737:22746 ioctl 40046207 0 returned -16
[  598.493099][T22724] binder: 22723:22724 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:09 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
setsockopt$inet6_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='lp\x00', 0x3)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:09 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x400000, 0x0)
getsockopt$inet_sctp6_SCTP_PR_SUPPORTED(0xffffffffffffff9c, 0x84, 0x71, &(0x7f0000000040)={<r2=>0x0, 0x4}, &(0x7f0000000080)=0x8)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f00000000c0)={r2, @in={{0x2, 0x4e22, @empty}}, [0x0, 0xc32, 0x4, 0x5, 0x80, 0x1000, 0x48c41ab0, 0x101, 0x6, 0x9, 0x8, 0x9e, 0x9, 0x8]}, &(0x7f00000001c0)=0x100)

[  598.516359][T22724] binder: 22723:22724 unknown command 0
[  598.516880][T22739] binder_thread_write: 1 callbacks suppressed
[  598.517027][T22739] binder: 22737:22739 Release 1 refcount change on invalid ref 1 ret -22
[  598.521921][T22724] binder: 22723:22724 ioctl c0306201 200003c0 returned -22
[  598.577700][T22749] binder: 22747:22749 got transaction with invalid offset (0, min 0 max 24) or object.
[  598.602404][T22749] binder_transaction: 19 callbacks suppressed
[  598.602420][T22749] binder: 22747:22749 transaction failed 29201/-22, size 24-8 line 3131
16:10:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  598.629663][T22749] binder: 22747:22749 got transaction with invalid offset (0, min 0 max 24) or object.
[  598.639853][T22749] binder: 22747:22749 transaction failed 29201/-22, size 24-8 line 3131
16:10:10 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x200, 0x0)
write$capi20(r1, &(0x7f0000000080)={0x10, 0x5, 0x86, 0x83, 0x0, 0x8}, 0x10)
bind$vsock_stream(r1, &(0x7f0000000040)={0x28, 0x0, 0xffffffff, @host}, 0x10)

[  598.777169][T22761] binder: 22759:22761 got transaction with invalid offset (0, min 0 max 24) or object.
[  598.794366][T22761] binder: 22759:22761 transaction failed 29201/-22, size 24-8 line 3131
[  598.818148][T22761] binder: 22759:22761 got transaction with invalid offset (0, min 0 max 24) or object.
16:10:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  598.851500][T22761] binder: 22759:22761 transaction failed 29201/-22, size 24-8 line 3131
16:10:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  599.085172][T22777] binder_alloc: binder_alloc_mmap_handler: 22723 20001000-20004000 already mapped failed -16
[  599.113887][T22741] binder: 22723:22741 ioctl c018620b 0 returned -14
[  599.144578][T22777] binder: BINDER_SET_CONTEXT_MGR already set
[  599.164564][T22741] binder: 22723:22741 BC_INCREFS_DONE u0000000000000000 no match
16:10:10 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  599.192461][T22724] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  599.192468][T22724] binder_alloc: 22723: binder_alloc_buf, no vma
[  599.192479][   T22] binder: release 22737:22739 transaction 3688 out, still active
[  599.230097][T22777] binder: 22723:22777 ioctl 40046207 0 returned -16
[  599.230462][   T22] binder: release 22723:22736 transaction 3685 out, still active
16:10:10 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x2, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:10 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$radio(&(0x7f0000000080)='/dev/radio#\x00', 0x2, 0x2)
write$FUSE_BMAP(r1, &(0x7f0000000100)={0x18, 0xfffffffffffffffe, 0x8, {0x79bb036f}}, 0x18)
setsockopt$netrom_NETROM_T4(r1, 0x103, 0x6, &(0x7f0000000000)=0x7, 0x4)
write$P9_RVERSION(r1, &(0x7f0000000480)=ANY=[@ANYBLOB="1500000065ffff09000000000800395032301730a82e75d7c5e96e337c3d39cbb1f7ce2084d92ddea86f23ddb18c6dbbe5156378e37b544e07bc5b8188dfb1523ba00057de1fb41758263a5dc52164aa9da3d28a827995a456b4e80fcf5ae008d300259dc7f1c12f066d99e8c294cd7d7a43eab42966ed26ecd4bbedc314fd863da1414033273e2434fa920aaab17ee13b50eec99f66ea0d220cd58ac049b1c6550ae3d812c7e8"], 0x15)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x100010, r0, 0x0)
ioctl$BLKPBSZGET(r1, 0x127b, &(0x7f00000000c0))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
getsockopt$inet_sctp6_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f00000003c0), &(0x7f0000000380)=0xffffffffffffff0c)

16:10:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  599.243433][T22724] binder: 22723:22724 transaction failed 29189/-3, size 24-8 line 3056
[  599.248844][   T22] binder: undelivered TRANSACTION_COMPLETE
16:10:10 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)
ioctl$EVIOCGSW(r1, 0x8040451b, &(0x7f00000000c0)=""/80)

[  599.319942][   T22] binder: send failed reply for transaction 3685, target dead
[  599.333285][T22790] binder: 22784:22790 transaction failed 29189/-22, size 24-8 line 2903
[  599.341387][   T22] binder: send failed reply for transaction 3688, target dead
[  599.405853][T22799] binder: 22792:22799 ioctl c018620b 0 returned -14
[  599.408761][T22790] binder: 22784:22790 transaction failed 29189/-22, size 24-8 line 2903
[  599.443091][ T8164] binder_release_work: 14 callbacks suppressed
[  599.443098][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  599.459148][T22786] binder_alloc: 22785: binder_alloc_buf, no vma
[  599.465946][T22786] binder: 22785:22786 transaction failed 29189/-3, size 24-8 line 3056
[  599.472877][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  599.482585][T22804] binder: BINDER_SET_CONTEXT_MGR already set
[  599.491130][T22804] binder: 22792:22804 ioctl 40046207 0 returned -16
[  599.500124][T22786] binder: 22785:22786 Release 1 refcount change on invalid ref 1 ret -22
[  599.538545][T22794] binder_alloc: 22785: binder_alloc_buf, no vma
[  599.560665][T22786] binder: 22785:22786 BC_ACQUIRE_DONE u0000000000000000 no match
[  599.572601][T22794] binder: 22792:22794 transaction failed 29189/-3, size 24-8 line 3056
[  599.590366][T22804] binder: 22792:22804 BC_INCREFS_DONE u0000000000000000 no match
[  599.622265][T22794] binder: 22792:22794 Release 1 refcount change on invalid ref 1 ret -22
16:10:11 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'nr0\x00', 0x20004003})
ioctl$TUNSETLINK(r1, 0x400454cd, 0x336)
close(r1)
mlockall(0x4)
r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x0, 0x0)
ioctl$VHOST_GET_FEATURES(r2, 0x8008af00, &(0x7f0000000180))
getsockopt$EBT_SO_GET_INIT_INFO(r2, 0x0, 0x82, &(0x7f00000000c0)={'filter\x00'}, &(0x7f0000000140)=0x78)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

16:10:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x401, 0x0)
getsockopt$inet_sctp6_SCTP_DELAYED_SACK(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000040)=@assoc_value={<r2=>0x0}, &(0x7f0000000080)=0x8)
getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r1, 0x84, 0x18, &(0x7f00000000c0)={r2, 0x5}, &(0x7f0000000100)=0x8)

[  599.644071][T22794] binder: 22792:22794 unknown command 16400
[  599.653829][T22794] binder: 22792:22794 ioctl c0306201 200003c0 returned -22
[  599.682869][T22811] binder_alloc: 22785: binder_alloc_buf, no vma
16:10:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  599.708828][T22811] binder: 22808:22811 transaction failed 29189/-3, size 24-8 line 3056
[  599.734392][T22811] binder_alloc: 22785: binder_alloc_buf, no vma
[  599.759222][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  599.766860][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB="00000000a2b27a078001ebdb8107d9423be9000000006a4db31e11552178948f960926"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

16:10:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  599.960539][T22827] binder_alloc: 22785: binder_alloc_buf, no vma
[  599.984433][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:11 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  600.152356][T22804] binder_alloc: binder_alloc_mmap_handler: 22792 20001000-20004000 already mapped failed -16
[  600.183841][T22804] binder: 22792:22804 ioctl c018620b 0 returned -14
[  600.229057][T22837] binder_alloc: 22792: binder_alloc_buf, no vma
[  600.256070][T22840] binder: 22792:22840 BC_INCREFS_DONE u0000000000000000 no match
16:10:11 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x3, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:11 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x22a100, 0x0)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00')
sendmsg$TIPC_NL_UDP_GET_REMOTEIP(r1, &(0x7f0000000140)={&(0x7f0000000040), 0xc, &(0x7f0000000100)={&(0x7f00000000c0)=ANY=[@ANYBLOB="2800012f", @ANYRES16=r2, @ANYBLOB="100f29bd7000fcdbdf2516000000140006000400020004000200080001002e0e0000"], 0x28}, 0x1, 0x0, 0x0, 0x800}, 0x0)
ioctl$EXT4_IOC_MOVE_EXT(r1, 0xc028660f, &(0x7f0000000180)={0x0, r0, 0x3f, 0x8, 0x5, 0x3})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  600.285303][T22794] binder: 22792:22794 Release 1 refcount change on invalid ref 1 ret -22
[  600.350657][T22842] binder_alloc: 22841: binder_alloc_buf, no vma
[  600.388199][T22848] binder_alloc: 22841: binder_alloc_buf, no vma
[  600.396568][T22855] binder: 22841:22855 Release 1 refcount change on invalid ref 1 ret -22
[  600.398864][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  600.448058][T22858] binder: 22850:22858 ioctl c018620b 0 returned -14
[  600.455322][T22842] binder: 22841:22842 BC_ACQUIRE_DONE u0000000000000000 no match
[  600.506053][T22858] binder: BINDER_SET_CONTEXT_MGR already set
[  600.530247][T22858] binder: 22850:22858 ioctl 40046207 0 returned -16
[  600.562943][T22852] binder_alloc: 22841: binder_alloc_buf, no vma
[  600.585265][T22852] binder: 22850:22852 BC_INCREFS_DONE u0000000000000000 no match
[  600.600641][T22852] binder: 22850:22852 Release 1 refcount change on invalid ref 1 ret -22
[  600.634750][T22852] binder: 22850:22852 unknown command 64
[  600.657733][T22852] binder: 22850:22852 ioctl c0306201 200003c0 returned -22
[  600.684947][T22861] binder_alloc: binder_alloc_mmap_handler: 22850 20001000-20004000 already mapped failed -16
[  600.771623][T22852] binder: 22850:22852 ioctl c018620b 0 returned -14
[  600.796860][T22858] binder: 22850:22858 Release 1 refcount change on invalid ref 1 ret -22
[  600.812423][T22861] binder: 22850:22861 unknown command 64
[  600.822141][T22852] binder: BINDER_SET_CONTEXT_MGR already set
[  600.834645][T22861] binder: 22850:22861 ioctl c0306201 200003c0 returned -22
[  600.844941][T22852] binder: 22850:22852 ioctl 40046207 0 returned -16
16:10:12 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
syz_open_dev$loop(&(0x7f0000000000)='/dev/loop#\x00', 0x6493, 0x200)
sendfile(r0, r1, 0x0, 0x1)

16:10:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:12 executing program 0:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
fchdir(r0)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x5, 0x28300)
ioctl$PPPIOCGFLAGS(r2, 0x8004745a, &(0x7f0000000040))

16:10:12 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x100, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f00000001c0)={0x2, 0x0, [{0x1000, 0x1000, &(0x7f0000000380)=""/4096}, {0x100000, 0xde, &(0x7f00000000c0)=""/222}]})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x10000000003)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0xc41b)

16:10:12 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:12 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  601.149617][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  601.165270][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  601.188661][T22888] binder: 22871:22888 ioctl c018620b 0 returned -14
16:10:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:12 executing program 0:
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x408200, 0x0)
ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000000380)={'ip_vti0\x00', {0x2, 0x4e22, @multicast2}})
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000e80)=ANY=[@ANYBLOB="66696c74657200000000000000000000000000000000000000000000000000000700000004000000a80400004001000080020000c0030000c0030000c0030000c003000004000000", @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="e0000001ac1414bb000000ff000000000a31f7a8abe6000000000000000000000000000000000000ff00ff00ffff00000000000000000000aaaaaaaaaaaa000000000000000000000000000000000000ff00ff00ff000000000000000000000000050c5f000500080008005576657468305f746f5f626f6e64000000726f736530000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000f0004001000000000000000000000000000000000000000000000000000050006d616e676c6500000000000000000000000000000000000000000000000000000000000000000000000000000000848ebd5d991500000000000000000000ac1414bbe00000010f000000ffffffffac1414bbe0000002ffffffffffffffff00000000000000000000000000000000000000000000000000ffff0000ff00000000000000000000aaaaaaaaaabb000000000000000000000000000000000000ffffffff00ff0000000000000000000000020081080000010040000474756e6c300000000000000000000000726f736530000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000f0004001000000000000000000000000000000000000000000000000000050006d616e676c65000000000000000000000000000000000000000000000000867bcde869f1000000000000000000000180c2000001000000000000000000007f000001ac1414aa00000000cf486c20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0004001000000000000000000000000000000000000000000000000000050006d616e676c650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f0000010f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000e8000000000000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0xfffffffffffffff4)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x43, 0x0, &(0x7f0000000300)=ANY=[], 0x0, 0x0, 0x0})
getsockopt$TIPC_GROUP_JOIN(r0, 0x10f, 0x87, &(0x7f00000001c0), &(0x7f0000000200)=0x4)
setsockopt$inet_sctp_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f00000000c0)=@int=0xffffffff, 0x4)
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000003680)={<r2=>0x0, @dev, @broadcast}, &(0x7f00000036c0)=0xc)
sendmsg$nl_route_sched(r0, &(0x7f0000003800)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f00000037c0)={&(0x7f0000003700)=@newqdisc={0xb0, 0x24, 0x200, 0x70bd27, 0x25dfdbfb, {0x0, r2, {0x0, 0xffff}, {0x8, 0xb}, {0xffe0, 0xffff}}, [@TCA_INGRESS_BLOCK={0x8, 0xd, 0xffffffffffff7fff}, @TCA_INGRESS_BLOCK={0x8, 0xd, 0x6}, @TCA_EGRESS_BLOCK={0x8}, @TCA_EGRESS_BLOCK={0x8, 0xe, 0x9}, @TCA_STAB={0x64, 0x8, [@TCA_STAB_DATA={0xc, 0x2, [0xffffffffffffff43, 0x8080, 0xffffff0000000000]}, @TCA_STAB_DATA={0xc, 0x2, [0x10001, 0x400, 0xb52e, 0x2]}, @TCA_STAB_BASE={0x1c, 0x1, {0x100, 0x1000, 0x2bf, 0x2, 0x2, 0x20, 0x3}}, @TCA_STAB_BASE={0x1c, 0x1, {0x1, 0x6, 0x8fa, 0xfffffffffffffff7, 0x1, 0x1, 0x8, 0x3}}, @TCA_STAB_DATA={0x10, 0x2, [0x8, 0x3, 0x3f, 0x2, 0x80]}]}, @TCA_RATE={0x8, 0x5, {0x6, 0x7}}]}, 0xb0}}, 0x4000)
getsockopt$inet6_tcp_int(r0, 0x6, 0x17, &(0x7f0000000080), &(0x7f00000003c0)=0x4)
openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vga_arbiter\x00', 0x400000, 0x0)
ioctl$VIDIOC_ENUMAUDIO(r0, 0xc0345641, &(0x7f0000000240)={0x0, "4b2994d4df0365b56bf62cbd884d56572c458e51cb88b8b8d3d6c23bfb962eb5", 0x4000000000002, 0x1})
ioctl$SNDRV_TIMER_IOCTL_GINFO(r0, 0xc0f85403, &(0x7f0000000280)={{0xffffffffffffffff, 0x3, 0x4, 0x0, 0x1000}, 0xfb15, 0x4, 'id0\x00', 'timer0\x00', 0x0, 0x0, 0x10000, 0x1f, 0x401})

[  601.223321][T22880] binder: 22878:22880 Release 1 refcount change on invalid ref 1 ret -22
[  601.281063][T22876] binder: BINDER_SET_CONTEXT_MGR already set
[  601.317337][T22876] binder: 22871:22876 ioctl 40046207 0 returned -16
[  601.324498][T22898] binder: 22894:22898 unknown command 0
16:10:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  601.352401][T22876] binder: 22871:22876 Release 1 refcount change on invalid ref 1 ret -22
[  601.355257][T22898] binder: 22894:22898 ioctl c0306201 20000440 returned -22
[  601.387507][T22876] binder: 22871:22876 unknown command 0
[  601.419606][T22901] binder: 22894:22901 unknown command 0
[  601.425660][T22876] binder: 22871:22876 ioctl c0306201 200003c0 returned -22
[  601.446624][T22901] binder: 22894:22901 ioctl c0306201 20000440 returned -22
16:10:12 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x101100, 0x0)
ioctl$KDGKBMETA(r1, 0x4b62, &(0x7f0000000040))

16:10:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  601.593816][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  601.601610][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$swradio(&(0x7f0000000280)='/dev/swradio#\x00', 0x1, 0x2)
ioctl$KVM_SET_ONE_REG(r1, 0x4010aeac, &(0x7f0000000180)={0xb5, 0x8})
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0)='TIPCv2\x00')
sendmsg$TIPC_NL_PUBL_GET(r1, &(0x7f0000000140)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000100)={&(0x7f0000000640)={0x1ac, r2, 0x309, 0x70bd29, 0x25dfdbfe, {}, [@TIPC_NLA_SOCK={0x34, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0xced}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x3ff}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0xf191}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_NET={0x44, 0x7, [@TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0xfffffffffffffff7}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x1}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x100}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x101}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x400}]}, @TIPC_NLA_BEARER={0x2c, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x889}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'ib', 0x3a, 'ipddp0\x00'}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xfff}]}, @TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x7}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x5}]}, @TIPC_NLA_LINK={0xd8, 0x4, [@TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xffffffff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x54, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1d}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x200}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_MTU={0x8}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xffffffffffffffd0}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}]}]}, 0x1ac}, 0x1, 0x0, 0x0, 0x1000000080}, 0x44)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r3 = mmap$binder(&(0x7f0000ffa000/0x3000)=nil, 0x3000, 0x3000003, 0x20010, r0, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000000)={r3})
setsockopt$inet6_tcp_TLS_TX(r1, 0x6, 0x1, &(0x7f00000001c0), 0x4)

16:10:13 executing program 1:
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0xfffffd36, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r0, 0x400c6615, &(0x7f0000000000))
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = creat(&(0x7f0000000000)='./file0\x00', 0x10)
timerfd_gettime(r1, &(0x7f0000000040))

16:10:13 executing program 5:
r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x0, 0x0)
sendmmsg$alg(r0, &(0x7f0000001d40)=[{0x0, 0x0, &(0x7f0000000240)=[{&(0x7f00000000c0)="c32ae23e6b79e0170ce8bf7e72edc634013c454f36e2be902cf8746dbab3db24372d31978d898080d97386a6dc638a4e713eb802e8eed648488411744a7fd547e367aa29431e7ddce6842961308f1870003cb2f8b4c220e99e477c430ed4477926499eaf5dff1c88b6977cb90e889cb8e051ec5e35f14c8e3fc0bda80d30d8", 0x7f}, {&(0x7f0000000140)="b309ec19f475ced7e974c286f5ca7a9b8856db129f0a59f7642d6c9c", 0x1c}, {&(0x7f0000000180)="b26c0298643d659210ea678997907e7a4eb179ca4b5c938e611e6de7f61d22df4b4f4c4a729846ef1b9e042623c2de2dd286fd620f82ac8823bb0776fac3806abd7dafd7", 0x44}, {&(0x7f0000000200)="c90d1efe", 0x4}], 0x4, &(0x7f0000000380)=[@iv={0x70, 0x117, 0x2, 0x56, "b482829f7a66241a7e7ec86f3dee967b44511474657ba019c6afa9e26cf5f999e894ee3ce736f1fe7c47de6c8bcfc4f8a66f7ea18e25da68d2d69a5b48a72fa2a9c6d855c484822235c294679725264a579a479d3056"}, @iv={0x90, 0x117, 0x2, 0x79, "4eb811bc71689c4248a37bffc52ed747dc7545c7a1b1830788a89bdb551514d3bec373f6f3f60ed519d9197ef9a594a20c92f8c3e94a7b26fcb77535423919458ebec3d27359a58ca0a7e1c64a5290a7c325f6e142037cd335de8d01870503680e097e088c5a339d899f4a38bb942f558c91c4821eb88cc6ec"}], 0x100, 0x4000084}, {0x0, 0x0, &(0x7f0000001740)=[{&(0x7f0000000280)="9989963b1115bc3da3fefd0dc3a534ec8c29889945f5632f32b09628d47f5a2a8f6ae0b29d6dc5cc9e990d5fc2c0be02ec88a3c47478026cc8ff56463d20316fdd8eb8fd6ecf8e769c409b8fa7679960c7f22bf08f20db1c57985e51904554a0073e08", 0x63}, {&(0x7f0000000480)="2f3313312643d8821095317d0715bd2b248e5400d3473d8f53497e390ec34cb9cd9ea082919a907f9b4bdaadc284930badee56b9ca3c79c8def6d23d6b662b084e8a828e719f972e2028a663a25a99576c2b3a7f701d463528037d0feb8ebd7ec74b8d8f0d930ab6da03cfcfbf25bdadcf7cf2d7523d67e17eb67487f8ff779fce824776e350f82ed6f8e3fb89bcd2ef5211e963152d7d6370a5ebfbde01a8e804de9aaf2a511f549c5c6d86a28ab0e0eca5b26584f2d83e40bc4267", 0xffffffffffffff88}, {&(0x7f0000000540)="9eecc75c9f4c2fbe1832c72d27ce1e182f7eaf3428309dde3d0f707cb6d3ff5803d920daaff574691d6b81bb280051445eeb2d7ac2635d6ed43a205e2901ae9c17439723ce9221d2fa02d14fdec2e362e3ca4e319c8b743803d8c518b31c827be246a20d1c701135d40a989a93ad743fecd2944e4a64fd90891984dfc9eaa9ba850a29353426550c3ec1846651dff98c067020601ceaba46c7d0c9ef7eb867de1c7aa2ee", 0xa4}, {&(0x7f0000000600)="426d80809dc5ac1be47ce8419a46a1c90473521d4c734bbfeaec841658681c19de1865863f1c22d3548cb4a2400ae9da43ef3cab12bc1507b67783f51e7b5bd817c7de96a1a3701444e2014a6d5872fcc578fa28fd156769d403709469d75c6635dcba14f220f53daea9a254d5661d54bc194cd051cd7107d9ad5ed33bc5edb2bc96cad55c31cf7d4379f47b1a53ea36f31280050a51631266019b8e2b78d02703a2c1c649e6c247a3ff467548baf667a12c25923c2f915f5027b068e73ffb4d35f605c44dbb7791fa7d4e0ea16363ad326743e82653911b43cd636fd5e9d90b652aeae1760bb979ca96a162c29386b69b60dec8c36faefab6bc3984518660c23d575c0147f794759202abcea3c116249895b6ffb9ac88f9d4b21b89c32be03149a0be2dcb0ef7deca97dadbd023a496e2bc0f38c3aa834edba2173630b1a981086417e20eb516af5e22a3bd748f98a20e3fca5ca68c312e920c2d8fd97aeb7db2a07ccaf8bc3a2416a37f636cbb14c348b3922e9bea1f6cdd7d2be9cbb9b6158392112fcbda8943f72cbf473750f36a162c3cb6d03a33776548588e2a45a4098b906eee8baddb14f253a64df4b06ba965445f032e850d67e690c7a31594e9b580d3f452b90a4da98fcfd6e49018ddda8b4466827b21bbcf94d49e29be96d7ccca9de8ff1027a4d5792ffbdd32384748e09f4a480a78ba56910d2ec43055b558b19e322ea6855211de800a6b20ddfb98c6151c74b564791058d8a4b8eb13d34cf9a32e51926720c7e5a74769d3282971bb63259ef7b5b8b163d5c00f0ff778b1d5a3417589a3a410544cc277531a6cf048d92e0761c61cf4cbd8c4918c5b98db108fbf682152a816aa7a4dc8d57a44f0f005bdc93d437b24109ab9d8cb88d5f3dcad3ad14bbebe73f9911f6bf4b593fa04c03d24ece0e13fbb7a21ddc393290b31f5c3dd59414e77596792c6e69d41698186b86c03f216af1863e70f255016a0861f58512423c2bc1088e59d0932e9a5cecca445202b122756eea312aa7dcb99715519c3b34b9eff49884fb97ca8cdcbde4ba2f35073390bd615bd2756025f4beba166942ecdc05d56d783767e27bc5685d6306e5e37e5a3388ee9f2ab1c2b308eccda6a302df5748ea7e7451b4fc105b33c8b54a42483649549161c53ad338f9ba5449ca9b12f8248053783a396ae1411b46c04e4389d5acc8ed014feb3dda948a5db75fef63caff677a76853a3803071c78e7914aa4b7dc8c50410f3b6ac8e90af3389d7342246bbeb768afb701fb7b0ebe5fd7ccf0c991510c84f1d9e369c5e1ca34cd903903f625f38966d5c36384afc51696a8b6fe18387f76c41d11af409fe50b0283d172c5398c653cb39145e54184ef33c448fa0393c72b056c0486d38e0fb701faa6e09531535da629ee8e1c5ad0ce9fde6c30347a2177aff20b1595b4d392ea02c872b5e7d63b2d7c1acc48f4aa594193b34a6ee1d7b980b68dd3c2a7929ea79ace175720f73790a88f6b674f54e568bebfd8a482dd0a6dbf31b8ba39c3c9b7b49fafd93902748549af5142fe5ed4f156407c19076c968d859ef5fb244e2128936497bdad7faf1f1f94ba3bf641a90d9770694879b2f937b27ef79d39f1821e0357231250f2fd8381d2767f1b64d2a3f8fe5861b7cfb86817422f45bf1616fa120df61e6d8881c6a8a8f7f768c230513f6f85b1827f0c5f1053746c70a6573bb13a11a5cd150cce785c20bfac7c78df4a46228c70d7092dca02cf00c8eea9ab2fab7893159a76665eaba4d2d7604e85100ea2a8475f3f96e8ca919d6888a662b4c5e1d6bda68fd17408a33df14b93d20b7dba08e468d8803ee6132e4e79cc9b7dcf7442ed3ba85cbf40eab09cfbe49158bd4386315211ef7d521670c8db801a129ea461398e74c4ea9bffad7458f8c0fb554d11251b87d4bb4e6e1b595791b1cd5c25e9913ed489095b07436e3b2414a6fd9820ac3c9a50d1c29da6f9ace4abeceec953b6fe04be23c2da2b65ff3bd45639a077a3c2c82856cacc20d3652f7db6e122e8b53009e1c2f8834a8c7f545a83e7aacf0b6ec86cf4734d724510222fb4fa5efd2c08f44687236a80d55837a1d07906adf60e24382931453bb2d509fc117eb1e133d976c03fc58dcdcf18c6769be93cd99faa9c5059c86196ad1c2deebe1404c89bc0b6155a4c4f41628f1f5f19a2de1a56246a9cf323594322fc5e27b38e32e38559a58c2174db54b32dbd80d477c3180a18310451362468c053fddf38395284e99f084bcdfb7e7151877b6e8652d32e92a13e66d00021b47117430b897e1b34e76048f3ef779752b5b2a9357507bb07b14acf8b06dd2dbed60cd2bee2be44c917d3dd42e04d39dcfbdf05a36bb5935c20b15bc3efec8d03ef2fa6f063f602e98a184811d7b80dba8fa85675be32fa2a555bcd9f80b8f3b788bda7f7cf2ba5584eaa7de7f1beaf33c3fe2db9902e42d8a02540b6b57ec0947267663af8f39b57a0f381a60aafb06090958902fa79d079b0ec319e125f1b4cd3d612d8749207aa62116134f941bfda68dd6d6d4e33c59737982fd668deb8bfe7c9bad0893b589b2f52f2d2f913e2f5cf9bcba86dd60ab3ba9e877f9ee08594436cc8dd2c5d0ae8a2808e9fb006090bc90ed90dedeae1a9d41925e1066f98d709f7ea2034682990c52272b27f833e130004e95e7943770fadbff077ea02a5d5cc824e1704f95aa83359a77edbf19dbaaacaae2b7c2644862b39c35aa4f6cdf2a88bf928320026ccda9586465fdf89f16cd7f0a255a10737f501fd035035d36712116a13c1d41c8b6929d4d6ea880c51e2acd24ee5674c4194e90b5fba8f65a8d0b89a0aa85971f9c6a4d374799faa3683be3bbc74997b4f1a691be870d6c083c5b0033fe41d5295a9bade0486a599a7cc383096c02f6103093a8e65a836c404ea8b0d2267ad30f1a03beea6f9c36f8e181f6b8b599fd95ea9438b2c143e5fa5dad997ed172fc74e9d315eb7452cbe54bd09d364c66936aa933ed0d85811aca617f6ed9711f2a37d6a8a3e803d55a10b56195703c312727fc53fcf75e5c8c6610f5e3c9cdcbc36fc59534c11fcb56758f37a03229ed80164b0746df8b4f05a6e0e9899e664deab2e152375915613781f8a13ea7f7b053eb96e18fc564671940b08afe37a1060d5eea84e05ec8ae7888919bb56df2b8cebddd628a4ebb41836d25eb56bb50d3a206425722bebace46c5177e65bf5c03bb592bb2268b351069389663abe9fb28772f567627af3a08e91403c2c25c172ee37a7e1775a5ecd8a5d226564200fc26577afbd87127024577a87f318449d40aa75d126f0e2a425ca67e1f57e5a547ee4f77a423af995cbd49ee03b53dc8256f799783adecf71165069823adfe257f6ce03a8cbf463da2a17ec158385543bdae799eb159a60a76ee61588c500f9e03f2bada1c2b802b899d8ce960cdaf6aa72e76ff18ad0c2daf27259aac5cc473f8f99b0b3e53f041e0ecdfc236ce79687c146787f474b148bf0fefa721764442ed7a495f3ebe0db6bd98484940ff1fe5ccd976083ae98b5efef30cd551b67d25bd876251f277da770dd41c2d19d0cd0e7db41c05b9df8ccc0e26ad704ed710e8e05e70890384168b892eb08006156dd1430b9cf78075475db2973f5b361a63ff7a59f79a0c1c64e34d6c9dc3fcf37b315671eb70c88b8e6dd0f89f05b409d22ecf6c2a44c75fa656c33cff0fba0213acefdfa2401e35e137a7c9c6864903e93c09fa98d433308d35616b00825ba6b76a27767d11cd34a6a1c10ee1cd6a080a7bbd90be93a16f4316a7ace742da8209c4370087a56f55de426f6e97e996f94b81dca4a25fd22e9980807a0d716b499211d98c63453f2c6176c3fbb74141a5a7eb87a64b3e30975cb41e1a20a508b6e7807315a245b23ab66b134afe593f24c8edb08f483c9d6fabaa2955689c0cf2e9a6133d9dae59395765c7137afd16a36e345b6767fd57f138a22e45a7a5128d7e08993349066a92497bf3a36e600a044d0fd7516a867b60d30f0c2b20d1f6ec8856b84816d5fc976a1f25d1d9c3af53aecc05f9772ec8eb4a483b16beb78319c82e328ac656f7eeebdc662d74957265eb0ed4670ff8b745e41c4090dec9480c60016aed7516eba8d5790d063d26d99ea6b3917ef178ea3f5ca8e638b761ffee52df8565edd002af9985724d2a069abf2851b387782bc81fef3affb95c9a9fd3c171f0553b250cbf25abe68613301e696e127dbac6ef04856a031742bc0f7996e9649a0044fc97d7a1d2a37f73acf61855ea722ef0bf7133663f089f335f27ef8e701b278e61eaaa9d5ad24ff015f8d165e1a0af49dc024a7b3852a7d5b1cb900cea48c3ef5b71093af8b11decc81c56cf6c83e39388c5774907143becaf602aea19e84e5aa57007bfd20218007187741245de1b9a094cd70f78f441fef3947d622b8121fe310d54b8596ee8870c8e9402a88ca214c9da0e7a750b16ad7babe0372f1a715f8f6dfea297b37fec15e3ac0cda5a62878233508c23e6abca3a1954cffc247defba0478ac2ca0863e6c6ad21d224bb0a9b52fa9055dc2725de508ad6c183055c79660aa579604c53fa69e880fcb6c882a6f569af58716e6096fd6d5d49688facc9324aa272b12f91026188412a6f45894e66bdbed487f8ac24d2fffdd8debfad360144f75d5ae9f88c95873706a14be866190842b1dd5dfc05b5e8ae33f6d03f4880963c03e3309e81657727c9490930120f2cebe5813d2c2f57f03d74281252946c27be35c5213952bd328179ba9318bf7141bb1e8276bb40d63711a25837bc9f443a43dd68c6f3f159702b1be93e81e562245f7e69e168e9a990d9c9cdcd6a97e5c24896d187a77b880f8f00f8184f7dbf0410eafc2d450e3016b02c423713884199e70b1f4c06f798ec721d4f69cabb7a54ec0e7435e3ec185330050ad1106a0a31a866c8a3607d04bf4bc417f3f4e7fdc45c69727e28f87b3fe897ab8e19f16182b13038d530ce20d7d8966147973b6d380530e64ca5a0f156b63980be128979505615f96aa905c0d5850901463259b80048a758e0b3a279d19e461c050e49220b62f11a4e910dec5cd9c60f933f3f90e7367d780f01862ad40d71695d59099f793a061d8867fb80ed5ee4a7072e49a7928baebfb8572bc1a629933c2379376a1b27684381780acdfc952bbd4cc58cb3ebedc8f7e61210aa6a3ecf9818343905f5c3ea9048bdfabf168791f7f705e6ef6a52b9ea9042ad7e26a12d85edb2967e2af1310c7c345d85714b1e0e0be7a845c281664f3f3b403f6f0f3a2f6f4cdb80c5ea72ed0cb6acd5588dc8df3c1dae0ae1e90918337b2b2b08223d6b2decfbc7d7fdd7a1613f77233c0d9e4dd4064d266a54ffaaf578e2637dd7aade30434772e80acf394a336c5e1328eaf48b59758419b6223d1f38f980a797081e6dcf98645d79b8e3acdb2d8b0ade550e9eac03a2c163d45f8ad59e7b49a63255bc5c717a3359f79d0911731e6c0e6cb6e29bcfc74e5dc20eb9ad4aeb8eb62d94443d2f9eaeffe688b844fca2f8bccaef1489923facccf4c64f873df37c208bfbec855622ffefc10986678787d22387d8d83a3355e1db5517bc6805fafc9aafb45a8b621e9d9027db13e30fd00fa05bb0ae9d33e8294983b7c7cd0a9497239345ca9b2bd2999ffa3d433084b06a8ae868a144aeffe044446455f6504daf224b8639c403604388ba80cfbef32aba091a55aa9b9c0fd8b2e9f4e67f7f9de3585fc5515c57e70d65743ba1ed11c", 0x1000}, {&(0x7f0000001600)="70498ebcd9c6ee68f051d364bcf8e2833bc04e553b73c708ec5ad9c3da8dc7baefc1345bd6cc0c6ec371c95565d639279e328900d8664019cb99059067643d00789fcf7b9b97f74404432ba12c9c4958f2ad97c15201d54572ca7bf7e107097c773c6adf52fd75658d73c5acede414ec8cfed5dbb9d929de733574d638add32302f3b2c163d596d57d01b1c926b85439cd531d1c9bc9ff7f8ed8fa7f8f349d131a6d29433049a4c5fe0323fb4b5f9a2dc8f3", 0xb2}, {&(0x7f00000016c0)="f0f918d053fd29af729c2d0e01b575f07b05297d05f53dafeff2a12f0acda4aa4c3dad48d1240b566c5412a428c20a36dc30d634ad36d3d29dbd79ef8184119c70119cf66294404e0d901665bacf9a21a7873b4a376e22c80ce1fba8651647c9376d1d38bbbca0ba44d46f76fd9b2f045903598c", 0x74}], 0x6, 0x0, 0x0, 0x4}, {0x0, 0x0, &(0x7f0000000300)=[{&(0x7f00000017c0)="91f1d855a98685d7683c8826af1e05de965c677db53bc822272bc845deebe37dd346aa1b44ead9a77af1825f2bf8a1a744f002ed64f816655a14015a778a625336f0252a98039f5b259d5d9ac965d677be0f08d0176fd6208f5b8ad211f97fc8bbca65997510a60e18e3afe69f1fa8f70f1a9180a51f6a28aca9377a9676585e3f232e20480c508353ee2bd62c481f118cc05a41bf457dc9c6dd60727b5cecd75617a5ee7816c2e47d6ebbd127702fb3ae0303c8028e290f5283ba1f174f574cdfe3f40fdeae8773dd34d4cda379", 0xce}, {&(0x7f00000018c0)="c39430084d1972323d89c047c4720f6c8dc3baa62b107e3fb92870ba6785bdb00646cd7cb4629820c07aad698dd3123ed2333ce4ac6588133f3714ee56f8168851ef648348d4edce621bbeabac731aa414cd3ed5", 0x45}], 0x2, &(0x7f0000001940)=[@assoc={0x18, 0x117, 0x4, 0xfffffffffffffffb}, @op={0x18}], 0x30, 0x800}, {0x0, 0x0, &(0x7f0000001cc0)=[{&(0x7f0000001980)="e367b9f0fd7f64caf65153f02834a1c815674c97ae0cbc31995b7469b08b7497c268975f78977549e9e208dcb1f6c0c8d389984e4456625cde7a53d2af4580f93f92cd40b8611c66c517eae6208eb040f60db3c23d9220a385d680162f41d23fc2b946f5ec", 0x65}, {&(0x7f0000001a00)="1f337bf19fff8a33957d4f9e99baec3bc4f51773ada4270f0bf5c34dcf49cc02479067238ee1b7573332bc81900f2d98d4ddb2ab6e28946efb6b6c2039c8b38d49d9a0169be2b026ed55c627855c08c9e3243005bbeea91b12ea7252625a53837bc58686a3772dcfc00db6951d74af631319599b5be6dcf58eddd77d2724c1000079ab68", 0x84}, {&(0x7f0000001ac0)="abd5116742b4c5bb557a1f306309bc50fa1ca0b44cb903e47ab6bcf0f84cc77bbed45964551f01d9672383755f7c9d9152668236dd88866265b81e32dda639b224b5c7462ebce0152b84b1053007793b9fb3b6076c95ee71a747b722cec332a5abf2e0391230ba4f805fdc7d44fb21e9", 0x70}, {&(0x7f0000001e40)="60eab363bdb9a62531a6b48cdb9ca498db00000000000000540a4d2ad29c2d14460a69ff54624b6b0430575d8bc62fb3ecd378c5d6cdc65c4ece8c90fca4be3075a52560059999ffc0b71a7cf8e1930973d2c6a20000000000000000000000000000", 0x62}, {&(0x7f0000001bc0)="542c82da2c1c3e2a4b81dfa508ae7477c0d18b419d205565225512a4d4d8095d97441e185a957812848d129a8c37d030b37f6e11b62c40bb54ca4e1aecdea6b7ddb7704821d3d0787f62808a9e701d322c0a62a15d645200d1612f185411b9c774e44ba86ca227533ebd13890b899eb4b17fa95e98be2e77eae5ad8c0c0140c1f85dd028e2ea438a1eea247999f974219a33eee8294119a187f5dc83632f04ad978812abd03791948446d1b2cda6799ceafe9017f00ff66f9456151b8ee23228249e043cf8a99d7a3eff94fdd205010df2a526c6638a61cb5b32dc9f3db476d756ca58fcf3a43483c88f890c98d9a17e06525c824ece8fc562b54b", 0xfb}], 0x5, 0x0, 0x0, 0x20000000}], 0x4, 0x4001)
sendto$netrom(r0, &(0x7f0000001ec0)="bfbfa5834c26b59ff888e69635f1023d8917d6b751d76d25666f7ba9405d81dcc0e2f078eb5f59f5391db06dcd6f376b97b0ffdf990a55dda2b6c41bb7d3a234e344fe1c3db1cc7cb0f67f6b6ce27700f0396afca8c9471249430aef5080c6f4789559d44d7548f9341be44cd9654b6ab489b3a6c3b1992dda7f3daca65c2d32f879d373a3e9ff6d01e71b8248ab920e235f8404276c065094fb8aa7d1abbd6c01314c7f09da7dcdef1c22087e59aa04145e552e0c1ffb58056c391b5dfff0dce2c52b8eb17a7b277013dd62b67eb322f6cf3493891c9f8c9629160f845707d83ea9d51b507ecbc9df955f2456c866d31483fe67", 0xf4, 0x40008c4, 0x0, 0x0)
ioctl$VIDIOC_S_TUNER(r0, 0x4054561e, &(0x7f0000001fc0)={0x401, "f1fa8da956202bb54d4b97b69b9b64c9ec63a4f59722fa175114ad1c7c36bbc6", 0x3, 0x408, 0x96, 0x0, 0x0, 0x0, 0x20, 0x7})
syz_open_dev$sndpcmp(&(0x7f0000001b80)='/dev/snd/pcmC#D#p\x00', 0xa4033a, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(r0, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

[  601.910117][T22903] binder_alloc: binder_alloc_mmap_handler: 22871 20001000-20004000 already mapped failed -16
[  601.921375][T22903] binder: 22871:22903 ioctl c018620b 0 returned -14
[  601.939874][T22926] binder: 22871:22926 Release 1 refcount change on invalid ref 1 ret -22
[  601.954400][T22903] binder: 22871:22903 unknown command 0
[  601.989495][T22903] binder: 22871:22903 ioctl c0306201 200003c0 returned -22
16:10:13 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x5, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:13 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x3, 0x8000)
r2 = fcntl$getown(r0, 0x9)
getresuid(&(0x7f0000000280)=<r3=>0x0, &(0x7f00000002c0), &(0x7f0000000380))
getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000002ac0)={{{@in6=@mcast1, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in=@loopback}, 0x0, @in6=@loopback}}, &(0x7f00000003c0)=0xe8)
sendmsg$netlink(r1, &(0x7f0000002dc0)={&(0x7f0000000040)=@kern={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000002d80)=[{&(0x7f0000000080)={0x16c, 0x3a, 0x100, 0x70bd28, 0x25dfdbfe, "", [@typed={0x8, 0x18, @pid=r2}, @generic="37de6d3e52b74889ed5ba8a27d1c9f46f255be789bbdd08b9c4132197a6c96b7ffe040cc0fceba641e9965bf168b7a1ee2a31329bb5dd4b5a2e8cc68f0f277d8f606d4c6f70d0f23771dfeabdb5e97f2381246473664cbe53268e983436969f969b58127dbd98e12de0339315d19cab3ed31b1d73a6e5801827dfaeb470ada11991eeafaccd9b63c1e89ca718a1c382c5ce1100f881cb2eb8e757f15f8186debc3e9e810167fd64e9bd0dcd687504d1df01f1c0ef83abb76839ec00603447c7abf2989e5ac5f", @typed={0x8, 0x2c, @ipv4=@initdev={0xac, 0x1e, 0x0, 0x0}}, @generic="3e569b2783774e238aef7bafb6fe15efae37652f3e48f9c8ebd7d6eb8d74e4fd92f4de87f3fdb01d65e8cae5c447813b3fd1d6e9df21ee7f79860a4bf2066a7a53467a73676bc1c38b5d4fc84d07a77305c3bbffffe229530e02bb6e336a4a27894669051241d73048a87750b0a02ff36ba37ce9b1ebb973892fbada7f11c776d7d56e160c"]}, 0x16c}, {&(0x7f0000000480)={0x1ac, 0x2f, 0x900, 0x70bd2c, 0x25dfdbfd, "", [@nested={0x19c, 0x87, [@typed={0x8, 0x82, @str='\x00'}, @generic="093bf86a7f6611eb93725f46319b252260e3ed5ff56085fa438713d976a3aaf2654efb698d1309ec9f7d74d1ead3b3741c11059c849c6d4650b7487e551ba8d593d63eb002ed94a020a9306a3f1e7df39c367b45614e830df557979f207cc00b0928c6f622175715719d9a959ba0009c19948c721b0eb167ef4a82a55ce8b27334afde7f9ee1ee2f337912a76eb5ec2cba088609c5d6472e17960fa36d309f5f9c3633649da6c166fe91c50a6542f9d98f9464ca80476f4bd6995b4237518a7f66c711f8307cd38932db5a57ef3d71bc", @generic="82218ee3161ec8c3d484c4f023d4780cf0d2aedfc3b0", @typed={0x68, 0x3f, @binary="8d0cf3b0b2f5553223044d26e1240b8fdc1e3ca63815701d9382b4f38158f7165ac5a8ddcb84a58e68fff008924cd6e239c9eff4ac3d9501517d38044351349beb2dd49f8cae25a924420c769e8e0088cba74858e9d5337922f45e11b26009218c0acdcd"}, @generic="7ac83a2fdf2babfb5b5967f1f9b9407faf37fb9659a5f9a2ccaa68a53262bcb6a393dbbb129d324d791e522ee1af740b8a0848d3e794b3f2ec4c81b288031163"]}]}, 0x1ac}, {&(0x7f0000000640)={0x2470, 0x25, 0x3, 0x70bd2b, 0x25dfdbfe, "", [@typed={0x8, 0x1c, @ipv4=@remote}, @generic="d963295d8d58f255b773494b8b587a6cbba4601bba7c456fb6f7c65d0e1cec9ce22a90912f2f9548504d739dc6149846b3a37eafb7f3ea43bd7700d5ee23168c16525cb6c5362d636badc57691c43b8247c1b990e9012a911cb16fce006abe8d329a16f4d8add7e1b1dcbbc64b7f4a0f31811f75d0dc3b8b5319586ae8c7", @typed={0x8, 0x48, @u32=0x6}, @nested={0xac, 0x29, [@generic="1df3fe9a0a1ddf6f33779d402cc3bcdc9fea9b13cc8aa05be154aa790c93b7235a2961e5540f87b6d6960722a633a68a5608f7cc183ab6eae764a3e52a2dca2632dedbaa2544b5e080eca25cb96e5082db260b873ea9a497ab580af661de3a03b39cc4b7a1420f49d1a2c79666c36bae03ca47653ded3de861e5c9aeab03ea41a5c9ec2228ca2a39689cef1e72c32931329b71004c67d4f234caf9c09f359d5f35a7ec83a60164"]}, @generic="b23443b91c36e41d4c0b659f6f6a85d7edecb7f8fd88b8e2d274d66ec2400e0c7a9c13e8d93e9c4d2ecd855021f8a2a35062dac85c71c7058655c8b71e2d2ad3e1383035c18cafd0bad411354c54c2082eb01b37c939d270ba626cc15456498940216d645d0429d2e77ff201343a34db5569c4d15125dc8ff32d5fa36dda25d04856b6a29408a0932ea53789aa72e3aa3694d0ccdccbcc627e965b18c282912fbd8cbb5ea6ec1b91f08e0a2e", @nested={0x1120, 0x69, [@generic="323a04feff9c51c336e18e72ff49f669b1440eb9b176d529531c66fe89bfdce5988a675b3b8fc77822b78df38979b080d61ab676bb1b", @generic="d5215ba0845ed544958f1f07d29439da26282f1ac4813871d87bf1105278e00451bc4a63b5cec72d3f4fee44e9014a7a10eb523f2b2c1d002fe82efcb36c9557902e48f594148cdca13dbedacd34e292095ea4c21578241bdc4f64e1cd5191ef2420054926d18fc3344cd86b1565e47551652ca47f3531f431fcd69e0b42d10b6e8fef20db41b5805dc0c16ccff2494171a833d6b84bba79dfee7d0ca6f0bd2793dd1f5cbaeb988dff3fbff0e1d0182be699fe5f4dab335bd5430f1c7b87b0cc2c05c4e0192bfaabea9e99b9888ee5e2a3d68803581ed3c0d396e552a9165e56ed04e99c612f4a7839fae44fb9987b5cfaa6bd06808cf41f4e754ec0de75f2a5edddc0d16524d6c58bfa37635e77dd618057fc82ab0b9c7ee82d3b7811c8f618152adbcbdf7c237b80224d94d7e8dea36fffc014ab1b0bb56a27b0d40d97ad4d6551901b2b4e54e82b6850caecd2de5980c260e4679561f4b0947188d48dd3182f69934baf991f267f96a8109302954a0b5a04239632372f339fd2b058021ddd72da1d0f76f40c9fb6720ae218a856b9e4ad2b3d4fa8c705a2556365bd31cc129ee370385d0d1371970d1850eddf21f3e91f8df0178ffcced95402c71e91eb50f41f6c6f1aaf17f5af2b8d995c9df4152a312f96c7991efcdf24d2750ef252b734c8b218f7867d762eaebbb69b00cc00ebf6a57cca0666d323abde8f854e694839c572208417e70de1d1077d7e6a30504cdaf851c1f42f042ccde5861d7d5ed74a99140688e13ed683e62cd8cad5ffd7a6882a25c1482d678939d4c469003bfa0a6e8980f190b3961cc663409b86ba64db58db0accac246e9ea1246cefdf01b47adc62e4423cd9f784d09b441d0d68fa405e8457cde80af8a171a7fb897307e70756bdb9f15e5f767f21e4bbb1a37d2ec8c419493b94f43b88e46ebe4eaeffe7e72da2bf51dc856842603030999fc3d67042a586b18129efc0fceee5a27fce4514ee68b3c1a752311ab2bf182d03063db521c3eba44ba349f186ca98dc2da863a419520bd87c197bbca190a1675834c460679f6a63b1ff5d64acba62a659285fde0b535f6862936513e29cbf5f9e794fe23825c0cbb872bc51f1ed82052f375d5611ba127dbc9f19a2c6866d14036001aed29d6c255ca2126d6939d6ee292ceddc90248b540cc166626e898d5ce55d35a1c7740a0ce5af020b6a8741b58d2ca7419b2a412ea271af69d60582e3cd41820b765f0ef0dfbbc224bf49ac0c14257e251c2a63d3f0638a1aef067ee3671777e7c76a69d5fd13ca9e2ff5f1535ff1e27f59e04597907c1fa4d9af5b902d0880a948110a55b3d135fdb4e805be6db7f340038e541fd1a7a886690d82e838c9da9f1812fee6f9d785d0ec62181b4ae17818d2303adfb1eb59bbfc69e24132e78d10d056a2b39f82bbd120064ed3346ad2a8d09ffc787722976b7dfca741c74c117e6bfb6bee64306db915aabb504bee6d6e4ea7406fe3ad22e8de8a4a1ff944618f85a781ab9cb87f3d753b955f67ba94ca60ea94f2a3d3d0c0281fd4d7ba2a17e4810cee91bbe0e51240fd0fdbc62e96fb14e8f921f4f391d313e805ace6dd78823aedeb355da69d7c4f5c22ff42a48b1b207de8ef2fb63fa9519813810cebcc064f41ecac0158edc4eeb3707f1f6221e570475bf989943090016f91780dc3cc3a5b63acf1bbff1ac1c8459e3b92e1835d0b2c54462eaa550698f806132767f852c45b5c3d2ac9491a2d6496f5ef1fd0315dd2045c456f56a7b4a713bb9878aa3d311b6cced4ec733e2abab8914119cebab390a87f3908c51b02509fed970bdb154d57517ea266e39359639f270f0c6000e61fbd1241964b1f792ed8be5789a38e32394c8b132c9fa9b3776778c85de97ae19080fec5177521ce17a3ed942c1afb69cb4e45f200377d7a8ac62d0019082237e175512520f3c8ae005dad541510ce20d4b3b294b04483c195ee34e34433893c4c6aa7d476496403bc71256043535eb88da344924123a8e228863cadfac85c2bdb96f86e68ba5c4d7c1056dd5504e95a7a5441a98ca09b1843241ea4b50568649c924f636b68f1c64b286b7c14edf9bc1a1c3302f0cf154f45051b38a58d147c282f4da0b5e43820ac48fd0d6707989bc6a70170100e859ca6fa73ac7af8041e77b3fc4af3904ded864be599c1c316ccbde55b506f057904080e0ca58a4bdfa4a27622254bed4ca0dc4bd7f0eaab7912e505b6e9c7663881914922a0d0a176bf6d19fd776ce89b1295b89a5f556eb9d184441f8080e995271cead85766d4eb9b6644c5688a6bb57922cb8e7a1198731ea3d0da8192da09736950a99bc2845f7660449660b799220e0bb5e77944d3b931bef7066054b4bfa0981cd9e0f40eb3484c80461762024cc8b6004166c5de4969196c51d8537afa5a5d57d684745118d1549c48353b5fb3841def0bfc1c37405550d1eff601e8b84de94a6a10082f0d77a4094cea419921ad62c6110605acdc5668d530a58e79d2eb902c68602f4c77e0f7c03196a1a010f52d1e083679b55367cb686ffb65b559928bc1ddc71c1ecf4320041406a6759d710b1b36749edc103a00dfa0eb6f651bb137d23bf7c11b084b16414b26406e1be0954ce19a4a0ed3922c3cede9ebab1256ca27f9b42e10214979037d28469cece6c70a81e4337c2242ece5e62c4b1dc5181949db9bdb127e92dbb51170cdb153374b28a7323f50b799c2ec57c3ff604c9a75837e4562bfb54ab1bdbd1ed57683d64385b005faef787f979272464fdf7cd68fe3005b6fe7162ade6a9272cb1c29fbb70aacec954371ed850630f979be20497252d34f30a6748cc0f8a6663f65eb74be0eabae6366e89b1ae89b8d0dea7c4a349f740bcf61d8b8ec6043985feac74efce709bd6418a7f2343969bd363cb8531a4cc3be3ce119f0fa1accda64567ca4bbf73ef1b516dbe960540604d5bbc4e2762653dc01b25939694e8055cfa786c8f934dfa2fe59b7cff318b25b34c50bc2db08f95c934e2c4a462887e17a389898a1b0c1bb7745dcdf2fd553ec2dbfa1f4f5d3b00c301220c4b90e0b311a97bea163f13ac64654256397929fd9d70533e4816dc978d3b61025b2bf64c4ab9b72e2520fe2d4b31b91398fd13e3d086b9d9fc01cdd17d9e68adec35cfafdb204599fa21d5e12f3e205b9fab9ec244cd58f934b60a66e71f4b9d2321c67e7929ccc2cfe5acb1722ead83284c658fb1aff05849198ee9fbd17af351b6000fe8f59b2324a750639ea18cbf1253e3997135a4424a6d26b7d0f7deafb8e7d6ea51deac1d6432549e0f57c376ac2e910cdc31ca465ef26074721c28e7ff2ac3e479ef76827a9882d5988de09c10e9af30ecfa29317f461950eef763aaf8f24ae53fc45bb39e0e33f7211e7b6f8b3b524ec96d3cb245a7e77ddda4688fde343dbf962cb30ac0f2b484ee8414c21a459fa7a973548f5739fe9fbe24fa03ca5e2b9e048f2e5c83163081386a7493c61a0a84f6fbef23d094cc311e4d5650a3c0dfa84daf55164aa42001094fb2877c4a989451a781c73e97eb839247174e16f0c29b9d6a00ddabbf393e6bf298e7bbe89df6748df3642af7d9f2dd7d7348af041e52e719dd5490a429de98f359646c78ea74fde0c3041164ad075210043a95cb7b105b33c55fb2f52bf00c0806b6f02bf76e7643e333328167479866a09f763684f5033af9163749ad46bad095da9688e3a4c311a419dc71e93fcba6196f622523252f896f18ffefe1ffa2797686fe8f9e2e58fb499d585a4a27c542bd7b0127f9089431278861c986f2cf4b52fe952ea48b0b527aea6d263074a01417ab67024afca221dfe422a5341e855991f9354573eeea553b4c0d02ac09b62b2f18f64e8812388085694edca073a56c1b494df90f928437be946385a4e3123b5c0e186cfdba3ddd91a80642345ff8d49d50c740fe600bf09858f48846b679dcf4e403a234e8b03bac18851925152496811c45b2e7fee990e3d9666e85a76cf1a1459a2c28b5a5338acd35f745dc35827ba3e6348dcfdda42cfa15cd6c130f579529d8b6aa70983316a328ef42e97645e9d8dbebb646a50383323fb633991825c3e790a688dc9a6e44d8b12ce587e148552bb345ce945ad3dbb9862697c2e781193f7ec569effcf508bddfacf8497f88b96999a234d53a5e87767ac23df91ef823421959132e7a71d4e572e00bc90280a03895063337f6db534f2a4c062315e8f49aeb803aa3a33618d95a4109dd18319aaa54489d517f7532db01264a8e181dfbf98d8ba895cf37427f97280a9377270d7643b804973d826cf8e1f4e1e274f2d857bef2def2ef3a5d1b6f25098f20ee60bb0e0e372be49f5f7cbd415a33627af734dd156b259e3eb73e7d867f9ee72f891d8032b07a6d270ac955218ad8135cc092a4a8c02b29ee81d8b95f0bc805983f511276bd1efe8b97319af2d22066f99e88dcfa3ead50725823e66984cc9c718a30607b2b76bd6d72663d6e244797f582faf73e5619d820239eaeb216a3cafe38096b6623e033d0384b4f46f490b020182f902e9748003374bec02818e8d9a4d2c9cb0cfdd6302e9bb1676c2fc77f1bf0126dc83b62c165e4532f1c4ba89c8c7fe31a79ae93aefcc36133a468cf1fd5ac9bd25d512192a6fd9494982919d96b0c81182206b3e83a21bfa5d79caab79ed264789eb4b6b90d669fae1603674c16ec1dad22d1c9582a865a2e1b2ecfba4007570986206fbc6a089e496dc50faf7dc4452decb7ef6d5cd32ab4227981ca432da17a7dfcfe57fedf011b897173bcb0bd97e39318dc2bc237765100157594fa8c42f3475f6d4a9aa42c5ac01806b6e805d44bb4e9284e445bbe826c00f1ce3db7146c8920c0ba482ab85d733a69ca1399692f84fe33ce052a495c1ac5260b602810c005d6cc234a73512a82207ad6a9f8f40b46653c4b9375a474f3c1310ead9c636053d9984484f74cde4ce4111fd447b3582c5c86369d1f7a79c6df3329a5bbeea884699b98b7aa931e2bede847d93f464e17229b801a2d7866c29138020cbd25ea2b507135cd1fa4afa190af3b57c7677aabd6ab821c5c90dba439294030a1c79de7d674ff60f3e0ab27f846f144fa5bafa6e79fe4ef3519c493ebdd1d9b7751c0d6827726afcc6a52ceb5e0a8c7b971698f152a70b4f7b0f5fd7bf67695186c8ac285f80678eda6ab5a9f365405b58a513a73340caa17517db4f37a81be2ce2e9b6ea87570572c944f1faf821474b47572d038df7b5017fd9d85b5db69aa63e11ffb028224fddd39867e2cabe4ac13a877d24c557ba7c1e540ca297646532d5ee49f3b5bea3b75c1e09b05da298de0cde8bca96f5b6eb34ab02848c0692df3ee1be3634b66a2bce2c907aaa2161bf1754dc649d7bc102f9da12bc9e086ff8cf74d56f32cef4d8eda07fbb6aece4c67822d801809fc17e8700cf791fbb2b7a252fa61e9801767f8bad175cc5a5c023cc414c7b8561c2d2278503f7081cade0dcb900c87a46e283c9a1fdadb5381a2c8f73c79a6aa1485f7231ef696d7f8b3c22101e45de27e74495c70954b81d52a2c59f5c8bee229cd30bc1ca1a49866b6ccf10719a2fae054860cf32b4a2f855f35acf919647d42a2036fbbe83b54b5ee8c5c5441b6b7cc6b61d095b5c081e742299d12acbdbea59c62ee3addd77c54a8db481e6ea7f6ffbe6d6de7c13698f6a497e8ad762320a0a6249b81f0b7e8b69ad3a95ff5c84df207f48b7e56c5e9f900c0eb3eff1f439d0a387d8e1b6761a597", @typed={0x4, 0xc}, @generic="801640415da11bac644a94dd171a0ca18794826dc0c704615971e5cc3e4d088e3f2eed2518c3c553520e0f9528c5a767b61bec", @generic="8043d1c65e05362ec4ed15be42ef3db9c4884646aea9c4325bfb1e54006bad448d037c0ecff13d29e94c546e2a6dde6c9c7ea8488203a0022a4f8bf2a40ad75c18b4f167d7e33ba111b9e70c71c65f8118f1ee31f0cf4ab0fd24e6fa7c4214208bce7a09472f5b1af3c8cf4d05254da6e8c207487bc0a8541c29d36e0ad5c6722d244c800618972d4318d7ac4deeef52ae719875d548bd1e6a517ac4d2335756ec9377cd3a74bb3172cc5d6b1045"]}, @generic="439e0a04921034322e945de1dfe6408144407b44befbbbc74c0db9409fc4200f042541d863a2ea1e1f86ad7524e099fd05e8d90b75781cf5352e68626b29693760d00cbc95f5870e72bc331d08087c0e2bf60ff0d89cd268be82a8903a8a55853c530064ff31000f4beda1b5904531e5b4d5d420b6a57be1294786d62eebc64d891b647edce8cf249c04f7c125cec8edb4e6a00354786d5d8651c8b7b8d18fb334e214df2723ac23db97f5d701d2e62586192bcc0faa26047ec6aff2b8bcbbcb9f54712d6625f2f2eb7b926e0609aa89673750a5eb56f4d5f254ffc7ff9d845456f17d3c23ba3cc5a9cea39d5508924d8fc61e81c873084eefb1af71cc4cbbd32f367b3cf65cf68528bbeac76486304fa1afffda9a47d1b51a70bdfaf48ca4fe27e0a3697e9cd3371bf4e8015f0d6b160fc392aebf25d98215c31e96239b04b99eab0d758d653005acd00211c160f1b62967c4973aecba7107727c1e5b0828bfab362f8c7ff404330d56aa9a64f413d3042f77d824a80a338f612de3133260dd49fe6ab137d1b21c69becaf496f5ef27a6fb0131bd2af15e64caf11cdae8931c40c2f5352b1920d513a13e8cc26652d384fa401a1656e79a389adae414ba976f6bccc8d59042062223d2c71a9ffd49bf47ad23626b8f0f3e465aa5004d73a52931afb95345ed804361e4f80a9f5cb53946bec86177c4cbf5adb53f69fdd621833bc0b7eecc79702c35e92df285edd88a4e387eaa971150be5575c00f140a6ff256e92ac082ef64fb89887a93c066b9c84aa7e7bb01acdfec0ec842d7f1b1bcddaf8598da6cdd8f2bfcda9651ed798898316be68130bfd8fd6317e0478b59353555336c57a86f1fe80664545b059b8a6d00267aed883abb5040c696495f840418f84507db7a0ec629ba3dd652c4ac2f66c6230adf2a54c7e84ad120361e002c50f7b3b797264438631a97e7fa2556f6bf124fb3ced2fd81de57bc32791717eb8e27845e404b16663287da506a2a46a04b453fed7f7a0b24306aaaa9f506654ad3dbac2c004b3ab4ab423e1ccacf16615a0fd2b30eccb34b07952a9bb0dc2e0fea1b5b9ef08423e8a68da28d403ce3fba79d668dc799f27deff3e4dbe6ae41b877dfbf65e4d089033b3ae8e3c718be94d729a78e151676c4564f89507a3044ba10bac8e40a753e7189bab26697e083fe4ba3cd06614e752c7edcab4b629ea94db7ceaca8ddde274500b84dde45cebba9d7e4540d069e79243a59c45f48e8a999b24da390f98a5c71d74529c7f657ca9b14db8bf4c6005390dbedd8d3f9eec966cd12d39897445b5a73b94ce2e2960fb756b7bc4af284e0b540d696b642024d16a2f641dc32c3d6308e350256966e2bebf0be9e5c83e85549f593b5be639c8b23e94aaff125502d278dee349e40ebf58cf1cedcdde92a3c981876345af6b36332a11c0508de27ec885ea8d3b65e162e0293e45c75b4466cbe20416787a1fad3526774653b1d099f15a1c2baff7be3f80000250222d074e0c84a95dfe8313bbee8c686e3fbd40397ba263a4893efd6e67e00cf83295bcf40331f3ffa1c636e01073a0c5abcd3dbbfa161680a9dd14f76339bef4c5740ee2ee69a75795cf2503dad00c10e1590f50375aec2d4571fafa172e45a345e91a56a48809f8800b9a813a84a99736661a48f7f8db6842ac07376619739f954c9561c58bd8a9a946d3bcc450c892313f361a4c9bba42bf2bcde8dba16c9702f646c7e277055cc4bb61b7243e336c579d792af7f04336a078210ccf1ea0d548f1b7a1715725e0f6bbc40184684a48673032d63a0b2b05e2e7f4daa2244f1cfd4dadba9cbe01adb4cce7602bd2918439cc0caad9e45fb91d2b1e79b1f97a762e4b6282ed07f4b6cb005e02ecbdbac51036e0b288b0b88b1aab8479c18f8993af1c7884e9e4f50d6f86f1ee5d0995c6d73ae7fb7e7c1c2cc3b58466aa8a4a1992155c658af944544f04c1207ee125a553128caf16a2083594075b1e414d7a750242c07ba59c537124e87646ab22cad3e3fd3cf17f403330520e03da75f4c18a0d5b5d6d10e5b3801e6c86ac02d3044e2d633f19b1c110b69df6228e5a429609729b26c86de227f0473da65774008b9596ab9c1de566c9a1dc2a281b7861e6f2b8c792b238a6ddc0664f54b769a04bda6ecd376d48bcebe41f101ccf76efd40ef78f8e4e3a3774966a030cd644d1985cd0297b10c3800e27172baf961f27bc774c6851614a332fbb9f46e3c0b856947988735e450bbbeb4e9ac9bfb6c209ab8893b2daba340023fe3a85e1b793e34fda11819b410ad472207340f9e2079b5f5d121ba1a3ed72829496e362b99d21d09dcb72bf5dbfa724e45bfd444130814157d25a508923bff006c8a7b3399ab9bbba22527c3c2e1940dca01256ee26b81afd79a0e13033633fd4f688ee144e16ba6d573b07478327665d6d3353e9d5b1c7d9c22c461d736928a675c2fa0d6e6653876281fb5e234a0f6d723237cd75c9a3d18ea0f24095ff5f49ad66ab629021f92d58c3109aab040f106c7d76cad0ed3fd127043f0cf92156953ae2dce1103f72153e2da9cad9f48a23b227fbe887a168ab5326e16d97c8dcc2e278d2d3c452941414c59349518d69c023c053b2ef592bed6b3014cf9c21acd1fa6edb341f1c5202c8c69904b56f0606d63f6083ebe2f04d17cf3c280f1c8236fd5aa115b4991f89292ec67b983d3b9fbfb56d14b31797fee93e059c55a45deff4a9f030fefb46518eb30cd949ec4b1ab24d2184b9144d5ac6aad766211326b053a1f0a3e7bc7ee23851ac5fbc4f80038a7aff98ae88205c82a3a09240c78bb5622e53d2db0b672aec5ecb6ccf8b9ebcadc0d14b4ae8eb65da22fd90fa76bb2455f878d2e0409d97cebba27180c92fb157b131115751ac0688a63021806e942d7cf319799dd53b6d44561df0de09d7f48b5d712723b648f4a054f607ad01f4c161588f6fe90346ff46ef34d6c4616aa8fd1a845b45ab454cebb787cbf02f5dc01f8877cd533b338aaaa2ad6d7c8815bbf2172e4223e31b49824714c34c3a057019e305a555744fc06692efffa81d439952ace0c04d71106bf17a8010aeb7e8cae6a386256b479110723783015840e2f8b9a450c24aaa73da14696d40e96dea75a09404c57808fe5edc61ebe23aa3439a014d93f83f4719810dea0589d23ee426e6ed349cba8f25fbcf4201503965bbd7a2b67f94641c6339753cd7ff1cbf826764610a7bf506930db8466f2baa4b436b46acd69f8b0b4e1748bffbe5e4b0ae164a35d57f2801cef3318ffdb358f6cbf150d0dcff3b65af0d898a73815a06a05db7855aef9d874dab76abb31951ac7f66f3992605399ce4c5a0393fdac623bb180f988d247d4ed8ae100c4222c00f3fca4d965348aa931c5a8ed9bf968ed32d40aecef84e81a5f859672c01eec7c65db7a805db8d56ce1f92e757f077c884d036123580a512d195352184c3e19e18881c8b4a56758e8724fc5097072f330522ed5784e86fde9cad3ca0ad7e22bfff74b0a50127e0a86856162e1899fafebcda40f4b26358914ec042afc4559dc71dde93dc53f1e7b4427e1f39c4ee67049755a07192f77e8faa7df1fc821621db67da34a495f5b390326169b88fbc903ec0fb971d3750ce5bf9fd7668f50fa82574c4289149ce8407585e51a6d2224e8ad4ac3e2fb4b3b80aa2808b5c54f7331cf8c35e1e88c0a5c878fd17de743cad800cd0c55f6c6c0645d734a38152bab093f5d502c940b9d48629455144503dd291642cbcbd570fe12de5f050b0acca8d9066c7a8ae2ff62bf4ca9aa8ae6d33bee0bc87bf103775b4909dbd56822c2ec4d9332ddd40a680c650582e80ecb950b400fbd897a50307a9a0b211dfaefdf483b748c114f485c70c52e9d63f83b570ba5cb56f8ea3aab68d64e838bca90e18320832563cedd572a0d9b1bac1cd3fd50455bfd8c53752795d3f4562f046bcc646a7f7800f54c2553218f384826b59d2ff8fb5dd8ad8a95b6dcc9e914ddba461e733826afce4b13f8005658afb607e8ee1e7099bab15d5d689033d442d93b8326ba446ac4ee49f4917c47ddc05c8244413f29f5027cf2904c5ac6b86a56e3d9fe6e8d3781772360bf71193ee7d637d389f71321c1f38aecfe1e6451c86e1420386c95d558d8d9a564b56cce389db243e248430b48f3df90f83b3427601445176856b60237b48363caf5175636d9fb1f6f4e8845b3d65cdcafe0529063e8d3eec10b340b6262df85bb24cbd0ca0b95e948356d4997fd3fcc448b24b434d6b95a43870aa6d17847f380d5b848b2014a985d0c6e86868626e8a85826ee6dc568111731cdddc640f9dd7f7e46441b3874ddbf94bdad4e7843d3233deb620352fd98c82fef476828c009a03d612a4bf56659f60a41dc35faf4809d0ded5b83acfb61c45ffb5ad780f07bd9acb814c7de2721f36f2f9e72dd1ec0dc8b2326fd887ee462f7bdcd404cdb4eca4f80dd53f351acddeb7e46a955ec2f457e10f1a577263155e04356aad590722c73a4496c36903809e6b658b8532414250edd7583fdec2674b2d479ed317fe9ed7fca05a4475810f06923c2582e7b44c82868628e4b04a629afacd87148e1fa241175a8a5a9ebb017d74effd638d3de979983d0dbd4d73dc24ea2e7d379fda18c9134cf3e1baaf4494f508698d4efa33c8ab08eb0d4c437e5f13f4b5b90ef334eaeda0efc385a735226ef5758177074778a9f633e0b17bc183420cefc96d4b49852db4f5b3fa9093d9386e832a3d429e0efc0edf5dcd6ea79792fa4aa13521e8d38289a7756a94ca6205d87ae4da7864fcd02e71833aa8b8c73e83094bf0371e26bc46c4cb225aedd5e54957bcbe2912a933894bb0d396f2015122d15f469e52f9cd7c0a7ac5f1550c679fe070833f9025f47e623a8b9b6f34d517a470248b5906cec9dd206422d669da8d7f5dfc1cb44b437355b8721577e7da1a53a7b8f3ab6e1665038c61e8e9d3dd06dccfc34df1889633d16b9ca241cacada6d8afdd38930367bb6e8e18ba860659eadab20af5ddc0b894e48432124aff51883a1c37ba9954e1e768abf433856e36f221b86d9e14a03e3ef7cf261c7f863251ba379c2b98435b6a6ed3f45ff2857db7cc3b63193fbd060f251499ed91483a57607a9654fe983773ef407434f6e700b62bd1fbfb76b427965fdf67c17e74fd24c8a72a260495121e1f8d106a20492037a8d89227aececec7be4a4beeddcda6bcbe3cd582cf8cbd848a21662f7a62f14728097406f21df75a6ca30e24744b21507ef8830ca5ba730fc44bc9ad2623ecc35865c32441b493e92651eba425236be824d02d8b1bc5928a28ac34fe43fdc44afa26aad5b9c6d20bc75ef8746ee1937b435d6e6153bcd3d074a6f2d30ad30566fafcc403467179ebb85bb58c6c5b80461b5a9cf775a8c55cdc3d95237c6ec2aab7b66000e302b66f326d521de23147a83b03b292b08948e3e7e2803ef4cd86098a8e1634c41c13363f4611b7ad956d5031c9ddefab748c452bcf08e33ce1ced22b501ed3dfaf26e747b377592535325c471a0449a951c224cfba53b9e86dcc553b391ba1b1a4f95029374a289f41171dce7d8d2b79891d2a066853888163b5d95f9265b5718f7ab360610be0a9a9079b5a7a28023e1bb76fb016efb444d1d3cf9e267fd3daa8a18c426fd755210f5380825cd7a5900520e09c4cffc80379b9e7b40662581f545a4d98611c5413552ad93f630cda7190877ab82774483be7e09b83775670c19ba3f6", @typed={0x8, 0x28, @uid=r3}, @typed={0xe4, 0x0, @binary="acacdd21e4fe9414a01d13fc2546f116e14952ee3550fbf05ab39f13a46fe3ca1c14c75f9db1079ceaa2745eb967c6a9382cd782c5570098be077f48033bbfbab0630970ca5de253e28e6908ee630bb727c0968f933ce6fcc85c285414b4b918eae88fbaf4f6d6d3401abf868dd864b4e50c0f67241e973dae1cf9e4583196cde87f99433ea055e4d0bbbb1653f6e6634ea90269f3d49502c7aa5f326c56759fb666b2174f18d76d2942f69c76c84d8468edc6c11a53d9f79e4147fb58158385745fcddf2ae73add96a9367723898831e4ddd8e46eff9196b7049d53e3b36afe"}, @nested={0x6c, 0x22, [@generic="5e930784fc2b34aa674241db84090d1ea6b12c67f309031c359cdd9fae3f95fd5746526941a63e3705ce18fcd81165670e23d01babddb455", @generic="c569d1ed2ee37112d03687efe43b058f85116ff0096f5b7d6b0d1ab11790dd7ae36cf43f4d9ba3a033346276c0"]}]}, 0x2470}, {&(0x7f0000002bc0)={0x1b0, 0x2f, 0xc00, 0x70bd29, 0x25dfdbff, "", [@nested={0x44, 0x3f, [@typed={0x14, 0x4d, @str='/dev/binder#\x00'}, @typed={0x8, 0x7d, @uid=r4}, @typed={0x14, 0xd, @ipv6=@ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x16}}}, @typed={0x8, 0x52, @u32=0x3}, @typed={0x8, 0x70, @ipv4=@remote}]}, @typed={0x8, 0x64, @u32=0xfff}, @typed={0x8, 0x9, @fd=r0}, @generic="2bd78413da5fa4cdc1edd71997fc945c8ea10388d2f8f92ae3b9829ca6a228f87db15ea9ab8896008cd066ea6d102d3c3ea6722fab8d3b642e0e41c1760051b189b15bc78391d12be65c696375a66cbd3c72b20dd2db4029fd098b67950d8128b47379c981e0e140", @generic="4273217bd5a15e66b06645380ccb6619f7d5b37cce23a8d33b92637e69926a28a4101f6e1525dcb1db4d4456a87b09a5afcf954c526471666cf1d2a54ae58f22f69966212fa77c4a7229f186a90424860368f617604e1b5b078a8a087f337e77a87512d99a7b25093a474f0b38ca620f8fa12a95329ab74710b3297ca9d5c8749d634077fc61d58df0ec8da4c4c8840cdb7ca6e5a0f00d4f44aa6c0fccc728b3e17aa4d2b004a29fd197434c6b8edb40b111363edb58e7b7870e4658c6090ea1bd793c4c5f6fa03be7db90656ee5facff8812514cb8f215add2ea3f727584cd58daa0a5c"]}, 0x1b0}], 0x4, 0x0, 0x0, 0x4}, 0x80)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  602.226014][T22957] binder: 22946:22957 ioctl c018620b 0 returned -14
16:10:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x901, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r1, 0x10e, 0x2, &(0x7f0000000040)=0xe, 0x4)

[  602.278800][T22957] binder: BINDER_SET_CONTEXT_MGR already set
[  602.309472][T22957] binder: 22946:22957 ioctl 40046207 0 returned -16
16:10:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  602.396769][T22947] binder: 22946:22947 unknown command 0
[  602.432322][T22947] binder: 22946:22947 ioctl c0306201 200003c0 returned -22
16:10:13 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x800)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="0094bba472195262"]], 0x0, 0x0, 0x0})
openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x280002, 0x0)

[  602.504158][T22961] binder_alloc: binder_alloc_mmap_handler: 22946 20001000-20004000 already mapped failed -16
[  602.558128][T22961] binder: BINDER_SET_CONTEXT_MGR already set
[  602.558153][T22957] binder: 22946:22957 ioctl c018620b 0 returned -14
[  602.571003][T22961] binder: 22946:22961 ioctl 40046207 0 returned -16
[  602.663224][T22961] binder_thread_write: 6 callbacks suppressed
[  602.663237][T22961] binder: 22946:22961 BC_INCREFS_DONE u0000000000000000 no match
[  602.717515][T22947] binder: 22946:22947 unknown command 0
[  602.723199][T22947] binder: 22946:22947 ioctl c0306201 200003c0 returned -22
16:10:14 executing program 1:
socketpair$unix(0x1, 0x80000001, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x1e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)
ioctl$VIDIOC_QUERYCTRL(r2, 0xc0445624, &(0x7f00000000c0)={0x6, 0x101, "b5954211135e1596b72812020784ecda2b503a6724b59d8b5270d0d3d0bf3eeb", 0x100000001, 0x9, 0x3, 0x3, 0x100})
ioctl$IMGETCOUNT(r0, 0x80044943, &(0x7f0000000000))

16:10:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:14 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x40000, 0x0)
r2 = eventfd(0x4)
ioctl$KVM_IRQFD(r1, 0x4020ae76, &(0x7f0000000040)={r0, 0xfffffffffffffff7, 0x1, r2})

16:10:14 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:14 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
r2 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x77, 0x40000)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x400000000002)
ioctl$sock_rose_SIOCADDRT(r1, 0x890b, &(0x7f0000000140)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0xc0, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={'rose', 0x0}, 0x8, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default]})
ioctl$VIDIOC_TRY_EXT_CTRLS(r3, 0xc0205649, &(0x7f0000000100)={0x0, 0x100000001, 0x2, [], &(0x7f00000000c0)={0xb90b6e, 0x10000, [], @ptr=0x3}})

[  602.941303][T23005] binder: 22991:23005 ioctl c018620b 0 returned -14
16:10:14 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(0xffffffffffffffff, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:14 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000001800000000000000080000000000ffff00000000000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

[  603.019126][T22997] binder: 22991:22997 unknown command 0
[  603.038498][T22997] binder: 22991:22997 ioctl c0306201 200003c0 returned -22
[  603.051444][T23009] binder_alloc: binder_alloc_mmap_handler: 22991 20001000-20004000 already mapped failed -16
16:10:14 executing program 0:
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rfkill\x00', 0x80000, 0x0)
ioctl$RNDZAPENTCNT(r0, 0x5204, &(0x7f0000000080)=0xfffffffffffffff7)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000040)=ANY=[@ANYBLOB="000000000000000005e39d4357b60002350fe5ef3b96b3a0c8633e7eef649ae69a4e98cb86a156996ae2d9350a"]], 0x0, 0x0, 0x0})

[  603.116648][T23005] binder: 22991:23005 ioctl c018620b 0 returned -14
16:10:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  603.158835][T23020] binder: BINDER_SET_CONTEXT_MGR already set
[  603.201705][T23005] binder: 22991:23005 BC_INCREFS_DONE u0000000000000000 no match
[  603.227754][T23023] binder: BINDER_SET_CONTEXT_MGR already set
[  603.234278][T23020] binder: 22991:23020 ioctl 40046207 0 returned -16
[  603.248770][T23023] binder: 23017:23023 ioctl 40046207 0 returned -16
[  603.258242][T22997] binder: 22991:22997 unknown command 0
[  603.280473][ T8164] binder: release 22991:22997 transaction 3737 out, still active
[  603.289499][T22997] binder: 22991:22997 ioctl c0306201 200003c0 returned -22
16:10:14 executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000180)='/dev/dlm-monitor\x00', 0x400000, 0x0)
ioctl$VIDIOC_QUERY_EXT_CTRL(r1, 0xc0e85667, &(0x7f0000000240)={0xc0000000, 0x100, "14ee08a245087a6c1a1a18c64141987bf01590ec147c59dbf86fec6b17e1e7bf", 0x8, 0x100000001, 0x20877106, 0x800, 0x1e, 0x0, 0xfffffffffffffffd, 0x4, [0x10001, 0x7, 0x1, 0x1]})
syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffff9c, 0xc0306201, &(0x7f0000000440)={0x24, 0x0, &(0x7f0000000080)=ANY=[@ANYRESDEC=r0, @ANYPTR=&(0x7f0000000340)=ANY=[@ANYBLOB="4df6cf55b8e77caa199d3c51061350e7e534237d07be017571f684143cec1fedfcc0d7615e54e3ef08aea23a89519108d887f08e5eefd6ee3b1b00000000000000000000000000000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB="000000000000000088619430933e687c886a694236427bdc422d67767213fb05c317e1378ccd3ecd2130dea4716aa127abe8ac512cf148c0c58a57f4da1097a9299c68da0adfb2582b5c0c5c3e35444438bf0ffb7054223d4ce9368f2c35610ddcd58dbf29979dec890d67d1920182"]], 0x0, 0x0, 0x0})
r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer\x00', 0x0, 0x0)
pivot_root(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)='./file0\x00')
getsockopt$inet_mtu(r2, 0x0, 0xa, &(0x7f0000000100), &(0x7f0000000140)=0x4)

16:10:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  603.305926][ T8164] binder: send failed reply for transaction 3737, target dead
16:10:15 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
socket$nl_xfrm(0x10, 0x3, 0x6)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000000)={<r2=>0x0}, &(0x7f00000000c0)=0xc)
write$P9_RGETLOCK(r1, &(0x7f0000000100)={0x22, 0x37, 0x2, {0x2, 0x3, 0xfff, r2, 0x4, 'eth0'}}, 0x22)
sendfile(r0, r1, 0x0, 0x1)

16:10:15 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:15 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x2, 0x0)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000140)={<r2=>0x0}, &(0x7f0000000180)=0xc)
r3 = getpgid(r2)
ptrace$peekuser(0x3, r3, 0x98b)
ioctl$VIDIOC_G_CROP(r1, 0xc014563b, &(0x7f0000000040)={0xe, {0x8001, 0x3, 0x80, 0xbc8}})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x28, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
getsockopt$inet_sctp_SCTP_STATUS(r1, 0x84, 0xe, &(0x7f0000000480)={<r4=>0x0, 0xc708, 0x5, 0x7, 0x5, 0xc9, 0x7, 0x200000, {0x0, @in6={{0xa, 0x4e22, 0x40, @remote, 0x6}}, 0x0, 0x100, 0x625b, 0x2, 0x3f}}, &(0x7f00000001c0)=0xb0)
getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000280)={r4, 0x7, 0x1, [0x5]}, &(0x7f00000002c0)=0xa)
lsetxattr$trusted_overlay_nlink(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='trusted.overlay.nlink\x00', &(0x7f0000000100)={'U+'}, 0x28, 0x1)

16:10:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  603.854308][T23055] binder_transaction: 32 callbacks suppressed
[  603.854396][T23055] binder: 23049:23055 transaction failed 29189/-22, size 24-8 line 2903
16:10:15 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
r1 = shmget$private(0x0, 0x4000, 0x205, &(0x7f0000ffc000/0x4000)=nil)
fsetxattr$trusted_overlay_redirect(r0, &(0x7f0000000000)='trusted.overlay.redirect\x00', &(0x7f00000001c0)='./file0\x00', 0x8, 0x2)
shmctl$IPC_INFO(r1, 0x3, &(0x7f00000000c0)=""/218)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:15 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(0xffffffffffffffff, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  603.912155][T23060] binder: 23050:23060 ioctl c018620b 0 returned -14
[  603.974302][T23065] binder: 23049:23065 got transaction with invalid offset (0, min 0 max 24) or object.
[  604.002090][T23065] binder: 23049:23065 transaction failed 29201/-22, size 24-8 line 3131
[  604.003674][T23060] binder: 23050:23060 BC_INCREFS_DONE node 3746 has no pending increfs request
[  604.026119][T23071] binder: BINDER_SET_CONTEXT_MGR already set
[  604.040163][T23071] binder: 23062:23071 ioctl 40046207 0 returned -16
[  604.055116][T23060] binder: 23050:23060 unknown command 0
[  604.067362][T23071] binder_thread_write: 4 callbacks suppressed
16:10:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:15 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x802)
r1 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x5, 0x2)
recvfrom$llc(r1, &(0x7f0000000100)=""/209, 0xd1, 0x2000, &(0x7f0000000280)={0x1a, 0x311, 0x100000001, 0x3e000000000, 0x8, 0x400}, 0x10)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000040)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  604.067376][T23071] binder: 23062:23071 Release 1 refcount change on invalid ref 1 ret -22
[  604.142059][T23060] binder: 23050:23060 ioctl c0306201 200003c0 returned -22
16:10:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  604.194834][T23080] binder: 23075:23080 got transaction with invalid offset (0, min 0 max 24) or object.
[  604.222579][T23080] binder: 23075:23080 transaction failed 29201/-22, size 24-8 line 3131
16:10:15 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f00000000c0))
r1 = dup(r0)
syz_open_dev$sg(&(0x7f0000000080)='/dev/sg#\x00', 0x5, 0x4200)
setsockopt$netlink_NETLINK_LISTEN_ALL_NSID(r1, 0x10e, 0x8, &(0x7f0000000040)=0x3, 0x4)
ioctl$PPPIOCSNPMODE(r1, 0x4008744b, &(0x7f0000000000))
ioctl$SNDRV_CTL_IOCTL_POWER_STATE(r1, 0x800455d1, &(0x7f00000001c0))

16:10:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  604.399143][T23091] binder: 23089:23091 got transaction with invalid offset (0, min 0 max 24) or object.
[  604.427736][T23091] binder: 23089:23091 transaction failed 29201/-22, size 24-8 line 3131
[  604.452703][T23094] binder: 23089:23094 ioctl 81009431 200000c0 returned -22
[  604.477777][T23091] binder: 23089:23091 ioctl 4008744b 20000000 returned -22
[  604.497749][T23091] binder: 23089:23091 ioctl 800455d1 200001c0 returned -22
[  604.524497][T23094] binder: 23089:23094 ioctl 81009431 200000c0 returned -22
[  604.545947][T23091] binder: 23089:23091 got transaction with invalid offset (0, min 0 max 24) or object.
[  604.561664][T23098] binder: 23089:23098 ioctl 4008744b 20000000 returned -22
[  604.569174][T23091] binder: 23089:23091 transaction failed 29201/-22, size 24-8 line 3131
[  604.577954][T23094] binder: 23089:23094 ioctl 800455d1 200001c0 returned -22
[  604.585484][   T22] binder_release_work: 17 callbacks suppressed
[  604.585491][   T22] binder: undelivered TRANSACTION_ERROR: 29201
[  604.605266][   T22] binder: undelivered TRANSACTION_ERROR: 29201
[  604.649836][T23072] binder_alloc: binder_alloc_mmap_handler: 23050 20001000-20004000 already mapped failed -16
[  604.664488][T23072] binder: 23050:23072 ioctl c018620b 0 returned -14
16:10:16 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  604.703569][T23101] binder: BINDER_SET_CONTEXT_MGR already set
[  604.729090][T23106] binder: 23050:23106 BC_INCREFS_DONE u0000000000000000 no match
[  604.783580][T23060] binder: 23050:23060 Release 1 refcount change on invalid ref 1 ret -22
[  604.786474][T23107] binder: 23050:23107 unknown command 0
[  604.819087][ T8164] binder: release 23062:23071 transaction 3749 out, still active
[  604.829994][T23104] binder_alloc_new_buf_locked: 23 callbacks suppressed
[  604.830001][T23104] binder_alloc: 23050: binder_alloc_buf, no vma
[  604.865846][   T22] binder: release 23050:23052 transaction 3745 out, still active
[  604.867782][T23101] binder: 23050:23101 ioctl 40046207 0 returned -16
16:10:16 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x10, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:16 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = socket$inet_smc(0x2b, 0x1, 0x0)
getsockopt$inet_int(r1, 0x0, 0x1e, &(0x7f0000000040), &(0x7f0000000080)=0x4)
syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x800)
fcntl$setlease(r1, 0x400, 0x40)
r2 = open(&(0x7f00000002c0)='./file0\x00', 0x200800, 0x0)
ioctl$NBD_DO_IT(r2, 0xab03)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB="eafee5fffd000000"]], 0x0, 0x0, 0x0})
r3 = openat$ipvs(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000000100)={{{@in6, @in=@dev}}, {{@in6=@mcast1}}}, &(0x7f0000000280)=0xe8)

16:10:16 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(0xffffffffffffffff, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:16 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000180)={<r1=>0xffffffffffffffff, 0xffffffffffffff9c, 0x0, 0xb, &(0x7f0000000140)='\'eth1]em1+\x00'}, 0x30)
r2 = syz_open_dev$mouse(&(0x7f00000001c0)='/dev/input/mouse#\x00', 0x1, 0x400000)
perf_event_open(&(0x7f00000000c0)={0x2, 0x70, 0x6, 0xe3b1, 0x5, 0x20, 0x0, 0x9, 0x20000, 0xc, 0x1c1, 0x0, 0x3, 0x80, 0xc67, 0xff, 0x8, 0x5, 0x8, 0x3ff, 0x8, 0x2, 0x2, 0x1f, 0x7, 0x37, 0x8000, 0x200, 0x6, 0x10001, 0x0, 0x0, 0x400, 0x7fffffff, 0x4, 0x36, 0x1f, 0x7, 0x0, 0x0, 0x2, @perf_bp={&(0x7f0000000000), 0x2}, 0x120, 0x7, 0x100, 0xf, 0xc9e, 0x9, 0x7}, r1, 0x8, r2, 0xa)
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

[  604.877500][T23107] binder: 23050:23107 ioctl c0306201 200003c0 returned -22
[  604.890405][T23104] binder: 23050:23104 transaction failed 29189/-3, size 24-8 line 3056
[  604.893801][   T22] binder: send failed reply for transaction 3745, target dead
[  604.915905][   T22] binder: send failed reply for transaction 3749, target dead
[  605.009840][T23115] binder: 23113:23115 transaction failed 29189/-22, size 24-8 line 2903
16:10:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  605.064981][T23126] binder: 23113:23126 transaction failed 29189/-22, size 24-8 line 2903
[  605.077930][T23129] binder_alloc: 23119: binder_alloc_buf, no vma
[  605.084248][T23129] binder: 23119:23129 transaction failed 29189/-3, size 24-8 line 3056
[  605.093510][T23128] binder: 23123:23128 ioctl c018620b 0 returned -14
[  605.112108][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  605.125301][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  605.143666][T23135] binder: 23119:23135 Release 1 refcount change on invalid ref 1 ret -22
16:10:16 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000000)=0x9)

16:10:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  605.177121][T23124] binder: BINDER_SET_CONTEXT_MGR already set
[  605.191210][T23129] binder: 23119:23129 BC_ACQUIRE_DONE u0000000000000000 no match
[  605.191334][T23124] binder: 23123:23124 ioctl 40046207 0 returned -16
[  605.250300][T23141] binder_alloc: 23119: binder_alloc_buf, no vma
[  605.277304][T23141] binder: 23140:23141 transaction failed 29189/-3, size 24-8 line 3056
[  605.285758][T23146] binder_alloc: 23119: binder_alloc_buf, no vma
16:10:16 executing program 2:
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  605.294694][T23147] binder: 23140:23147 ioctl 40086602 20000000 returned -22
[  605.308540][T23124] binder: 23123:23124 BC_INCREFS_DONE u0000000000000000 no match
[  605.316908][T23124] binder: 23123:23124 Release 1 refcount change on invalid ref 1 ret -22
16:10:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  605.382681][T23147] binder: 23140:23147 ioctl 40086602 20000000 returned -22
[  605.408577][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  605.418484][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:16 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR=&(0x7f0000000000)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB="00000000000000001debbbb6a2d4b2756b674e00bdec78f14017f9eaee46a959dbb2aef9a11bbeed555fd880e69e95f48dcc465df84f4faa9bc7fbca8c078c3da2955935ff086a9c6bda451eac7dcb2089e205bf47ae099eb8c43649"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
arch_prctl$ARCH_SET_GS(0x1001, 0x3ff)
socket$key(0xf, 0x3, 0x2)

[  605.493569][T23150] binder_alloc: 23149: binder_alloc_buf, no vma
[  605.506258][T23150] binder: 23149:23150 Release 1 refcount change on invalid ref 1 ret -22
[  605.551739][T23150] binder: 23149:23150 BC_ACQUIRE_DONE u0000000000000000 no match
[  605.561216][T23162] binder_alloc: 23149: binder_alloc_buf, no vma
16:10:17 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dsp\x00', 0x0, 0x0)
ioctl$UI_SET_FFBIT(r2, 0x4004556b, 0x5e)
mlockall(0x3)
fcntl$setsig(r0, 0xa, 0x40)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$SNDRV_CTL_IOCTL_ELEM_LOCK(r3, 0x40405514, &(0x7f0000000000)={0x0, 0x5, 0x3, 0x8, 'syz0\x00', 0xd393})
sendfile(r1, r3, 0x0, 0x1)

[  605.602810][T23162] binder_alloc: 23149: binder_alloc_buf, no vma
[  605.603259][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  605.638182][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  605.832846][T23171] binder_alloc: binder_alloc_mmap_handler: 23123 20001000-20004000 already mapped failed -16
[  605.873367][T23146] binder: 23123:23146 ioctl c018620b 0 returned -14
[  605.873786][T23171] binder: BINDER_SET_CONTEXT_MGR already set
[  605.893215][T23175] binder: 23123:23175 BC_INCREFS_DONE u0000000000000000 no match
[  605.901737][T23174] binder_alloc: 23149: binder_alloc_buf, no vma
[  605.915158][T23171] binder: 23123:23171 ioctl 40046207 0 returned -16
16:10:17 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x48, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x3, 0x40000)
setsockopt$inet6_icmp_ICMP_FILTER(r1, 0x1, 0x1, &(0x7f0000000040)={0x8}, 0x4)
prctl$PR_TASK_PERF_EVENTS_ENABLE(0x20)
setsockopt$inet_opts(r1, 0x0, 0xd, &(0x7f0000000080)="9fe649cf86df18deb3b7f726442a6516b259f7b7f50ce38619d820daf57c5f62aaa1468e3bcf1c62c1340954596720da5441341c03e4c9e5fcf4fc096255b13333f68fea0ed4d3b31cc7f4a945f6f8ab9bec7d7baf4976bdf5ed628617bd873c03bba502ed59dbb44b3f37cfca63db40e0792a5b5cb44610c36ec0ace375bba1f556ff9232d701499ffdca6a4914dddad9087986d9d6149ed70b00f4cd6a7a276b9109ec73076ac8ec56c911939a8aede6eb48ddb42b10ae47e7cb29b0118ca6b039a880f1e199df47", 0xc9)

16:10:17 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
r3 = getpgrp(0x0)
sched_getscheduler(r3)
recvfrom$rose(r1, &(0x7f00000000c0)=""/72, 0x48, 0x60, &(0x7f0000000000)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, 0x1, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}}, 0x1c)
ioctl$KVM_GET_IRQCHIP(r2, 0xc208ae62, &(0x7f0000000140)={0x0, 0x0, @ioapic})
sendfile(r0, r2, 0x0, 0x1)

[  605.922495][T23146] binder: 23123:23146 Release 1 refcount change on invalid ref 1 ret -22
[  605.991950][T23181] binder_alloc: 23149: binder_alloc_buf, no vma
16:10:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  606.037167][T23181] binder_alloc: 23149: binder_alloc_buf, no vma
[  606.072025][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  606.091265][   T22] binder: undelivered TRANSACTION_ERROR: 29189
[  606.100901][T23191] binder: 23185:23191 ioctl c018620b 0 returned -14
16:10:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x4)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r1 = syz_open_dev$vbi(&(0x7f0000000040)='/dev/vbi#\x00', 0x2, 0x2)
getsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f0000000080), 0x10)

[  606.179829][T23195] binder: BINDER_SET_CONTEXT_MGR already set
[  606.192837][T23195] binder: 23185:23195 ioctl 40046207 0 returned -16
16:10:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  606.227223][T23187] binder: 23185:23187 BC_INCREFS_DONE u0000000000000000 no match
16:10:17 executing program 2:
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  606.270431][T23187] binder: 23185:23187 Release 1 refcount change on invalid ref 1 ret -22
16:10:17 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="0063404000000000000000000000000000000000000010000000000000000000000000001800000000000000fc430e0800000010000000", @ANYPTR=&(0x7f0000000180)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB="8000008e000300006edcb6adb7477eac53b3f4ce56f6f531156cb078c3a2f56c0ff2200f3790d869c4e1bb8d0d2c63d3c3579f68f17ab1f4f5b1412b61874ff0b4247a710a1ad33dfe09027d8186207e8ac01dae3cf892c6"], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x80000)
getsockopt$inet_mreqn(r1, 0x0, 0x24, &(0x7f0000000040)={@loopback, @remote}, &(0x7f0000000080)=0xc)
ioctl$VIDIOC_DBG_S_REGISTER(r1, 0x4038564f, &(0x7f0000000140)={{0x3, @name="e6a9f34aad9f757c8abb6c2779f422014ad6b8a30055a54b4cecfcc7fcb61639"}, 0x8, 0x401, 0x1})
getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000280)=0x14)

16:10:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  606.511199][T23215] binder: 23204:23215 Release 1 refcount change on invalid ref 1 ret -22
[  606.545704][T23208] binder: 23204:23208 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:18 executing program 0:
syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)

[  606.841140][T23195] binder_alloc: binder_alloc_mmap_handler: 23185 20001000-20004000 already mapped failed -16
[  606.869778][T23195] binder: 23185:23195 ioctl c018620b 0 returned -14
[  606.924213][T23195] binder: BINDER_SET_CONTEXT_MGR already set
[  606.940086][T23230] binder: 23185:23230 BC_INCREFS_DONE u0000000000000000 no match
[  606.945719][T23195] binder: 23185:23195 ioctl 40046207 0 returned -16
[  606.982957][T23187] binder: 23185:23187 Release 1 refcount change on invalid ref 1 ret -22
16:10:18 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0xc, 0x0, &(0x7f0000000380)=ANY=[@ANYRESDEC=r0, @ANYPTR64=&(0x7f0000000100)=ANY=[@ANYRES64=r0, @ANYBLOB="b065d06baefb9b7c2324fe5e37a7e7079ef193bf97a000fb1739858bced838cd9077d6abc0c1798c6b99adaea3d6e22513ab28e1767fafee78a1aa55e3010f6d79cd03d758ab51a54129c62861082b2faa00bd92581f0650444e746721b49daeb74c97ffb756a630a6fc0393748893d17d131f6a22556f8815c099e94f57e2b82ed8ed89642e017a818a026e012447569e6dd311f4e5f4b8121073", @ANYRES64=r0, @ANYRESHEX=r0], @ANYPTR=&(0x7f0000000280)=ANY=[@ANYPTR, @ANYRESHEX=r0, @ANYRES16=r0, @ANYRESDEC=r0, @ANYRESHEX=r0, @ANYRESHEX=r0, @ANYRES16=r0]], 0xffffff99, 0x0, 0x0})
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
r1 = dup2(r0, r0)
setsockopt$IPT_SO_SET_REPLACE(r1, 0x0, 0x40, &(0x7f0000000480)=@mangle={'mangle\x00', 0x1f, 0x6, 0x570, 0x3c0, 0x2d8, 0x3c0, 0x3c0, 0x1b0, 0x4d8, 0x4d8, 0x4d8, 0x4d8, 0x4d8, 0x6, &(0x7f0000000000), {[{{@ip={@local, @multicast1, 0x0, 0xffffff00, '\x00', '\x00', {0xff}, {0xff}, 0x7f, 0x3, 0x8}, 0x0, 0xc0, 0xf0, 0x0, {}, [@inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x5}}]}, @TPROXY={0x30, 'TPROXY\x00', 0x0, {0x2, 0x7, @broadcast, 0x4e22}}}, {{@ip={@multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, 0xffffffff, 0xffffffff, 'nlmon0\x00', 'eql\x00', {0xff}, {}, 0x2f, 0x1, 0x8}, 0x0, 0x98, 0xc0}, @ECN={0x28, 'ECN\x00', 0x0, {0x31, 0x20, 0x1}}}, {{@ip={@loopback, @multicast2, 0xff0000ff, 0xffffffff, 'veth1\x00', 'netdevsim0\x00', {0xff}, {}, 0x11, 0x1, 0x8}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@set={0x40, 'set\x00', 0x0, {{0x1fffffffc00000, [0x4, 0x1, 0x2, 0x4, 0xfffffffffffff001, 0x8], 0x5}}}, @inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x2}}]}, @TTL={0x28, 'TTL\x00', 0x0, {0x2, 0x6}}}, {{@uncond, 0x0, 0xc0, 0xe8, 0x0, {}, [@inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x3}}]}, @inet=@TOS={0x28, 'TOS\x00', 0x0, {0x5e47, 0x7f}}}, {{@ip={@multicast1, @dev={0xac, 0x14, 0x14, 0x27}, 0xff000000, 0xffffffff, 'veth0_to_team\x00', 'team_slave_1\x00', {0xff}, {}, 0xed, 0x2}, 0x0, 0xf0, 0x118, 0x0, {}, [@common=@inet=@l2tp={0x30, 'l2tp\x00', 0x0, {0x2, 0x1, 0x3, 0x1, 0x3}}, @inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x8}}]}, @inet=@TOS={0x28, 'TOS\x00', 0x0, {0x3, 0x3}}}], {{[], 0x0, 0x70, 0x98}, {0x28}}}}, 0x5d0)

16:10:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:18 executing program 1:
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
fcntl$F_GET_FILE_RW_HINT(r0, 0x40d, &(0x7f0000000000))
sendfile(r1, r2, 0x0, 0x1)

16:10:18 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4c, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:18 executing program 2:
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:18 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r0, 0x40042409, 0x1)
sendfile(r1, r3, 0x0, 0x1)
ioctl$SG_GET_TIMEOUT(r2, 0x2202, 0x0)

[  607.335935][T23238] binder: 23237:23238 unknown command 808464432
[  607.351759][T23238] binder: 23237:23238 ioctl c0306201 200001c0 returned -22
[  607.378479][T23252] binder: 23239:23252 ioctl c018620b 0 returned -14
[  607.385087][T23238] binder: 23237:23238 unknown command 808464432
[  607.385102][T23238] binder: 23237:23238 ioctl c0306201 200001c0 returned -22
[  607.385170][T23253] binder: BINDER_SET_CONTEXT_MGR already set
16:10:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  607.509382][T23253] binder: 23237:23253 ioctl 40046207 0 returned -16
[  607.509400][T23252] binder: BINDER_SET_CONTEXT_MGR already set
[  607.538062][T23247] binder: BINDER_SET_CONTEXT_MGR already set
[  607.544155][T23252] binder: 23239:23252 ioctl 40046207 0 returned -16
[  607.551376][T23247] binder: 23245:23247 ioctl 40046207 0 returned -16
16:10:19 executing program 0:
r0 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x2, 0x40200)
r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000005c0)='TIPCv2\x00')
sendmsg$TIPC_NL_LINK_RESET_STATS(r0, &(0x7f00000002c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x100800}, 0xc, &(0x7f0000000280)={&(0x7f0000000100)={0xf8, r1, 0x1a, 0x70bd25, 0x25dfdbff, {}, [@TIPC_NLA_MEDIA={0x54, 0x5, [@TIPC_NLA_MEDIA_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x401}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x11}]}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5708}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8073}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}]}, @TIPC_NLA_NET={0x24, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x9}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x5}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x5}]}, @TIPC_NLA_MEDIA={0x20, 0x5, [@TIPC_NLA_MEDIA_PROP={0xc, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1f}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}]}, @TIPC_NLA_MEDIA={0x4c, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x11}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1ff}]}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1f}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x16}]}]}]}, 0xf8}, 0x1, 0x0, 0x0, 0x40000}, 0x80)
r2 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x10000000)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  607.566823][T23240] binder: 23239:23240 Release 1 refcount change on invalid ref 1 ret -22
16:10:19 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:19 executing program 0:
r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2)
ioctl$CAPI_SET_FLAGS(r0, 0x80044324, &(0x7f0000000040))
write$vhci(r0, &(0x7f0000000480)=@HCI_EVENT_PKT={0x4, "54aaf9418f6c086069688c455821bd090094a727d290762caa3fc25c01732b04b3f719de16261022cd9e2164c9684f645119c5927ba8fe167b941d9bde5639f1bfdd989e6f528ff1cfcfb1d1e530072dbe3069d5b14730a8efbe6c8168bf9f4551c0605123de4bfb32ac6afcf554ea0a2997eada0165fee6a69b1b575dafa5f96cc3e9d09978c420b0f19e23a868d3a460299fbd4f7680cc8d6ce2ff6f2455f4437de88030cbb66f853bd26599e48a3531c2c6e64668dcfbdc072077e4c8819e8424c0fdb76a0d317056eaebfd934fb7eb340b22bfb8ed83fbd49b2af83a608e96100032164f88679a9eadc3c99af484c80d5920776374e604c8236aece102561743aad29c7a14bc7ac7b558435f5bdbfcb7ccb073aa6f05ed52d5519080abd4bae1b855777e3cdda734de1c93dec88592c70179fef99dd6b99fb4f0fd7830c8294acfee25a923e7b875bb87ac2a488579dcf39c9d9fb83c8274d59d272a4f0077f88d025bbec56dd3d630645a81911b387bb1ead4435714a7bc45371cfb6cfdcbe0ac0bc33752fd699114a225a073e716e70e3e0153a0accbe2e63a6a3e8603121ea161622a8d066b7e5dcbf3f3b59cc92906191d882780b56e86fe6e2c8e72319223808f480d68a9ba97cc458588f3e31393729a7712d49fe9fe962b4ad4720664350d3b6a91bdb743f72881352737467044c955114d3067812471e2dc7648c19992281323e7984f4dd4fe622737259c93701271ccc62450c657749606659b2f0c66127cbdf1f139b6aaa5439ada8193dce9734b25ee4b3778165f658bb684e3184820bfed27e0f570cb6463e3ab746bbcebcda5ba1dfe21ad6870032afc9c30721d8209a50022a40fba2dbfe43350951e205f92d1eb70ac963232d785854513515ac810e56524b2c8210ea06b60bd16907327b4c24dce92872df2f95f9133c5ae867e909145707c7db4cb6a726b44347bf352a893d27cc4d8ffc68b9338075c297b2af868845a2c1f6a7b535837b7091c6c24e68d2fb404c412f47beb7ff5b6cde42deb5e97c2c63d0ca6feffee359ca6218583bb371f299943664cd62a6bb52ef074940b80d26c39e7bd566d12a80b8780d891ef1ec4a06fc4b9c6e4c5bc4a5c91277c7ffd367b3bb15507e5bd50cf3b2f25cb6a41edc5d5e0a2dfa4297191940fffc3d38d88e9e53be0f95a107e923c38c08434d32ba819dbb846663ac2b7168f8847ba7797c6d706abcf5f06f953fd23912d78aaee757a614bae6bb8ee314d7497decfaf92a48bb2c510a00b180c14cb58c1adbb1ec467b91f86d1348908e67f98d1d8aa06434d0fda1d41e50a0fb84b231e49cdc8e5511adbf6ba72e33dc17e4f116d01a652f53c5a481daf71830d144f6d4f7c2c1771578677bf550298b628305b388a984618663794eed395dcc50be5808c0b63a4ac7876e5850201533e0784af11c1a39d8765375a0272f395bc470dfdbc8b3540f23755eae4df443b2e080f219f58c77e373b0a3f4fd7a8d0decf2b9e8e539d1f79d1dd9fdc58c4b404486a905c27f831bdfd62d807dc6fe1d55d64111004f40a0e561ebd70a2d21824654be36ccc23787d173ddf7e8bd756272800540ddec85e1d4b9cb135fa3506ba0f9f4e1e6ae4a42020a4e589ec4ccb1bc1c0bdcc1ae70bbbea1851c625ee3155358a45e88db18e90cc1c0332459f46f3b32453eed6ccb4acbd120419de157c2c3b55c91e6c72d89f7fd9c02a0a08025d211020fdddae3c852814dfce62c2c3ddd52434d3732ff53880f7f2d77c6c930bdddcf2a9061c1f740b5f972621994463439c76c6fc87e05978e3e850c9377d4791b018828d867b9d4ef0ca9309ce1d10e640768216b855ab6d8aad219ce961a852ee9d50535d8b912cb7f6be448e76b50bbb8a365019db2c20d0dc8e11f56bd689cc25c87c519274244a380273919ed24af26f91e3712df1cbad8cd019ad5a99fdf63b01306d923d36de21a53bd634e84fa47f52445904107252826f85c97035e0da09900b30b985c200480ffa7de0da1b84934a5504cc479ce4726145b72b6a16b9bf191436ca694813823ef4fcb5d57cfadeca869ca3ba578d720a1231129fbd68ce740de1ed39eb2e4479183c5676f5ffdfd0908239ef4a38b5ebe76fd78e3597d2f0f13897ae5707c82660845213a4aeb49caf4a6a2e4e28a17c303051908762e5448ee2d8fa346e9d5b3306f8fb96a31d1928e07cb8f7960e7a048cdc3160548ff3ae2d2aac31e54a0324359f89d8ae2728e89a75f2c9c0a6c9542154819a8c489599f5c553a20555df8f6533735a39dde76b1ad9f7ac7f4cabf6084de6df48aefbc724636546b5916b1454db62a81e9594c9afa4ce47752df94e0cb40413ed33d2ef64d3d5ed122fdb343aceb99f703731893cedb6e79b07257edb533e3e2c95983f60122366595414335ddc90b5f9268b3c8cb3e2a728910e154b24ddd5d008bd93e4baee5709c26c4018ec213f0c873858b1010dddd1b731c5e3571736b2ccfab79b3d24079cffdad918c40c197b7f60a280c864ca5a390dc5a6780638f89d8b6863f6284152417f91ad5d8de5508152b6668258d4f498a7643563190cb7a0fbc86565a4ccd764703cc769b25695270323a466aaa323bcc66fb8417d66cb572d45080e815260e6c7629984981d1052441c794e3e378b561f160cadc42373bb6b6de7b727e87612557a1319342656cac5b31ccfd1f0f4d72e5576fd2e51466fe9f15540d0853d347288c4c1c0bf9d2483ecca90f3a6caa041d1a0105886c438b3821bb11201209e7ab61dad9d30aebd78096c52ded0f2296dc28df6d987f1fb56f8cfcae9c0c9cdcce44a33738255224c1697f52d41da794836b14eccfc489d92681236c40d26e0b1aea6bd729ccafd22fe84e2da0879fe44920582dbc6d89593966dea11774d982d0a7a7bf40116c323280c1e4db5b35d54b1a34c1bf5b3c48e33a39f6d86196eb1e4baac5919eb87307d0254b0dc81c24bdf13569f492886183bbb52bdb16c4a1c4bc2cbe52b1a680778af365ca9f4dc17f8b4290cfa0355e026f57483acd4e78a250f084368418de44bea9fafbef6f117e257457988b54979f3dec901b63af8fc63f5ffd5dc786e5783674709912b078893dc465b4c0732bd79b21e33f9fcaa2fa704136b9164aca4cd5b135d914dcb948303048de6dfa9859c6dd29994625e3ec29df09ff81c86c5059d9e125feec31cd9994e4660b52812b1e96de23f71b6ae82056bed3c337a26cf56c91e60154b5f8d01e4fc9e31623c8211a849335d8e31a26f9638d5ec64d220494f9139085bae792e5851c509d45608e2fa765778209e6d9dc58b277cec1d3f35b07c3e3d4a33943bd1e30ce6e63fccbb265c4cdc5c9c64a4206f1ac9882899041f1c18eb7a0fc2c3c803dec9a6d06b6ed777afeb736dc456410f5c7b550b46a94d4978457c4bc0892914fa083c5549b08e6b8622662ddf4b099b0fafb96d1e59886d24730168b4a47265a134a5b36091e89a6978f36a221875636c9e4c4f37c7f055be4f1bc03c54c937de4ccf1a8b8583fcd4a4a346a89c382ae4b1a45da26c3fc28e6b90b3b4bfcb41e56705771a456e235093614be09a590ee4843914dc41dd13addfb2874e925df1b275e7fc428168ca3efe90017c3b9f15aa5ca96ca9d5ef783b5dcb50bf99481d29d0435da1ea33105b07d540f8aca1dba6e756ebedfd103c50d0c05750bb69c1d4c40f543076fabea31eeff9da52ae6eae0908e4c4ae952fd54a20eea1e67fe747af5c1f958315966ab019848a3eb8c91aa1edcfdc89bc8d2b0c3f2511117137c3210989aee516d362e6f660056de342008239ba579e616bed496e464135ea53c395c8f42870163ad96e8f4c2a7f8a9e80093b1d6396ed918e458fec1e4b246f67c17e7344ab4b9d2aa6d941d0459731786c311b042a3441f2c5bb859dee16c0e02e2a973b6b6df6fd8667f4a8b495a8b954bf88df624eff4f571cf52826f6a5161742b2c6fb74d60f570f598c62feee555e19b45856defa180a93140581c985f454e246d97c6e83db999c8deeb038413aaf9648fa3ffc93ff1e23aed947f30290cefa07d55ae04fad067e435cbba9a6f54febdfabf9945ad4ee7e7cfabe4e4d9f11468bf56cf7c98c647cc25d371e54d4ab827d68e5154f9fc55f92b3e2907ed3eef7f5b2d7ff13054babadc3d69d98b4af3f49bf5f625510ac198b9cd751ef28e6c105757efaad4749e5d2ea62a4051c4cbe61f9478d2f25547e5210f382686727daa68c3b0e9c7d02b35442605b81ebbdcdc51c91f4c3e2a7f19acbf959923ab4c17bcb9295ba6459f29ad1a6892570999b49f1c4d99269feee1b981a1936dc5f071f1ac8fcb87843c23e0d9d8a62446366797ab75133262a184bad5699dd3b2578a439dc52b29ebb503cb03eabad3698b284b2183ffcef6c4d504dbaf11ea83f27b08e68634d26606a04483355d787cae3d648b26d8e2e608ecdd6b9ad5b1bdc4b2d6014c3d35964f0fab89ad4f9a9497df060e5e5332657b53c5ba6554825170823689cf570577405573e55bd376629d9e4f3c21450e4c6a3fb692d98715dc3046fbfb91e0674ffa6f3dd4a45fff831cb85b40badd0f8673887b96949ecb5796b54e50edef7df3ed80890c8bd9c0954f6b73048c83aa9bd27c465b3971ea3f5467bab336457a9d907f707ae3c5a15736e19192cfe8304d39f34d0bbf94dbb388ec3b908ffb200f84a199b22b89a40177d6bb6075a8afd082fe08a320df124c2d6aa25c5547cd9006ce990458812496c407dce6d1e44775941ed2ac7fe8cdb6130edef200e3c825660f505e362ab7268c80712dd68b3a44355932a3ed86ceeca7daad2bd897de53db91a2fd4a702ba3590a4843e0edcdded78f67c821fc84e8b90566dcf68c0ccc3e5a3ec94e88ff8bb6003636530f48f7b23df9e31584e056030ae3ed411c2576309ffb612d38dc049a3af685414f2f4f27ca1b22c97e5103fbcc1f2acd43a34752a96bfd8be1e9737f6d439fb5e7dbc3ed18ceb2146908b004aa88e305cce86546aea9a024c4bcde23e05db0e887504c264a4ce589d6541d679e49714da45cce9a6899675c11699799a870b463725067f4b5a0c1e8a20c11abe09a6c4a4d78cb05c7141e5b4f8aef188f33b1a883723ca9a37e2ead8c2c70be80c106428829e6af41294b4ed6e2677aa22b2c8b2773b7172f8101f193f0a7a87e2cf0e95e0f766816330b5a11ccf5544f86124f0b0a8fe896770c8b1e32833d9ca81d6f1ac982e292934282f56610010436faccb572c1914335edeb390cf206bee6bc7b25755fa7f6c12f409e019e9377961ac624022e530dfb8636eef690c7703c32c276e56e5ed353b8725412e8e301da6d7dffb91e9b1863c1421e336a05b5e712f6cb6f2c2960fe1a958acba65e43e6ba3804194294fd4183374aa0fd151febff914fc75aab642ef145796960d5c2def45e5d3ad05705ff3e061768f05ce8096e93e1764df87dc23caba9374b7d1ef526efe4d94b475c125d90357edf56d3327a07231112bc1a2e51f45ed36352401390ee72c563d9fc4ce8e01a8a7b53a642ab17bb370858a0e1bc9b9595687e53eea299993e826470b963ea6c6dfa6ff6abdb6a0cab114e71aadf8dbfb5068b0a8389f1a6906d91c54f133b40bb892eeff637de94eae8c0f1916c08925f997277ecbd47a579aaa8daaabea60f8aa96930936eb2a487edcff60b460662824fab1fb42d108055bcfdc69b75b4f74cdbfe49dec0e97acbe778d9e1b24"}, 0x1001)
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:19 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000100800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB, @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

16:10:19 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x8, 0x0, &(0x7f0000000000)=[@release={0x40046306, 0x4}], 0x19f, 0x0, 0x0})

[  608.133158][T23257] binder_alloc: binder_alloc_mmap_handler: 23239 20001000-20004000 already mapped failed -16
[  608.182929][T23257] binder: 23239:23257 ioctl c018620b 0 returned -14
[  608.183788][T23293] binder_thread_write: 2 callbacks suppressed
[  608.183816][T23293] binder: 23239:23293 BC_INCREFS_DONE u0000000000000000 no match
[  608.239082][T23299] binder: 23294:23299 ioctl c0306201 20000440 returned -14
16:10:19 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000000)=<r2=>0x0)
sched_rr_get_interval(r2, &(0x7f00000000c0))
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)

16:10:19 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:19 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
r1 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x80)

16:10:19 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:19 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:19 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x60, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:20 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0x0, 0xffffffffffffffff)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000423d46aa61d78232bbe0972ca5e9867415918b028e002644459889f14a3655b7679a3b8446edc3944b4bca0485bba2063874c00d61faecb008dea1db8262b4a0c815f524bf20851f3830ff93a0817af68d61b472bd1c0ebe", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

[  608.675804][T23322] binder: 23305:23322 ioctl c018620b 0 returned -14
[  608.732947][T23314] binder: 23311:23314 BC_ACQUIRE_DONE u0000000000000000 no match
[  608.756008][T23310] binder: BINDER_SET_CONTEXT_MGR already set
[  608.762025][T23310] binder: 23305:23310 ioctl 40046207 0 returned -16
16:10:20 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

[  608.870104][T23310] binder_transaction: 25 callbacks suppressed
[  608.870135][T23310] binder: 23305:23310 transaction failed 29189/-3, size 24-8 line 3056
[  608.912971][T23310] binder: 23305:23310 BC_INCREFS_DONE u0000000000000000 no match
[  608.945811][T23339] binder: 23336:23339 transaction failed 29189/-3, size 24-8 line 3056
16:10:20 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:20 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)=ANY=[@ANYRES32=r0, @ANYRES32=r0], 0xfffffffffffffe69, 0x0, 0x0})

[  609.204676][T23348] binder: 23346:23348 ioctl c0306201 20000080 returned -14
[  609.415694][T23353] binder_alloc: binder_alloc_mmap_handler: 23305 20001000-20004000 already mapped failed -16
[  609.497631][T23352] binder: 23305:23352 transaction failed 29189/-3, size 24-8 line 3056
[  609.552967][T23356] binder: 23305:23356 ioctl c018620b 0 returned -14
[  609.569330][T23340] binder_thread_write: 5 callbacks suppressed
[  609.569346][T23340] binder: 23305:23340 Release 1 refcount change on invalid ref 1 ret -22
[  609.590799][T23353] binder: 23305:23353 BC_INCREFS_DONE u0000000000000000 no match
16:10:21 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x80, 0x0)
sendto$inet6(r1, &(0x7f00000000c0)="45f10c1ad834d297710dc257a91715ae9529ee18a83c97b06cdc00e8b5f28a46b11ba8f38b76fb1de42524ad09c31daf75804b098faa3c135308695947cd8236e8621d9329c5b09f79886a9530ce9095282c0c4ca07faedb32cd9dbfea25fa9d0a400e9635f4a1caa7acf839f62cc8fc937ff1f542bf1d4449fe6f568f1d53bd3afd28c66f4bc8aeab7025357142a9a162a1b4e20209f254c315db6ac03f95b46c934fa407d73d4ad1e38644e0c6838834ed12479e1d7eacc4eb3c81db4f6391dce25576567ea336646414679e", 0xcd, 0x4040080, &(0x7f00000001c0)={0xa, 0x5d9, 0xf7, @loopback, 0x18}, 0x1c)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:21 executing program 0:
r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x10401, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000080)={{{@in=@dev, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r1=>0x0, <r2=>0x0}}, {{@in=@broadcast}, 0x0, @in6}}, &(0x7f0000000180)=0xe8)
clock_gettime(0x3, &(0x7f0000000a80)={<r3=>0x0, <r4=>0x0})
sendmsg$can_bcm(r0, &(0x7f0000000480)={&(0x7f00000001c0)={0x1d, r1}, 0x10, &(0x7f00000002c0)={&(0x7f0000000380)={0x7, 0x100, 0x1, {r3, r4/1000+10000}, {}, {0x3, 0x7fff, 0x8, 0x4}, 0x1, @canfd={{0x4, 0x51f2, 0xdc1c}, 0x2b, 0x2, 0x0, 0x0, "937ac9cb3087c6db50466ddd71f26d6d74bee7e8b46ed137a2f2e750c122a9a475bda9f94be3a6a98bcd04714029c7fa218be15b46d26dfe6cad12c2f31f4d38"}}, 0x80}, 0x1, 0x0, 0x0, 0x800}, 0x80)
r5 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$sock_SIOCBRADDBR(r0, 0x89a0, &(0x7f0000000280)='team0\x00')
setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000500)={{{@in=@multicast2, @in=@multicast2, 0x4e21, 0x0, 0x4e23, 0x3, 0xa, 0x80, 0x80, 0x3b, r1, r2}, {0x7, 0x9, 0x9, 0x7, 0x1, 0x4, 0x8, 0x5}, {0x7ff, 0x1, 0x10001, 0x15f}, 0x7, 0x6e6bb9, 0x0, 0x1, 0x1, 0x1}, {{@in=@multicast1, 0x4d4, 0x33}, 0x2, @in6=@empty, 0x3505, 0x1, 0x0, 0x4, 0xfff, 0x9, 0x4}}, 0xe8)
recvmsg$kcm(r0, &(0x7f0000000a40)={&(0x7f0000000600)=@generic, 0x80, &(0x7f0000000940)=[{&(0x7f0000000680)=""/185, 0xb9}, {&(0x7f0000000740)=""/66, 0x42}, {&(0x7f00000007c0)=""/160, 0xa0}, {&(0x7f0000000880)=""/145, 0x91}], 0x4, &(0x7f0000000980)=""/180, 0xb4}, 0x40)
getsockopt$bt_BT_SNDMTU(r0, 0x112, 0xc, &(0x7f0000000040)=0x1, &(0x7f00000004c0)=0x2)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

16:10:21 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:21 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$TIOCGPGRP(r2, 0x540f, &(0x7f0000000000)=<r3=>0x0)
r4 = getpid()
r5 = geteuid()
sendmsg$netlink(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000180)=ANY=[@ANYBLOB="180000002a0b0da25e88ae900f3d00000325bd7000ffdbdf2508004c00", @ANYRES32=r5], 0x18}], 0x1, 0x0, 0x0, 0x40}, 0x4000004)
kcmp(r3, r4, 0x2, r0, r0)
r6 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
socket$inet_smc(0x2b, 0x1, 0x0)
sendfile(r1, r6, 0x0, 0x1)

16:10:21 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x68, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  609.855818][T23376] binder: 23369:23376 transaction failed 29189/-22, size 24-8 line 2903
[  609.882630][T23379] binder: 23366:23379 ioctl c018620b 0 returned -14
[  609.905999][ T8164] binder_release_work: 11 callbacks suppressed
[  609.906007][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  609.950479][T23372] binder: BINDER_SET_CONTEXT_MGR already set
[  609.958446][T23372] binder: 23368:23372 ioctl 40046207 0 returned -16
[  609.965721][T23379] binder: 23366:23379 BC_INCREFS_DONE node 3798 has no pending increfs request
16:10:21 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0x0, 0x800)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="006340400000000000000000000b000000003293d556eb42991cd34677df167c03b500000000000000000000000000000000000018000000008000008e8f0800000000000000", @ANYPTR=&(0x7f0000000200)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})

[  610.009700][T23372] binder: 23368:23372 Release 1 refcount change on invalid ref 1 ret -22
[  610.111722][ T8164] binder: undelivered TRANSACTION_COMPLETE
16:10:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:21 executing program 0:
syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20\x00', 0x400c01, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffff9c, 0x8933, &(0x7f00000000c0)={'vcan0\x00', <r1=>0x0})
getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c, &(0x7f0000000340)={<r2=>0x0, 0x7e, "f49823d97964d969ec81d5db1bfcfecc0afdfedb6523e71d86248b207b71dcec7eee9cb460b097e751261ec53b9529ba2e8e8017af02676b1f6be9bcaa7043ac0b9f4351f2353fa71b3b07e51f540e543dc76ac7fc24ad556eca3364b8f8f05c632089baffbfd68ec8b7df73f869cfd0fdeb24c379d176a3344c16fab485"}, &(0x7f0000000440)=0x86)
getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO(r0, 0x84, 0xf, &(0x7f0000000480)={<r3=>r2, @in={{0x2, 0x4e21, @broadcast}}, 0x1, 0x5, 0x3, 0x81}, &(0x7f0000000000)=0x98)
setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000040)={r3, 0x400, 0x3}, 0x8)
setsockopt$inet6_IPV6_PKTINFO(r0, 0x29, 0x32, &(0x7f0000000100)={@remote, r1}, 0xffffffffffffff6f)
r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00')
sendmsg$TIPC_CMD_GET_NETID(r0, &(0x7f0000000300)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x4012000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000280)={0x1c, r4, 0x8, 0x70bd27, 0x25dfdbff, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x80}, 0x8001)

16:10:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:21 executing program 0:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4c, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  610.547342][T23410] binder: 23406:23410 ioctl c018620b 0 returned -14
[  610.617905][T23416] binder_alloc: binder_alloc_mmap_handler: 23366 20001000-20004000 already mapped failed -16
[  610.639429][T23407] binder: BINDER_SET_CONTEXT_MGR already set
[  610.648287][ T8164] binder: release 23368:23372 transaction 3800 out, still active
[  610.656682][T23407] binder: 23406:23407 ioctl 40046207 0 returned -16
[  610.689157][T23415] binder: BINDER_SET_CONTEXT_MGR already set
[  610.731646][T23413] binder: 23366:23413 ioctl c018620b 0 returned -14
[  610.731990][T23415] binder: 23366:23415 ioctl 40046207 0 returned -16
[  610.738759][T23407] binder_alloc_new_buf_locked: 7 callbacks suppressed
[  610.738766][T23407] binder_alloc: 23366: binder_alloc_buf, no vma
[  610.795482][T23413] binder: 23366:23413 BC_INCREFS_DONE u0000000000000000 no match
[  610.819834][   T22] binder: release 23366:23367 transaction 3797 out, still active
[  610.835860][   T22] binder: send failed reply for transaction 3797, target dead
[  610.843212][T23407] binder: 23406:23407 transaction failed 29189/-3, size 24-8 line 3056
[  610.843461][T23420] binder: 23406:23420 BC_INCREFS_DONE u0000000000000000 no match
[  610.859438][T23388] binder_alloc: 23366: binder_alloc_buf, no vma
[  610.881495][   T22] binder: send failed reply for transaction 3800, target dead
[  610.899826][T23388] binder: 23366:23388 transaction failed 29189/-3, size 24-8 line 3056
[  610.911569][   T22] binder: undelivered transaction 3803, process died.
[  610.940099][T23422] binder: 23406:23422 Release 1 refcount change on invalid ref 1 ret -22
16:10:22 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)
setsockopt$bt_BT_POWER(r1, 0x112, 0x9, &(0x7f0000000000)=0x1000, 0x1)

16:10:22 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:22 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:22 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0)='TIPCv2\x00')
sendmsg$TIPC_NL_MEDIA_GET(r1, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x48000800}, 0xc, &(0x7f0000000100)={&(0x7f0000000380)=ANY=[@ANYBLOB="30030000", @ANYRES16=r2, @ANYBLOB="10002dbd7000fbdbdf250b000000740004000c00010073797a31000000000c00010073797a30000000000c00010073797a30000000000c00010073797a30000000001c00070008000100090000000800010016000000080002000700000024000700080001000000000008000200ff010000080003000500000008000400010000000c0101002c0004001400010002000000e000000100000000000000001400020002004e21e000000200000000000000000c00020008000200500000002c000200080004000200000008000300b018000008000400060000000800020002000000080001001b00000038000400200001000a004e2400000002fe800000000000000000000000000011000001001400020002004e24e000000200000000000000002400020008000200f7ffffff0800040004000000080001000a00000008000100190000001000010069623a766574683000000000100001007564703a73797a32000000001400020008000200ffffff7f0800020049040000140002000800010012000000080001001600000010000200080001de0100008004000400140009000800010075f7ffff0700020002000000ac000100100001007564703a73797a31000000003c00020008000400000800000800020009000000080001001800000008000300ff0f00000800020004000000080003007d000000080004002000000008000300ff0100001000010069623a62637366300000000044000400200001000a004e2000000007fe80000000000000000000000000000f20000000200002000a004e22fffffff70000000000000000000000000000000150a80000cc00010044000400200001000a004e240000000400000000000000000000ffff0000000108000000200002000a004e2400000004fe800000000000000000000000000021ff000000180001006574683a6272696467655f736c6176655f3100001c0002000800030002000000080004000002000008000400010000001c000200080002000000000008000100030000000800040008000000340002000800030007000000080002002000000008000200710a0000080003000100000008000100150000000800010015000000"], 0x330}}, 0xc0)
mlockall(0x4)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

16:10:22 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6c, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:22 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  611.230846][T23438] binder: 23430:23438 ioctl c018620b 0 returned -14
16:10:22 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x4000000000004)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  611.304203][T23435] binder: BINDER_SET_CONTEXT_MGR already set
[  611.332015][T23435] binder: 23425:23435 ioctl 40046207 0 returned -16
16:10:22 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  611.351129][T23451] binder: 23425:23451 Release 1 refcount change on invalid ref 1 ret -22
16:10:22 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:22 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
r1 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
getpgid(0x0)
mkdir(&(0x7f0000000000)='./file0\x00', 0x40)
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000100))
r2 = fcntl$getown(r1, 0x9)
r3 = syz_open_procfs(r2, &(0x7f0000000180)='cgroup\x00')
sendfile(r0, r3, 0x0, 0x1)

16:10:22 executing program 0:
syz_open_dev$audion(0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r0, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(0xffffffffffffffff, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:22 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  611.713794][T23472] binder: BINDER_SET_CONTEXT_MGR already set
[  611.755181][T23472] binder: 23466:23472 ioctl 40046207 0 returned -16
[  611.783196][T23472] binder: 23466:23472 Release 1 refcount change on invalid ref 1 ret -22
[  611.986129][T23446] binder_alloc: binder_alloc_mmap_handler: 23430 20001000-20004000 already mapped failed -16
[  612.002834][ T8164] binder: release 23425:23451 transaction 3810 out, still active
[  612.010517][T23446] binder: 23430:23446 ioctl c018620b 0 returned -14
[  612.045180][T23480] binder: BINDER_SET_CONTEXT_MGR already set
[  612.066646][T23480] binder: 23430:23480 ioctl 40046207 0 returned -16
[  612.085368][T23481] binder: 23430:23481 BC_INCREFS_DONE u0000000000000000 no match
[  612.130132][T23446] binder_alloc: 23430: binder_alloc_buf, no vma
[  612.148023][T23438] binder: 23430:23438 Release 1 refcount change on invalid ref 1 ret -22
[  612.165621][   T22] binder: release 23430:23431 transaction 3807 out, still active
[  612.183505][T23446] binder: 23430:23446 transaction failed 29189/-3, size 24-8 line 3056
[  612.195747][   T22] binder: send failed reply for transaction 3807, target dead
[  612.211449][   T22] binder: send failed reply for transaction 3810, target dead
[  612.226637][   T22] binder: send failed reply for transaction 3813 to 23466:23472
16:10:23 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:23 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:23 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x400, 0x8000)
getsockopt$inet_sctp6_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f00000000c0), &(0x7f0000000100)=0x4)
getsockopt$TIPC_CONN_TIMEOUT(r1, 0x10f, 0x82, &(0x7f0000000140), &(0x7f0000000180)=0x4)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
lseek(r0, 0x0, 0x3)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:23 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x0)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:23 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x74, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:23 executing program 0:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = dup(r2)
shutdown(r3, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:23 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  612.428338][T23506] binder: 23495:23506 ioctl c018620b 0 returned -14
[  612.446513][T23509] binder_alloc: 23490: binder_alloc_buf, no vma
16:10:23 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendmsg$unix(r1, &(0x7f0000000400)={&(0x7f00000000c0)=@abs={0x1, 0x0, 0x4e21}, 0x6e, &(0x7f0000000300)=[{&(0x7f0000000140)="c5f9accbc39c7f808941bf48644f25dea2d9a534da29e4130503908b537fa041d85272207be759933bb71a61f0e6f4f1e6d2dc79942e9a15cfa64382b43f32ab0a6a0da6ad9cbc8bb378e64a55782d76cb40313672a2993138e3e1f6075e48cd818b18ba7a5ed51015ce08335ef0f39eb4260dbc60ecde0d9e2c208365df12152d148e530c50d0140769a8ea71745cdb5a23a8d44795132b152e7ffa6d186860dbcaa6c28c1aa09fb7d70977437827ce98db9c73be3087125905d46d6f62", 0xbe}, {&(0x7f0000000200)="7f6374c806bde8c4d74ead86b463998b31283dbea5164ab15cfac9d6535470742026cbc8e8733bae0a795c528828e2c2ba3195077486d1f38cd10129695079add4d37f7a3422980234045bd54642170a71e7371463b482c23a0cd418251c4a9bf3c9778206da654944981d627960cc37df6fce415fa818b891760d7332c9bdb5fa756c7e75d9eff494e2168b4cdb593c1c62d7a9df75d1861df431e58025ab0a8e919e8e29d8f3c98440e801b18f24b397848df18f9a66a1362d85b8cdb60e9d1eb0abd0f110834d5c8e864875382c236e89ccc5581c7deac1b1aaf0287d80", 0xdf}, {&(0x7f0000000000)="c2fa9356d1c37f6b882a8b41badec8d44b6e632cb9495f909a06aba95c27c07d8f992af162fb0ec3b8", 0x29}, {&(0x7f0000000380)="3be0db1610bcd1dc2ae4d859bbf2493adfafe9be0ccf949093823acc410ae7fb3b25e47d33f2b3009cc375bcc9af3ae3b860e89b07fcf34c1dabc997d147b858e83bdcffbeebda145d242a0290bc7f3b3bd72ef55e10d384304e9f0a90272224c8dba4dd1074621e3618d210", 0x6c}], 0x4, 0x0, 0x0, 0x4000804}, 0x40)
sendfile(r0, r2, 0x0, 0x1)

[  612.476261][T23509] binder: 23490:23509 transaction failed 29189/-3, size 24-8 line 3056
[  612.490288][T23506] binder: BINDER_SET_CONTEXT_MGR already set
[  612.556197][T23513] binder: BINDER_SET_CONTEXT_MGR already set
[  612.562327][T23513] binder: 23489:23513 ioctl 40046207 0 returned -16
[  612.562385][T23501] binder_alloc: 23490: binder_alloc_buf, no vma
[  612.576342][T23506] binder: 23495:23506 ioctl 40046207 0 returned -16
[  612.576453][T23509] binder: 23490:23509 Release 1 refcount change on invalid ref 1 ret -22
16:10:24 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  612.610980][T23501] binder: 23489:23501 transaction failed 29189/-3, size 24-8 line 3056
[  612.626448][T23496] binder_alloc: 23490: binder_alloc_buf, no vma
[  612.626670][T23506] binder: 23495:23506 BC_INCREFS_DONE u0000000000000000 no match
[  612.636726][T23520] binder: 23489:23520 Release 1 refcount change on invalid ref 1 ret -22
[  612.673319][T23509] binder: 23490:23509 BC_ACQUIRE_DONE u0000000000000000 no match
[  612.682544][T23512] binder: 23495:23512 Release 1 refcount change on invalid ref 1 ret -22
[  612.730114][T23496] binder: 23495:23496 transaction failed 29189/-3, size 24-8 line 3056
16:10:24 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  612.817454][T23501] binder: 23489:23501 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:24 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:24 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  613.166792][T23538] binder_alloc: binder_alloc_mmap_handler: 23495 20001000-20004000 already mapped failed -16
[  613.185781][T23512] binder: 23495:23512 ioctl c018620b 0 returned -14
16:10:24 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:24 executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x10)

[  613.216502][T23538] binder_alloc: 23495: binder_alloc_buf, no vma
[  613.256890][T23539] binder: 23495:23539 BC_INCREFS_DONE u0000000000000000 no match
[  613.316192][T23506] binder: 23495:23506 Release 1 refcount change on invalid ref 1 ret -22
[  613.422327][T23552] binder_alloc: 23546: binder_alloc_buf, no vma
[  613.455635][T23552] binder: 23546:23552 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:25 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x900, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
bpf$OBJ_PIN_MAP(0x6, &(0x7f0000000100)={&(0x7f00000000c0)='./file0\x00', r1}, 0x10)

16:10:25 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:25 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7a, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:25 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vfio/vfio\x00', 0x1, 0x0)
ioctl$KVM_PPC_GET_SMMU_INFO(r2, 0x8250aea6, &(0x7f0000000280)=""/130)
r3 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0xd14, 0x6200)
ioctl$VIDIOC_SUBDEV_QUERY_DV_TIMINGS(r3, 0x80845663, &(0x7f00000000c0))
dup2(0xffffffffffffffff, r0)
getsockopt$bt_sco_SCO_OPTIONS(r3, 0x11, 0x1, &(0x7f0000000180)=""/117, &(0x7f0000000200)=0x75)
fcntl$getflags(r0, 0x3)
getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f0000000380)={<r4=>0x0, 0xffff, 0x5}, &(0x7f00000003c0)=0x8)
getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r2, 0x84, 0x13, &(0x7f0000000400)={r4, 0x5}, &(0x7f0000000440)=0x8)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
fsync(r1)
r5 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r5, 0x0, 0x1)

16:10:25 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  614.117364][T23569] binder: 23559:23569 ioctl c018620b 0 returned -14
16:10:25 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x0)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  614.220233][T23569] binder: 23559:23569 BC_INCREFS_DONE node 3827 has no pending increfs request
16:10:25 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  614.329655][T23581] binder: BINDER_SET_CONTEXT_MGR already set
[  614.339303][T23581] binder: 23573:23581 ioctl 40046207 0 returned -16
16:10:25 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:25 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:26 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  614.859605][T23602] binder_alloc: binder_alloc_mmap_handler: 23559 20001000-20004000 already mapped failed -16
16:10:26 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  614.941072][T23600] binder: 23559:23600 ioctl c018620b 0 returned -14
[  614.967616][T23600] binder: BINDER_SET_CONTEXT_MGR already set
[  614.969273][T23607] binder: 23559:23607 BC_INCREFS_DONE u0000000000000000 no match
16:10:26 executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x2)

[  615.007992][T23606] binder_alloc: 23559: binder_alloc_buf, no vma
[  615.065959][   T22] binder: release 23573:23581 transaction 3829 out, still active
[  615.084083][T23600] binder: 23559:23600 ioctl 40046207 0 returned -16
[  615.104346][T23606] binder_transaction: 2 callbacks suppressed
[  615.104364][T23606] binder: 23559:23606 transaction failed 29189/-3, size 24-8 line 3056
[  615.177165][ T8164] binder: send failed reply for transaction 3826 to 23559:23564
[  615.184827][ T8164] binder: send failed reply for transaction 3829, target dead
[  615.208121][ T8164] binder: undelivered TRANSACTION_COMPLETE
[  615.233670][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:27 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x5)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$VHOST_VSOCK_SET_GUEST_CID(r1, 0x4008af60, &(0x7f0000000000))
sendfile(r0, r1, 0x0, 0x1)
syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x2, 0x2)

16:10:27 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:27 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$NBD_SET_TIMEOUT(r2, 0xab09, 0x3)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)
ioctl$sock_netdev_private(r0, 0x89f3, &(0x7f00000000c0)="48d606cba60a4d9252b774cdedff41d7087b94fd5c5a378305a6228037063403d637679e50c8c4a8c2d83572d888452018c66dff6bb303271e358c4868e1e47b9299e80270a5f9e89dcc41922f634366d9867eada85a9eee50a4f8d21983263fbfa71deb467b14e675eb18299e23bc996c15")

16:10:27 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x300, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:27 executing program 0:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  615.796716][T23633] binder: 23622:23633 ioctl c018620b 0 returned -14
16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  615.872692][T23634] binder: BINDER_SET_CONTEXT_MGR already set
[  615.883194][T23633] binder: 23622:23633 BC_INCREFS_DONE node 3835 has no pending increfs request
[  615.894812][T23634] binder: 23629:23634 ioctl 40046207 0 returned -16
[  615.902335][T23636] binder: BINDER_SET_CONTEXT_MGR already set
[  615.934138][T23634] binder_thread_write: 2 callbacks suppressed
[  615.934152][T23634] binder: 23629:23634 Release 1 refcount change on invalid ref 1 ret -22
[  615.949462][T23636] binder: 23628:23636 ioctl 40046207 0 returned -16
[  615.950136][T23648] binder: 23628:23648 Release 1 refcount change on invalid ref 1 ret -22
16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  616.540024][T23674] binder_alloc: binder_alloc_mmap_handler: 23622 20001000-20004000 already mapped failed -16
[  616.577515][T23673] binder: 23622:23673 ioctl c018620b 0 returned -14
16:10:27 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  616.595949][   T22] binder: release 23629:23634 transaction 3837 out, still active
[  616.635156][   T22] binder: release 23628:23648 transaction 3840 out, still active
[  616.652924][T23674] binder_alloc: 23622: binder_alloc_buf, no vma
[  616.655705][T23649] binder: BINDER_SET_CONTEXT_MGR already set
[  616.665175][T23649] binder: 23622:23649 ioctl 40046207 0 returned -16
[  616.684999][T23677] binder: 23622:23677 BC_INCREFS_DONE u0000000000000000 no match
[  616.733778][T23674] binder: 23622:23674 transaction failed 29189/-3, size 24-8 line 3056
[  616.781754][   T22] binder: release 23622:23623 transaction 3834 out, still active
[  616.792253][   T22] binder: send failed reply for transaction 3834, target dead
[  616.816299][   T22] binder: send failed reply for transaction 3837, target dead
[  616.840769][   T22] binder: send failed reply for transaction 3840, target dead
16:10:28 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
fcntl$addseals(r1, 0x409, 0x8)
sendfile(r0, r1, 0x0, 0x1)

16:10:28 executing program 0:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:28 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:28 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x2)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:28 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:28 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x500, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:28 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  617.070463][T23697] binder_alloc: 23692: binder_alloc_buf, no vma
[  617.083788][T23697] binder: 23692:23697 transaction failed 29189/-3, size 24-8 line 3056
[  617.089511][T23712] binder: BINDER_SET_CONTEXT_MGR already set
[  617.095977][T23714] binder: 23701:23714 ioctl c018620b 0 returned -14
[  617.130950][T23719] binder: 23692:23719 Release 1 refcount change on invalid ref 1 ret -22
[  617.142286][T23720] binder_alloc: 23692: binder_alloc_buf, no vma
[  617.155745][T23712] binder: 23699:23712 ioctl 40046207 0 returned -16
[  617.169273][T23709] binder: BINDER_SET_CONTEXT_MGR already set
16:10:28 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
setsockopt$bt_hci_HCI_DATA_DIR(r1, 0x0, 0x1, &(0x7f0000000000)=0x8001, 0x4)
sendfile(r0, r2, 0x0, 0x1)

[  617.175300][T23709] binder: 23701:23709 ioctl 40046207 0 returned -16
[  617.187731][T23697] binder: 23692:23697 BC_ACQUIRE_DONE u0000000000000000 no match
[  617.203480][T23707] binder: 23699:23707 Release 1 refcount change on invalid ref 1 ret -22
16:10:28 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  617.235753][T23720] binder: 23699:23720 transaction failed 29189/-3, size 24-8 line 3056
[  617.261139][T23709] binder_alloc: 23692: binder_alloc_buf, no vma
16:10:28 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  617.340184][T23723] binder: 23701:23723 BC_INCREFS_DONE u0000000000000000 no match
[  617.365730][T23709] binder: 23701:23709 transaction failed 29189/-3, size 24-8 line 3056
[  617.413758][T23709] binder: 23701:23709 Release 1 refcount change on invalid ref 1 ret -22
16:10:28 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  617.478537][T23707] binder: 23699:23707 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:28 executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x5)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$VHOST_VSOCK_SET_GUEST_CID(r1, 0x4008af60, &(0x7f0000000000))
sendfile(r0, r1, 0x0, 0x1)
syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x2, 0x2)

[  617.799377][T23745] binder_alloc: binder_alloc_mmap_handler: 23701 20001000-20004000 already mapped failed -16
[  617.906673][T23744] binder: 23701:23744 ioctl c018620b 0 returned -14
[  617.952631][T23723] binder_alloc: 23701: binder_alloc_buf, no vma
[  617.968117][T23744] binder: 23701:23744 BC_INCREFS_DONE u0000000000000000 no match
[  618.018636][T23745] binder: 23701:23745 Release 1 refcount change on invalid ref 1 ret -22
[  618.061436][T23723] binder: 23701:23723 transaction failed 29189/-3, size 24-8 line 3056
16:10:29 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x10001, 0x40000)
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000003c0)={<r3=>0x0, @rand_addr, @loopback}, &(0x7f0000000400)=0xc)
connect$packet(r2, &(0x7f0000000440)={0x11, 0x7, r3, 0x1, 0x8, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, 0x14)
r4 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r4, 0x0, 0x1)
ioctl$PPPIOCSMRRU(r4, 0x4004743b, &(0x7f0000000000)=0x3f)
fcntl$setlease(r1, 0x400, 0x0)

16:10:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:29 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:29 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x600, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:29 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$FS_IOC_GETFSLABEL(r0, 0x81009431, &(0x7f00000000c0))
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  618.548576][T23769] binder: 23758:23769 ioctl c018620b 0 returned -14
16:10:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:30 executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000223fd4)=[@in6={0xa, 0x4e23}], 0x1c)
sendto$inet6(r0, &(0x7f0000aaff09)="b8", 0x1, 0x0, 0x0, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f0000f81000)={0x0, @in6={{0xa, 0x4e23, 0x0, @loopback}}}, &(0x7f0000f81000)=0x90)

[  618.650383][T23770] binder: BINDER_SET_CONTEXT_MGR already set
[  618.658981][T23770] binder: 23766:23770 ioctl 40046207 0 returned -16
[  618.707049][T23770] binder: 23766:23770 Release 1 refcount change on invalid ref 1 ret -22
16:10:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:30 executing program 0:
r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xf7c, 0x8000000000001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = socket$inet6(0xa, 0x40000000000002, 0x0)
bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e24, 0x0, @dev, 0x3}, 0x1c)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$sock_FIOGETOWN(0xffffffffffffffff, 0x8903, 0x0)
ioctl$sock_SIOCSPGRP(r0, 0x8902, 0x0)
syz_open_procfs(0x0, 0x0)
pipe(&(0x7f0000000380))
ioctl$SIOCGSTAMP(0xffffffffffffffff, 0x8906, 0x0)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000000)={0xa, 0x8000002}, 0x1c)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = socket$inet6(0xa, 0x1000000000002, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000000)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
r6 = dup2(r5, r3)
write$P9_RSTATFS(r6, &(0x7f0000000280)={0x43}, 0x43)
recvmmsg(r4, &(0x7f0000000b80)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0)
getsockopt$inet_mtu(0xffffffffffffffff, 0x0, 0xa, 0x0, 0x0)
madvise(&(0x7f0000003000/0x4000)=nil, 0x4000, 0x0)

16:10:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:30 executing program 0:
r0 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000300)={'nr0\x01\x00', 0x4005})
bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000880)={0xffffffffffffffff, 0x9, 0x8}, 0xc)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
r2 = socket$kcm(0x29, 0x5, 0x0)
ioctl$TUNSETVNETHDRSZ(r1, 0x400454d8, &(0x7f0000000080)=0x81)
ioctl$TUNGETIFF(r1, 0x800454d2, &(0x7f0000000000))
ioctl$PERF_EVENT_IOC_SET_FILTER(r2, 0x8914, &(0x7f0000000500)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&')
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000040)='io.stat\x00', 0x0, 0x0)
write$cgroup_subtree(r1, &(0x7f00000000c0)={[{0xf5ffffff, 'c\x86\xdd'}]}, 0xfdef)
ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, &(0x7f0000000900))
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
write$cgroup_int(r3, &(0x7f0000000340), 0x12)
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f00000006c0)={&(0x7f0000000100)=@in={0x2, 0x0, @local={0xa}}, 0x80, &(0x7f0000000640), 0x0, &(0x7f0000000800)=ANY=[@ANYBLOB="2000000000130008091300d8f2ffffc02a63de5ab900"], 0x16}, 0x0)
perf_event_open(0x0, 0x0, 0x10, r0, 0x0)
recvmsg(0xffffffffffffffff, 0x0, 0x1)
r4 = bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000780), 0x4)
bpf$BPF_PROG_DETACH(0x9, &(0x7f00000007c0)={0x0, r4, 0x0, 0x3}, 0x14)
openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000680)='cpuacct.usage_percpu\x00', 0x0, 0x0)

[  619.299410][T23777] binder_alloc: binder_alloc_mmap_handler: 23758 20001000-20004000 already mapped failed -16
[  619.311373][T23809] device nr0
 entered promiscuous mode
[  619.326294][T23815] binder: BINDER_SET_CONTEXT_MGR already set
[  619.342509][T23777] binder: 23758:23777 ioctl c018620b 0 returned -14
[  619.349306][T23815] binder: 23758:23815 ioctl 40046207 0 returned -16
[  619.357917][ T2993] binder: release 23766:23770 transaction 3854 out, still active
[  619.378011][T23817] binder_alloc: 23758: binder_alloc_buf, no vma
[  619.389935][T23818] binder: 23758:23818 BC_INCREFS_DONE u0000000000000000 no match
[  619.403336][T23817] binder: 23758:23817 transaction failed 29189/-3, size 24-8 line 3056
[  619.429977][T23759] binder: 23758:23759 Release 1 refcount change on invalid ref 1 ret -22
[  619.442802][ T8164] binder: release 23758:23777 transaction 3851 out, still active
[  619.464506][ T8164] binder: send failed reply for transaction 3851, target dead
[  619.489377][ T8164] binder: send failed reply for transaction 3854, target dead
16:10:30 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x4)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:30 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
pause()
mlockall(0x3)
ioctl$SNDRV_CTL_IOCTL_PCM_INFO(r1, 0xc1205531, &(0x7f00000000c0)={0xffffffffffffffc0, 0x7, 0x80000001, 0x9, [], [], [], 0x3, 0x8, 0x7b67, 0x40000, "d1073307d83cf47b7d0ad1a54437b3f3"})
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
setsockopt$bt_BT_SNDMTU(r2, 0x112, 0xc, &(0x7f0000000000)=0x1, 0x2)

16:10:30 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:30 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x700, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  619.655511][T23838] binder: 23829:23838 ioctl c018620b 0 returned -14
[  619.674880][T23824] binder_alloc: 23823: binder_alloc_buf, no vma
[  619.700226][T23824] binder: 23823:23824 transaction failed 29189/-3, size 24-8 line 3056
[  619.731297][T23830] binder: BINDER_SET_CONTEXT_MGR already set
[  619.738213][T23824] binder: 23823:23824 Release 1 refcount change on invalid ref 1 ret -22
[  619.749367][T23830] binder: 23829:23830 ioctl 40046207 0 returned -16
[  619.768059][T23830] binder_alloc: 23823: binder_alloc_buf, no vma
16:10:31 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$int_out(r0, 0x2, &(0x7f0000000000))
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  619.786970][T23830] binder: 23829:23830 transaction failed 29189/-3, size 24-8 line 3056
[  619.802160][T23824] binder: 23823:23824 BC_ACQUIRE_DONE u0000000000000000 no match
[  619.824332][T23842] binder: 23829:23842 BC_INCREFS_DONE u0000000000000000 no match
[  619.843744][T23830] binder: 23829:23830 Release 1 refcount change on invalid ref 1 ret -22
16:10:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:31 executing program 0:
r0 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000300)={'nr0\x01\x00', 0x4005})
bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000880)={0xffffffffffffffff, 0x9, 0x8}, 0xc)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
r2 = socket$kcm(0x29, 0x5, 0x0)
ioctl$TUNSETVNETHDRSZ(r1, 0x400454d8, &(0x7f0000000080)=0x81)
ioctl$TUNGETIFF(r1, 0x800454d2, &(0x7f0000000000))
ioctl$PERF_EVENT_IOC_SET_FILTER(r2, 0x8914, &(0x7f0000000500)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&')
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000040)='io.stat\x00', 0x0, 0x0)
write$cgroup_subtree(r1, &(0x7f00000000c0)={[{0xf5ffffff, 'c\x86\xdd'}]}, 0xfdef)
ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, &(0x7f0000000900))
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
write$cgroup_int(r3, &(0x7f0000000340), 0x12)
sendmsg$kcm(0xffffffffffffffff, 0x0, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f00000006c0)={&(0x7f0000000100)=@in={0x2, 0x0, @local={0xa}}, 0x80, &(0x7f0000000640), 0x0, &(0x7f0000000800)=ANY=[@ANYBLOB="2000000000130008091300d8f2ffffc02a63de5ab900"], 0x16}, 0x0)
perf_event_open(0x0, 0x0, 0x10, r0, 0x0)
recvmsg(0xffffffffffffffff, 0x0, 0x1)
r4 = bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000780), 0x4)
bpf$BPF_PROG_DETACH(0x9, &(0x7f00000007c0)={0x0, r4, 0x0, 0x3}, 0x14)
openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000680)='cpuacct.usage_percpu\x00', 0x0, 0x0)

16:10:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  620.262726][T23857] device nr0
 entered promiscuous mode
16:10:31 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  620.406328][T23865] binder_alloc: binder_alloc_mmap_handler: 23829 20001000-20004000 already mapped failed -16
[  620.479107][T23864] binder: 23829:23864 ioctl c018620b 0 returned -14
[  620.511102][T23864] binder_alloc: 23829: binder_alloc_buf, no vma
[  620.554042][T23865] binder: 23829:23865 BC_INCREFS_DONE u0000000000000000 no match
[  620.605339][T23864] binder: 23829:23864 transaction failed 29189/-3, size 24-8 line 3056
[  620.620369][T23871] binder_alloc: 23870: binder_alloc_buf, no vma
[  620.635474][T23871] binder: 23870:23871 transaction failed 29189/-3, size 24-8 line 3056
[  620.674450][T23871] binder: 23870:23871 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:32 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x2000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:32 executing program 5:
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0xffffffffffffff2d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0xffffffdfffffffff)
r0 = getpgid(0xffffffffffffffff)
r1 = syz_open_procfs(r0, &(0x7f00000000c0)='net/rt_acct\x00')
fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f0000000000))
sendfile(0xffffffffffffffff, r1, 0x0, 0x1)
getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f00000012c0)={{{@in6=@initdev, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r2=>0x0}}, {{@in6=@dev}, 0x0, @in=@local}}, &(0x7f00000013c0)=0xe8)
fstat(r1, &(0x7f0000001400)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
gettid()
r4 = geteuid()
syz_mount_image$erofs(&(0x7f0000000100)='erofs\x00', &(0x7f0000000180)='./file0\x00', 0xff, 0x2, &(0x7f0000001280)=[{&(0x7f00000001c0)="5e9ba78fd8f059334ab56ad18dea3d9a105c77108a64f3c150b7514a7f833a9837a9f2a2977f3ec282febf99422646481f7ce776dd67b1534382fbe5104e589abd970a041b7de7238af51a17df0e3211cbfabf011ac8d110d443f87adeeb621378bab9d66d2516cb606655be139f641c0fa5765e4d00a2b04b5ad292f590576ec97e4c5d876a289ba071d21d5d741d222ac158e1bcd4edaa", 0x98, 0x8}, {&(0x7f0000000280)="b9f0096dbdb8741c470ed1db0f3a8e2641a110998085663474585d1af51503216e32af1e083a7da1a393e4e511b6be83237183f5acb0f92f2ffd9db6a6a2b437cb74ec2853912e7ca696d86411b6909ad4e66ed91701780beea2ff7bbcbf4242afbb9c59ee42e6422a2595bc323c4d340f3d5783455c1a8288978d1b43580c98e6f5ae4ac8b583360c4476f711f29c6e80134c90678db0a8dce63f982baf54616645a9a593981787cbd1c11f51e0cc9c7fe02e39e38b3e0d5e9699be894127f5270b2b1822dc825c9a1b257a63ee76424829316d14d1e132be35ef08291b73996cda2684cac93aeaa5a1d2a39b3bcde1270690bbd3ea9a61b613c5e86a2ab83fa297080502f73489c5f6b034f8dec4eb4707c0966943a592bd23aca2e342426763361c8ea4512aab6c284c0aea1b7b313b26cba8d38c60aa2c02587e133856999a38dffe4248c8ff9724a888ead7dfc6c4c0f9150e544714b5a79679a2c9c90e49e1800facbfb30639b9747f7b856f6e4feb0431138eb13fcc9def7574e9bab46a72975108a79f18de6735b43a7ec7264c8b439956c42413da6d80f51f0c75ba18b16875d300a3ca63378a376c6ef35dfa9815b6ff8d5a5b380c716484837f64fb1a87be11d3e5725714006a4b737fc10584833ba386d043ac526d70f9e6290e7af21bd4059310a4b5bdf5894a5062bbb8e9c19c62327a8e2e289cb8b4e993679fbe1094d650d2beecab2ddcc8795dca0b9c560920cac9445e09ef2b12e440d86301c197038f5a70f224786bb683a65e7609ad7bdba4f3daf7c6fadeff7a72eafbb973292f3eb5fb4b9dd476dc875679c35b90c1ba163572f48a139ed1a13e98b7ce2eb6ce83718f238683a6b331f00baf5a7b009412f4275f96d46a947fa6dea0fe090d6c913055d2b082002b326cde25ed68430202d6cf157c1edc57eeb5929b38b3972b8540cbaab3d192abafa649a0868b80764c0c916d62b346f6afb1a21897f104f9e5d08480cdc9a4a1d2b88fa2529ecd1b2b566e09e52f43c3580c65b7b3cf4bf126bddd8823497e629555aa22c6838262b53ced8bf45520399fb2c800618f543579b9465fef47ee9880861347cdf7f320145e3154856ab71def6e84d536b579e6a32764608383531a88268901956fd569e5c119a6e22da287291c13389c8d7844168f987cc9699619cd5c99f08b754614ca9f6b0f10863ea095c7f810cb6193b8efa0fb69a5be0b7c968c85a0786597f973152fb2d02966e8f5985341cbe81f51bebe604faca0be8510b1e1056ca6dd99cc3b5c572b2f963981cb061604ecaa8bca016ef3be0508b336b57a53944ec2ec739af573412c745b74bdf02a209637402a53464be1e22fcb661d008d1dc90592aa249d2170423d8d5c87220139a4a674ba4435d53f996ac18a7e58f0fb4d2510153a984b0918688bd8506d5b8b3b5683067f9f25152cc28f2cfcad6016188ee28fd4f253d154cc7217e4812dcf8c09c70587b54554f0b52b9cb1730958715800b7e7d3b6cdf47c394397a07b1c697468798a76d69b6c77f3e9e5d5fcfa39efaabfa5bdc118821d7fad35fb5801204b97e6888b173dec4eb7fe5fd29567d5815e8234fe0458d0d1efbd6ef087610f682654e308542b3cdfea8f540f5cee46c4c44599b5274a8aa038f7fbac9b7896d51b4ec887fa2ca10c1d8ffa8e62a7c5a6c0c13cf6f8065dd7aaf1ce6d49814b1c455d02bd7cf6e7e0a54b7f6d4aa6202b4a3451b3dd1f4b77ae7144befe972a3596c300f74ea4706e70fa3aac106a7ca6a84b895ab2f41bf059771d1991a49279ab50e0e54c1c9bc4173221f0f4e70cb2a38f98ed02d85b237140ce1545521a1173b21355bf1c75f69f2aa686d3cb9ca8351e73919a7498b30d37026827d8a4637ebe9470f7004c56128eedb967ff9ecc29a466156b2cbba517a6b2e5368b4f6e68640504ad08071a9e05c07dc94ff54060f517dc1081f40a3e268334084ae1bc2586e6948287abea5a16466f85f636794ee76d89ea81cec30906a28dacea668bdb54de157f91e0a46d9490ec3810beaaa0bab9d897806b42a1e4880b5ac33b7e9661bca59bb711d96d37776fe5ae1945905a8db48ea65dcfd63e9fc13832c572e90995a15f7eded0886053492aa574c402d21f57227e3aaaf03b0151b1fc150770aab97d18b7fccf270ef270aedf667eec454654267891f739d5224c118b1e4cdcf6d5e3cee507278a8f415c320e57adbc984f35c5025a0352274ca8bf78721162795349d034df5a3e8c8ff26374fdb478b957e0791069d82e62fc4944a25621d2a9448c2b98ef4ad2145413fb4f1931fe3d5658d501d579328286ee4c5559bc45e7ab5c3100361fa7ef998c8d7aa2e1730c599d627604e52ef1b7c28cef6a9ff2d85e432557f9c2adeedb9e87e5d9114a80129f2e01af6052a38fe8ee585c55912845d01584cf234000b71e7330459a01ca5fc1fe6b890196dc27fed0f4163f997363e1e0ca85475f2a4dfbaf7ff78ab883bebcecea1e16c8840ceec1c17b8f12cb591984c48a583aeaca63f877a3d6c9ada0b183768ea6c1f67b3bf2f9fcacdcef03c34a0d593743b9426df232b669812eaab2031a5cb699ce4d40f35d43ed70bc8f9ed93670cafe8cd45c133c1e1b5cecd4063dec2538d25ba62196f6eea905599ea3fc15d4800a5053f0305055f9b16a96476486bb618ba129996516608ce4119316754bf875a3d9085abae9fd8edab97945d1cab44456a958c06432dd21a0087c519daecd16731bab1ec12bbc944459edca70e0fd10685fd41229d65442755084bfa8361c4d6613205838e398bc4ba80556520a8f0d49c335bf6854ec6a20e75ee248aa56e317dd4badf5076d642706fd4e63ae8e8f4d01b7fae6160bd2de96993e4ecc8e8cab597045fe806b1b49cca3f19aef062c3cc3f6252734f6393785523b69954ffcdd386561e90b3f8c076aa49269a7dd2f75e27a7ba0b8a4a07216cf0931e1ebe517ec1878e5682146bf9014b11c14e16006ffdd855928448ec51569ecbd3abb4c47c4cc5401fd75dbef4badc41c8e0c0d562d9d647b4f9d31f0874e652c6cae46f0ccfd5ca7bcc31c2434465918cf4e4a9cf082c8d22cfb60082e02497ab024f2d1e69cbb3562e756dbf7e8f5610686fc796f64f0c1174d8e3e88e51862602bcf24bc73d06143085280cba85ac17eaf4fcfec016cae92a0dea4f6053757892937fce34fc33a0b3660777a85c0584d8f84d5ce9fd89c60a6603c864a22a55c703b7e29a03fdfbf275652f036c740fd2ce02f3b415f9d5ad6fc448f9db9766913472df3e169556dcef703964751a7f296e6d805373555ff4bd8006a4b845cefef3c5ac3de2afb97435c2331d3bcf34ff8b36924dad93960f7341119a99875a76c1b4bd063d6fdfcfe0d3b66c7ed624ce07d42c2ffbf4efda952cbf30ef7d175c54fc6999a909631b81f5f9a3a517f892347143e0df1baebaa34d9b4d22090899a4cd7704c9505f147574cdc353f359fe8f64d770733b2240becaf799ae50a3587914dcc6095411610fef9d4d04a9f1ec2b7704e55d8e6c2cfed6413e11da6b9f35328d847bb56ac207b971d3cd7010bcd80e054a3b4f5182dd669f3cb236f266303a081ed600358f4eaba2a50bb03a36dd99b523bc91634029ca6d7b0defe5c4a92f350947a42361721a549e6efc305765c0b63b34abe42d7efdf62798ffbfed5aec424b22c3dc36473defeb8ae33ea7e3d3e11bdc440066a21f3bd6f228882dca30cda69d95aa57c4101b50a44887cd4a9de42f68b0bf43635938ea23082b248beb5a824e8ca8d8ab0bc6f85789fafa43a3240143b483bd12a362fa46b326b6e3a332cb7f35adb316ac4ed65ef3471eaa14cb4f6a6bd49800d6db6c9f27af1ec30bb1acc093027fffb385d3eb6731743debeeb30dce4de480186473afcb64d64b3846eaafd95aadff421ab6df9edf4049043aba11ae8510c28aa9a67b68825fd9f667c10d916dc6e08ce52e92d29f623dd720571ae7750e73273a043b21b2f7291960e229d0c1f8782674e32715dadab1a7ff5bd420ce215bc18ab803d78ed3c723f5b26ee55f4a24e696523d2dd8a83ab7d63fc4e8ce324a1f929215e0ba325fc66de519d84685cbc122985af1fb5630cde4e39073430a2c0d19e6e80ad9cc4019cc0ac4bf8daec39ccdae04a22199921c3edde7ae816658a1b07f4e1678febfefd106b0fd28b98f55b09eb98bb2a1ed75e0e06f054510f42836e86db96a08d3672b08bf4a2bc57bc7334a32c3f5a6e2ff2bad91a07da79cbee4755102c38670977597bc70d9cfda79cc098b985da9579f1916064e83fdeb8a9f4ccfd838841db009040a60b2fa95905dfda9d56711c4b166eafc2fd21c91e816837f462b18770a9d39ab2c5884fe00743eae2d1dee6e3e0ece6085fdc0cec96496cd92b5001d4f2c7b113ef2d5eadda54838249466d1dc7e30f1c0682cb0c42358892f8408d232c6ac300a781cddfcb4ae42401787dc14ea1a767d186050294c308830c6a47575c73c97b3e4c51480ab78e328523f9cf65500a6a8ed0c9cb9b456adb48f8c75d4575191b3d4d894489d3b627cbe5cc2910bbd5ac163cad8bb2cb2b741b98ce2bb1c7e86096d09311f78db20f586a496c78683b96e8d8f1eb4a166425df881924d717a3a4a7918b353a73bff5bfd073994a8c95c402dfc733d7412ccb25f314c9a6a884ba4019aaa2a60fe3006e6d298e90f736fef08b3d160fced2548e42a1d766e277e0e9fd1c017cc01fab0ba590465bdaaf7e910d8ad527413fa13035916a518ae97cb23ed12e98034359cd2fe1447f94e19965fb560847410b0ba746e5d499d7bd25f9758a995e2b62b2881c1e00289e193b518eb3417f0ffd0054730913cf713eb48659086d51c7356530b884c74c19b6d55e53086af38af5071fc296382b8c3f5f5e311f3330bf174765cba345c142c4a6fe62ee836daa31c1cbf1e232086258591472f9c0b5387a4b297ea4ad7aebcf1c91389064af660e5fac1c6ce62c24b43370d412bec62a60873f79a9dd11b5918cba0d1ca63d2f552684abcf71aab59c67509ad5223dc3d9e7f644cb72d8ac99d90b505c2d102dea7aa1fca49b3e1bebd9bb4847b04ab3fa11affd7194923ffc7fba63c90b48d1d04be473af07a0d7a2bd1b8fb52696c0fbc57cc5ae82fcb1efd1bc91f77a236400c6e20f0ae1d5c03aecc90e555be721de617cc492fc42499abb47c2940c02951fc563108cc7d3c350dec4a06fbb846af1cede3a56eaffb67a9e9193469eb6bda060b6328c768efd2da503bc00e2be770d3e4d8ddf5e1c3aa846e2293d6169b8511088f3efd0b085426c27cc41bacd52cf323948b231d3afc92adf1a758e84bebb87b571d5012043670d68e3809a1c3e999483a5ecd237368e42033a9fae043006a87f06d6ee522bd1ced94451a679f357210c50d5e02c7f62b2a4fe2688ee6937f47fc46f7d3ac00d2fa99f6153bbc33d43e5eb681d0479b2d3b1ad3392c7afd8d99ac82149ab35e4a4114598047e08c6901c580cfa93359ba49de2c28c67c28b20b9908f542b816b30eb66339d8907656f340b9d9ad90bbf2b7806256529b9756da31d9bf8dfba2a84b964c410cd21412b6bf356e8a28342e2eb4e7696fdc40c22046fa5a874e9322ddc63c1dea2f9176e9097760c0a6f9692a159c54824c982b48533617936da60a2bc6dc29b8dcb6ada2ca6f4186ec9c193fbdb0dc0caca5323a6435c82a212645084e887c656b924ec3f3938211bd619c6", 0x1000}], 0x4004, &(0x7f0000001480)={[{@nouser_xattr='nouser_xattr'}], [{@smackfsfloor={'smackfsfloor'}}, {@context={'context', 0x3d, 'system_u'}}, {@uid_gt={'uid>', r2}}, {@euid_eq={'euid', 0x3d, r3}}, {@fowner_eq={'fowner', 0x3d, r4}}, {@obj_user={'obj_user', 0x3d, 'net/rt_acct\x00'}}]})

[  620.879672][T23882] binder: 23879:23882 ioctl c018620b 0 returned -14
[  620.962017][T23882] binder: BINDER_SET_CONTEXT_MGR already set
[  621.002453][T23882] binder: 23879:23882 ioctl 40046207 0 returned -16
[  621.041387][T23887] erofs: read_super, device -> /dev/loop5
[  621.075209][T23880] binder: 23879:23880 transaction failed 29189/-3, size 24-8 line 3056
[  621.084915][T23887] erofs: options -> nouser_xattr,smackfsfloor=,context=system_u,uid>00000000000000000000,euid=00000000000000000000,fowner=00000000000000000000,obj_user=net/rt_acct
[  621.105910][T23887] erofs: cannot find valid erofs superblock
[  621.165729][T23882] binder: 23879:23882 BC_INCREFS_DONE u0000000000000000 no match
[  621.211710][T23880] binder_thread_write: 2 callbacks suppressed
[  621.211725][T23880] binder: 23879:23880 Release 1 refcount change on invalid ref 1 ret -22
16:10:32 executing program 5:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='oom_score\x00')
getsockopt$EBT_SO_GET_INFO(r0, 0x0, 0x80, &(0x7f00000000c0)={'nat\x00'}, &(0x7f0000000140)=0x78)
r1 = syz_open_dev$sg(&(0x7f00000000c0)='/dev/sg#\x00', 0x0, 0x8c02)
write(r1, &(0x7f0000000000)="b63d06003f0004000000ed69d2bc7037cebc82c2de96aa0faeaa6f1602b9107d425db695bbe9cad006de5db6ec75d2e1", 0x30)
socketpair$unix(0x1, 0x4, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r2, r3, 0x0, 0x1)
remap_file_pages(&(0x7f0000ffb000/0x2000)=nil, 0x2000, 0x0, 0x9, 0x1020)

16:10:32 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:32 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:32 executing program 0:
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000080)='./cgroup.net/syz0\x00', 0x200002, 0x0)
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
r2 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0)
ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x18)
socket$kcm(0x2, 0x3, 0x2)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000380)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;<\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xc6\x0f\xd7\x14\x0f\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4N')
r3 = openat$cgroup_ro(r2, &(0x7f0000000100)='cgroup.stat\x00', 0x0, 0x0)
ioctl$TUNSETLINK(r3, 0x400454cd, 0x10f)
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000040)={'nr0\x01\x00', 0x801})
ioctl$TUNSETLINK(r4, 0x400454cd, 0x308)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'veth1_to_bridge\x00', 0x4000})
socketpair$unix(0x1, 0x0, 0x0, 0x0)
ioctl$SIOCSIFHWADDR(r4, 0x8924, &(0x7f0000000000)={'ipddp0\x00', @random="ed5f10915bd6"})
openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000000c0)='./cgroup.cpu/syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(0xffffffffffffffff, 0x0, 0x2, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x40082406, &(0x7f0000000700)='\x00')
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)

[  621.598145][T23913] binder: 23902:23913 transaction failed 29189/-3, size 24-8 line 3056
[  621.629496][T23913] binder: 23902:23913 Release 1 refcount change on invalid ref 1 ret -22
[  621.639109][T23883] binder_alloc: binder_alloc_mmap_handler: 23879 20001000-20004000 already mapped failed -16
[  621.674337][T23883] binder: 23879:23883 ioctl c018620b 0 returned -14
[  621.703302][T23916] binder: BINDER_SET_CONTEXT_MGR already set
[  621.721546][T23903] binder: 23902:23903 BC_ACQUIRE_DONE u0000000000000000 no match
[  621.770969][T23916] binder: 23879:23916 ioctl 40046207 0 returned -16
[  621.782933][T23911] device nr0
 entered promiscuous mode
[  621.848767][T23883] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  621.848776][T23883] binder_alloc: 23902: binder_alloc_buf, no vma
[  621.873386][T23916] binder: 23879:23916 BC_INCREFS_DONE u0000000000000000 no match
[  621.897070][T23882] binder: 23879:23882 Release 1 refcount change on invalid ref 1 ret -22
[  621.897451][T23883] binder: 23879:23883 transaction failed 29189/-3, size 24-8 line 3056
16:10:33 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:33 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x3f00, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:33 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r0 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$SNDRV_RAWMIDI_IOCTL_DRAIN(r0, 0x40045731, &(0x7f0000000000)=0x10001)

16:10:33 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x10001, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x2, 0x2, 0xfffffffffffffffc, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x1, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc}, 0x0, 0xffffffffffffffff, r1, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:33 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  622.418018][T23943] binder: 23928:23943 ioctl c018620b 0 returned -14
[  622.490342][T23938] binder: BINDER_SET_CONTEXT_MGR already set
[  622.501342][T23938] binder: 23936:23938 ioctl 40046207 0 returned -16
[  622.531494][T23938] binder: 23936:23938 Release 1 refcount change on invalid ref 1 ret -22
[  623.137720][T23953] binder_alloc: binder_alloc_mmap_handler: 23928 20001000-20004000 already mapped failed -16
16:10:34 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(r0, 0xffffffffffffffff)
r2 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$FS_IOC_SETFLAGS(r2, 0x40086602, &(0x7f0000000000)=0x4925)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)

16:10:34 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  623.200032][T23947] binder: 23928:23947 ioctl c018620b 0 returned -14
[  623.200836][T23955] binder: BINDER_SET_CONTEXT_MGR already set
[  623.274307][T23955] binder: 23928:23955 ioctl 40046207 0 returned -16
[  623.302454][T23953] binder_alloc: 23928: binder_alloc_buf, no vma
[  623.315654][T23953] binder: 23928:23953 transaction failed 29189/-3, size 24-8 line 3056
[  623.429214][T23966] binder: BINDER_SET_CONTEXT_MGR already set
[  623.436580][T23966] binder: 23962:23966 ioctl 40046207 0 returned -16
[  623.468154][T23966] binder_alloc: 23928: binder_alloc_buf, no vma
[  623.488106][T23966] binder: 23962:23966 transaction failed 29189/-3, size 24-8 line 3056
[  623.513405][T23966] binder: 23962:23966 Release 1 refcount change on invalid ref 1 ret -22
[  623.550642][T23966] binder: 23962:23966 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:35 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:35 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:35 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:35 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(r1, r0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

[  624.843767][   T22] binder: release 23936:23938 transaction 3873 out, still active
16:10:36 executing program 0:
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000080)='./cgroup.net/syz0\x00', 0x200002, 0x0)
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
r2 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0)
ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x18)
socket$kcm(0x2, 0x3, 0x2)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000380)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;<\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xc6\x0f\xd7\x14\x0f\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4N')
r3 = openat$cgroup_ro(r2, &(0x7f0000000100)='cgroup.stat\x00', 0x0, 0x0)
ioctl$TUNSETLINK(r3, 0x400454cd, 0x10f)
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000040)={'nr0\x01\x00', 0x801})
ioctl$TUNSETLINK(r4, 0x400454cd, 0x308)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'veth1_to_bridge\x00', 0x4000})
socketpair$unix(0x1, 0x0, 0x0, 0x0)
ioctl$SIOCSIFHWADDR(r4, 0x8924, &(0x7f0000000000)={'ipddp0\x00', @random="ed5f10915bd6"})
openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000000c0)='./cgroup.cpu/syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(0xffffffffffffffff, 0x0, 0x2, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x40082406, &(0x7f0000000700)='\x00')
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)

16:10:36 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000180)='/dev/btrfs-control\x00', 0xc00, 0x0)
setsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f00000001c0)=0x3, 0x4)
getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000000280)={<r2=>0x0, @empty, @local}, &(0x7f0000000440)=0xfffffe32)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r1, 0xc04c5349, &(0x7f0000000200)={0x9, 0x400, 0x81})
ioctl$TUNSETIFINDEX(r1, 0x400454da, &(0x7f0000000380)=r2)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = creat(&(0x7f0000000000)='./file0\x00', 0x60)
getsockopt$IP6T_SO_GET_INFO(r3, 0x29, 0x40, &(0x7f00000000c0)={'raw\x00'}, &(0x7f0000000140)=0x54)
r4 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r4, 0x0, 0x1)

16:10:36 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4800, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:36 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
ioctl$TIOCGPGRP(r1, 0x540f, &(0x7f0000000000)=<r3=>0x0)
syz_open_procfs(r3, &(0x7f00000000c0)='coredump_filter\x00')

16:10:36 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:36 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  624.905229][   T22] binder: send failed reply for transaction 3870 to 23928:23947
[  624.913340][   T22] binder: send failed reply for transaction 3873, target dead
[  624.965430][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:36 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  625.039446][T24020] binder: 24002:24020 ioctl c018620b 0 returned -14
[  625.096939][T24024] binder_alloc: 24009: binder_alloc_buf, no vma
[  625.112216][T24012] binder: BINDER_SET_CONTEXT_MGR already set
[  625.122861][T24024] binder: 24009:24024 transaction failed 29189/-3, size 24-8 line 3056
[  625.141038][T24012] binder: 24002:24012 ioctl 40046207 0 returned -16
[  625.200045][T24013] binder: 24009:24013 Release 1 refcount change on invalid ref 1 ret -22
16:10:36 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  625.262598][T24012] binder_alloc: 24009: binder_alloc_buf, no vma
16:10:36 executing program 0:
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000080)='./cgroup.net/syz0\x00', 0x200002, 0x0)
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
r2 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0)
ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x18)
socket$kcm(0x2, 0x3, 0x2)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000380)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;<\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xc6\x0f\xd7\x14\x0f\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4N')
r3 = openat$cgroup_ro(r2, &(0x7f0000000100)='cgroup.stat\x00', 0x0, 0x0)
ioctl$TUNSETLINK(r3, 0x400454cd, 0x10f)
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000040)={'nr0\x01\x00', 0x801})
ioctl$TUNSETLINK(r4, 0x400454cd, 0x308)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'veth1_to_bridge\x00', 0x4000})
socketpair$unix(0x1, 0x0, 0x0, 0x0)
ioctl$SIOCSIFHWADDR(r4, 0x8924, &(0x7f0000000000)={'ipddp0\x00', @random="ed5f10915bd6"})
openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000000c0)='./cgroup.cpu/syz1\x00', 0x200002, 0x0)
openat$cgroup_subtree(0xffffffffffffffff, 0x0, 0x2, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x40082406, &(0x7f0000000700)='\x00')
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)

[  625.336908][T24020] binder: 24002:24020 BC_INCREFS_DONE u0000000000000000 no match
[  625.375810][T24012] binder: 24002:24012 transaction failed 29189/-3, size 24-8 line 3056
16:10:36 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  625.446850][T24012] binder: 24002:24012 Release 1 refcount change on invalid ref 1 ret -22
16:10:37 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x0, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:37 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  625.766753][T24062] binder_alloc: binder_alloc_mmap_handler: 24002 20001000-20004000 already mapped failed -16
[  625.803419][T24064] binder_alloc: 24050: binder_alloc_buf, no vma
[  625.817442][T24061] binder: 24002:24061 ioctl c018620b 0 returned -14
[  625.829616][T24041] device nr0
 entered promiscuous mode
[  625.835832][T24064] binder: 24050:24064 transaction failed 29189/-3, size 24-8 line 3056
[  625.864192][T24061] binder: BINDER_SET_CONTEXT_MGR already set
[  625.864279][T24066] binder: 24002:24066 BC_INCREFS_DONE u0000000000000000 no match
[  625.891121][T24051] binder: 24050:24051 Release 1 refcount change on invalid ref 1 ret -22
[  625.909863][T24062] binder_alloc: 24050: binder_alloc_buf, no vma
16:10:37 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x0, 0x0)
ioctl$TIOCMBIC(r1, 0x5417, &(0x7f00000000c0)=0x1)
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

[  625.931683][T24051] binder: 24050:24051 BC_ACQUIRE_DONE u0000000000000000 no match
[  625.949292][T24061] binder: 24002:24061 ioctl 40046207 0 returned -16
[  625.980055][T24062] binder: 24002:24062 transaction failed 29189/-3, size 24-8 line 3056
[  626.045324][T24067] binder: 24002:24067 Release 1 refcount change on invalid ref 1 ret -22
16:10:38 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2)
mmap$binder(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x6, 0x98113, r2, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)
ioctl$EXT4_IOC_RESIZE_FS(r0, 0x40086610, &(0x7f00000000c0)=0x7)

16:10:38 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:38 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4c00, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:38 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x0, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:38 executing program 5:
r0 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x1, 0x2)
setsockopt$l2tp_PPPOL2TP_SO_RECVSEQ(r0, 0x111, 0x2, 0x1, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

[  627.171980][T24096] binder: 24085:24096 ioctl c018620b 0 returned -14
[  627.221752][T24087] binder: BINDER_SET_CONTEXT_MGR already set
[  627.238147][T24087] binder: 24085:24087 ioctl 40046207 0 returned -16
[  627.264452][T24087] binder_alloc: 24050: binder_alloc_buf, no vma
[  627.305803][T24087] binder: 24085:24087 transaction failed 29189/-3, size 24-8 line 3056
[  627.352486][T24087] binder: 24085:24087 BC_INCREFS_DONE u0000000000000000 no match
[  627.377894][T24087] binder: 24085:24087 Release 1 refcount change on invalid ref 1 ret -22
16:10:38 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x0, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:39 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x0, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  627.923271][T24118] binder_alloc: binder_alloc_mmap_handler: 24085 20001000-20004000 already mapped failed -16
[  627.991986][T24117] binder: 24085:24117 ioctl c018620b 0 returned -14
[  628.006354][T24118] binder: BINDER_SET_CONTEXT_MGR already set
[  628.021883][T24118] binder: 24085:24118 ioctl 40046207 0 returned -16
[  628.031778][T24117] binder: 24085:24117 BC_INCREFS_DONE u0000000000000000 no match
16:10:40 executing program 0:
perf_event_open(&(0x7f0000000180)={0x200000001, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0)
ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r0, 0x40086602, 0x400007)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000680)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_subtree(r0, &(0x7f0000000100)=ANY=[], 0xff4a)
write$cgroup_subtree(r1, &(0x7f0000000000)=ANY=[], 0x20032600)
ioctl$EXT4_IOC_MIGRATE(r1, 0x6609)

16:10:40 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x0, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:40 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$TIOCMGET(r1, 0x5415, &(0x7f0000000000))
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x1)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
setsockopt$inet6_tcp_TLS_RX(r1, 0x6, 0x2, &(0x7f00000000c0), 0x4)
sendfile(r0, r2, 0x0, 0x1)

16:10:40 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:40 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r0 = syz_open_procfs(0x0, &(0x7f0000000000)='smaps_rollup\x00')
ioctl$LOOP_GET_STATUS64(r0, 0x4c05, &(0x7f00000000c0))

16:10:40 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:40 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  628.797231][T24148] binder: 24135:24148 ioctl c018620b 0 returned -14
[  628.828904][T24151] binder_alloc: 24137: binder_alloc_buf, no vma
[  628.862934][T24151] binder: 24137:24151 transaction failed 29189/-3, size 24-8 line 3056
[  628.882193][T24141] binder: BINDER_SET_CONTEXT_MGR already set
[  628.928705][T24141] binder: 24135:24141 ioctl 40046207 0 returned -16
[  628.935466][T24138] binder: 24137:24138 Release 1 refcount change on invalid ref 1 ret -22
[  628.980628][T24151] binder: 24137:24151 BC_ACQUIRE_DONE u0000000000000000 no match
[  628.984000][T24148] binder_alloc: 24137: binder_alloc_buf, no vma
16:10:40 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  629.022960][T24148] binder: 24135:24148 transaction failed 29189/-3, size 24-8 line 3056
16:10:40 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x0, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  629.076525][T24152] binder: 24135:24152 BC_INCREFS_DONE u0000000000000000 no match
[  629.115952][T24141] binder: 24135:24141 Release 1 refcount change on invalid ref 1 ret -22
16:10:40 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  629.164496][T24152] binder_alloc: binder_alloc_mmap_handler: 24135 20001000-20004000 already mapped failed -16
[  629.199694][T24148] binder: 24135:24148 ioctl c018620b 0 returned -14
16:10:40 executing program 0:
perf_event_open(0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$kcm(0x10, 0x2, 0x10)
bpf$BPF_PROG_QUERY(0x10, 0x0, 0x0)
sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000001240)="2e0000002a00815fe45ac187185095cf0e00b0eba0b4d65cdbaa98cbb30007fff00000000000000051894d5d1dac", 0x2e}], 0x1}, 0x0)

[  629.213492][T24148] binder_alloc: 24135: binder_alloc_buf, no vma
[  629.252914][T24152] binder: 24135:24152 BC_INCREFS_DONE u0000000000000000 no match
[  629.263568][T24177] binder: BINDER_SET_CONTEXT_MGR already set
[  629.286631][T24148] binder: 24135:24148 transaction failed 29189/-3, size 24-8 line 3056
[  629.295985][T24177] binder: 24166:24177 ioctl 40046207 0 returned -16
[  629.318101][T24167] binder_alloc: 24135: binder_alloc_buf, no vma
[  629.322667][T24141] binder: 24135:24141 Release 1 refcount change on invalid ref 1 ret -22
[  629.344863][T24167] binder: 24166:24167 transaction failed 29189/-3, size 24-8 line 3056
16:10:40 executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
sendto$inet6(r0, &(0x7f0000000280)=':', 0x1, 0x1f4, 0x0, 0x0)

16:10:40 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  629.390634][T24177] binder: 24166:24177 Release 1 refcount change on invalid ref 1 ret -22
16:10:40 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0xffffffffffffffff)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:40 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6800, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:40 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  629.717442][T24205] binder: 24199:24205 ioctl c018620b 0 returned -14
[  629.786622][T24206] binder: BINDER_SET_CONTEXT_MGR already set
[  629.792710][T24206] binder: 24193:24206 ioctl 40046207 0 returned -16
[  629.816105][T24202] binder: 24193:24202 Release 1 refcount change on invalid ref 1 ret -22
16:10:41 executing program 0:

16:10:41 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:41 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm-monitor\x00', 0x1, 0x0)
mkdirat(r1, &(0x7f0000000180)='./file0\x00', 0x81)
r2 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0xffffffffffffd000, 0x200000)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_POOL(r3, 0xc058534b, &(0x7f00000000c0)={0x5, 0x2, 0x8, 0x81, 0x7, 0x40})
mlockall(0x3)
r4 = fcntl$getown(r2, 0x9)
syz_open_procfs(r4, &(0x7f00000001c0)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:41 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f00000000c0)={'team0\x00', <r2=>0x0})
setsockopt$l2tp_PPPOL2TP_SO_SENDSEQ(r1, 0x111, 0x3, 0x0, 0x4)
sendmsg$nl_route(r1, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="1c0000005e00010226bd7000fedbdf2500000000", @ANYRES32=r2, @ANYBLOB="b04069479578b8"], 0x1c}, 0x1, 0x0, 0x0, 0x20000810}, 0x0)
r3 = socket$inet6(0xa, 0x6, 0x20)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$sock_SIOCADDDLCI(r3, 0x8980, &(0x7f00000001c0)={'\x00\x00\x00\x80\x00', 0x3})
mlockall(0x3)
r4 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r4, 0x0, 0x1)

16:10:41 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:41 executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000001a00)='/dev/net/tun\x00', 0x1, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'nr0\x01\x00\x00\xdf\xcf\x00', 0x3001})
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000340)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000e00)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x1f\xf6P\rSj\x95\xd9o\x03\xd4\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&')
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuac\b\x00\xc0F\xfb\xebge_percpu_sys\x00', 0x0, 0x0)
bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000440), 0x4)
ioctl$PERF_EVENT_IOC_SET_OUTPUT(r3, 0x2405, r3)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000500)={r3, r3, 0x0, 0x3}, 0x10)
socket$kcm(0x29, 0x0, 0x0)
r4 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$TUNSETSNDBUF(0xffffffffffffffff, 0x400454d4, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[], 0xfdef)
close(r0)
recvmsg(r3, &(0x7f0000000300)={&(0x7f0000000040)=@tipc=@name, 0x80, &(0x7f00000002c0)=[{&(0x7f00000000c0)=""/80, 0x50}, {&(0x7f0000000240)=""/95, 0x5f}], 0x2, &(0x7f0000000380)=""/86, 0x56}, 0x2)
sendmsg$kcm(r3, &(0x7f0000001780)={&(0x7f0000001480)=@ll={0x11, 0x10, 0x0, 0x1, 0x200000, 0x6, @broadcast}, 0x80, &(0x7f0000001740), 0x0, &(0x7f0000002a40)=[{0x18, 0x0, 0x0, "e5"}], 0x18}, 0xc000)
ioctl$PERF_EVENT_IOC_DISABLE(r4, 0x2401, 0x6)
socket$kcm(0x29, 0x2, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000140)={0xffffffffffffffff, r4, 0x0, 0x0, 0x0}, 0x30)

16:10:41 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  630.191876][T24228] device nr0
 entered promiscuous mode
[  630.455656][T24074] binder: release 24193:24202 transaction 3895 out, still active
[  630.469083][T24242] binder_alloc: binder_alloc_mmap_handler: 24199 20001000-20004000 already mapped failed -16
16:10:41 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  630.501721][T24241] binder: 24199:24241 ioctl c018620b 0 returned -14
[  630.514892][T24242] binder: BINDER_SET_CONTEXT_MGR already set
[  630.534164][T24245] binder: 24199:24245 BC_INCREFS_DONE u0000000000000000 no match
[  630.570377][T24241] binder_alloc: 24199: binder_alloc_buf, no vma
[  630.583017][T24242] binder: 24199:24242 ioctl 40046207 0 returned -16
[  630.594816][T24241] binder: 24199:24241 transaction failed 29189/-3, size 24-8 line 3056
[  630.620495][ T8164] binder: release 24199:24200 transaction 3892 out, still active
[  630.642200][ T8164] binder: send failed reply for transaction 3892, target dead
[  630.659914][T24249] binder_alloc: 24248: binder_alloc_buf, no vma
16:10:42 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6c00, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  630.680171][T24249] binder: 24248:24249 transaction failed 29189/-3, size 24-8 line 3056
[  630.691047][ T8164] binder: send failed reply for transaction 3895, target dead
[  630.715265][T24254] binder: 24248:24254 Release 1 refcount change on invalid ref 1 ret -22
16:10:42 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)='security.evm\x00', &(0x7f0000000100)=@md5={0x1, "09213bc073499dd509f232d70b8ca024"}, 0x11, 0x1)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  630.775083][T24249] binder: 24248:24249 BC_ACQUIRE_DONE u0000000000000000 no match
[  630.833353][T24259] binder: 24256:24259 ioctl c018620b 0 returned -14
16:10:42 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)
ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r0, 0x40106614, &(0x7f0000000000))

[  630.922308][T24257] binder: BINDER_SET_CONTEXT_MGR already set
[  630.946076][T24257] binder: 24256:24257 ioctl 40046207 0 returned -16
[  630.989941][T24257] binder_alloc: 24248: binder_alloc_buf, no vma
[  631.022202][T24257] binder: 24256:24257 transaction failed 29189/-3, size 24-8 line 3056
[  631.041682][T24268] binder: 24256:24268 BC_INCREFS_DONE u0000000000000000 no match
[  631.064193][T24257] binder: 24256:24257 Release 1 refcount change on invalid ref 1 ret -22
16:10:42 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:42 executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000001a00)='/dev/net/tun\x00', 0x1, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'nr0\x01\x00\x00\xdf\xcf\x00', 0x3001})
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000340)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000e00)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x1f\xf6P\rSj\x95\xd9o\x03\xd4\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&')
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuac\b\x00\xc0F\xfb\xebge_percpu_sys\x00', 0x0, 0x0)
bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000440), 0x4)
ioctl$PERF_EVENT_IOC_SET_OUTPUT(r3, 0x2405, r3)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000500)={r3, r3, 0x0, 0x3}, 0x10)
socket$kcm(0x29, 0x0, 0x0)
r4 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$TUNSETSNDBUF(0xffffffffffffffff, 0x400454d4, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[], 0xfdef)
close(r0)
recvmsg(r3, &(0x7f0000000300)={&(0x7f0000000040)=@tipc=@name, 0x80, &(0x7f00000002c0)=[{&(0x7f00000000c0)=""/80, 0x50}, {&(0x7f0000000240)=""/95, 0x5f}], 0x2, &(0x7f0000000380)=""/86, 0x56}, 0x2)
sendmsg$kcm(r3, &(0x7f0000001780)={&(0x7f0000001480)=@ll={0x11, 0x10, 0x0, 0x1, 0x200000, 0x6, @broadcast}, 0x80, &(0x7f0000001740), 0x0, &(0x7f0000002a40)=[{0x18, 0x0, 0x0, "e5"}], 0x18}, 0xc000)
ioctl$PERF_EVENT_IOC_DISABLE(r4, 0x2401, 0x6)
socket$kcm(0x29, 0x2, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000140)={0xffffffffffffffff, r4, 0x0, 0x0, 0x0}, 0x30)

16:10:42 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:42 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  631.508211][T24285] device nr0
 entered promiscuous mode
16:10:43 executing program 1:
socketpair$unix(0x1, 0x7, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock\x00', 0x4000, 0x0)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r1, 0x84, 0x1d, &(0x7f0000000280)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000180)=0x5c6)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGSID(r1, 0x5429, &(0x7f00000001c0)=<r2=>0x0)
sched_rr_get_interval(r2, &(0x7f0000000200))
mlockall(0x3)
getpgid(0xffffffffffffffff)
ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f00000000c0)=<r3=>0x0)
r4 = syz_open_procfs(r3, &(0x7f0000000000)='net/sctp\x00')
sendfile(r0, r4, 0x0, 0x1)

[  631.584995][T24297] binder_alloc: binder_alloc_mmap_handler: 24256 20001000-20004000 already mapped failed -16
[  631.614775][T24296] binder: 24256:24296 ioctl c018620b 0 returned -14
[  631.622362][T24287] binder_alloc: 24286: binder_alloc_buf, no vma
[  631.640227][T24287] binder: 24286:24287 transaction failed 29189/-3, size 24-8 line 3056
[  631.678835][T24297] binder: BINDER_SET_CONTEXT_MGR already set
[  631.685713][T24303] binder: 24286:24303 Release 1 refcount change on invalid ref 1 ret -22
[  631.698055][T24287] binder: 24286:24287 BC_ACQUIRE_DONE u0000000000000000 no match
[  631.717901][T24297] binder: 24256:24297 ioctl 40046207 0 returned -16
[  631.718071][T24268] binder_alloc: 24286: binder_alloc_buf, no vma
16:10:43 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(r0, r0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mount(0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_ASSIGN_SET_INTX_MASK(0xffffffffffffffff, 0x4040aea4, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = socket$inet(0x10, 0x3, 0xc)
sendmsg(r3, &(0x7f0000011fc8)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000000)="2400000004061f001cfffd946fa2830020200a000900010006e700000000a3a20404ff7e", 0x24}], 0x1}, 0x0)
getsockopt$sock_cred(r2, 0x1, 0x11, 0x0, &(0x7f00000000c0))
getsockopt$inet_IP_XFRM_POLICY(r3, 0x0, 0x11, &(0x7f0000000180)={{{@in=@dev, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{}, 0x0, @in=@local}}, &(0x7f0000000100)=0xe8)
write$ppp(r1, &(0x7f0000000440)="734ced3b5e4b3043133a42a979d18064dcce35095fb3ea87cd02cdd3750c277bdb8a1e2da3c2a1354c7c1f44b8808e7b423d98d8a2092f8d4c389f0654a4ac53cb5a0619d68052f788393f4594d5a052c45a4d55afd2308ce79b56640196f166432aa6676ce2fcbc566a4ceb12de16212d4d62bb3d6aba476327893aa724d93e58b1c6c49ca6adfad29f7793deed9c007b3f373472667c4370095af3ecd08875fe06a95fd4b865372aa785f1963085c3b4266774c40239e7eaff9396e89738a2260369ea28a740e6a64f8e81e0c10b1bd51106406403da618485b1b41558eff99be83b6933b7c2af6b6b449637114de324", 0xf1)
getgroups(0x4, &(0x7f0000000280)=[0xffffffffffffffff, 0x0, 0xffffffffffffffff, <r5=>0xee00])
getsockopt$IPT_SO_GET_INFO(r1, 0x0, 0x40, &(0x7f0000000580)={'mangle\x00'}, &(0x7f0000000600)=0x54)
write$FUSE_CREATE_OPEN(r1, &(0x7f0000000380)={0xa0, 0x0, 0x8, {{0x4, 0x2, 0x2, 0xff, 0x10001, 0xffffffffffffff81, {0x3, 0x5, 0x7c4b26ee, 0xc42, 0x9, 0x7551, 0xfffffffffffffffe, 0x2, 0x2, 0x16, 0x20, r4, r5, 0x1, 0x2}}, {0x0, 0x2}}}, 0xa0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
mount(&(0x7f00000002c0)=@loop={'/dev/loop', 0x0}, &(0x7f0000000300)='./file0\x00', &(0x7f0000000540)='9p\x00', 0x20000, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r6, 0x0, 0x1)

[  631.770243][T24296] binder: 24256:24296 BC_INCREFS_DONE u0000000000000000 no match
[  631.796105][T24296] binder: 24256:24296 Release 1 refcount change on invalid ref 1 ret -22
[  631.861476][T24268] binder: 24256:24268 transaction failed 29189/-3, size 24-8 line 3056
16:10:43 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7400, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  631.913121][T24308] netlink: 'syz-executor5': attribute type 1 has an invalid length.
[  631.933182][T24308] netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'.
[  632.064103][T24314] binder: 24311:24314 ioctl c018620b 0 returned -14
[  632.155749][T24316] binder: BINDER_SET_CONTEXT_MGR already set
[  632.183190][T24316] binder: 24311:24316 ioctl 40046207 0 returned -16
[  632.201627][T24312] binder: 24311:24312 transaction failed 29189/-3, size 24-8 line 3056
[  632.257715][T24316] binder: 24311:24316 BC_INCREFS_DONE u0000000000000000 no match
16:10:43 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:43 executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000001a00)='/dev/net/tun\x00', 0x1, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'nr0\x01\x00\x00\xdf\xcf\x00', 0x3001})
r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
close(r1)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000340)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x0)
ioctl$PERF_EVENT_IOC_SET_FILTER(r1, 0x8914, &(0x7f0000000e00)='nr0\x01\x00`\xa1\x9e\xf9\xd2\xc6s\xd9\xa1W\x1c\xb9\xe16\x9b\xcda\xef~Iy:\xe1\x87\x12\xec\xeb\x1d\xaav\x94\x97\x80\v\x7f\xbb\xd3[\x17\f\x10u\x1d9\xae\xb6`\xd8c\xe4\x9b\x8cO;=\xadH\x90+[-l\xfd\n\xbd7,c\xbc\xf5\xd7\r\xf3\xfdM.\x8dD<\x88\xbc\x0eV7\xdd\x82\xfc45\xbe\xd4\xde]i<\x9ax\x1c\x86>\x05\xd8\xa6\xf8h\x9a[\xe2\x92\x16\x06\x1f?\xf5?\x8bk9fx\xe7\xba\x15^\xf9\x15-~C\xb1\xec\xcb#1\xeb\x8e\xb1\xedU\x86\xdc\xf8\xb3\xb0\xb9\x996\x1aD\xff,\"\xc2\xab\xbe\xf4-\xd2N\xab\xe6r3F\xa6\xe4l\x04\x99\xa2\x14B\xd8\xd0\r\xcbW\xf0\x13\xffu\x95\xed\xd0\xff\ai0\xde6u\xd3A\x17\xa4N\xb0\xe4\xf82\x93m\xa4NW\xe4:>6\xbdH\xd2\xa8[\xf4\xfdJ\x80N\x83\xf2\xf3\xcf7\x8aCZ\xf5\xe2\x87\xd4\xe2s7\xb4\xad\xa1\x1b&!\x982\xeck+8Dk;\x95\xfe7q\xe9\xf4,\xa3\x0f\xb2\x1e\x12\xf0\xa3\xd8\xbc-\x85EJ\xf9\xfc\xc0#-\x8f\xd9\tD\x8b\x01\xf4lY=1\xea\x1c\x92de\xe3ZA\x99\a\x9c<\xa4\x11(\xb1|\xb0\x1f\xbf[R+\xe0\xfd\x02\x02*\xda7\xfe\xcc\x14\xb6\xc8\xc8\x83\x18\x83\xb8Z\x11\x06\xf2\xf8g\x02\rR\x9f\x17\xa3P\xf2\r\xd3\xbfQ\xa9\x8c\xfd\xa7\f.68\xa4\x83\xfd?\x87\x94\v\xb4x\xb0|L\x11\x03\x94\xc0\t=\x17\x95P\x89\xf2\xca\x97\xbb\xe0u\x12L\x9b\x1f\xf6P\rSj\x95\xd9o\x03\xd4\x85\x96\xe0\b\xbf\n\x02\x8bS\x9c\xecyl\xec\x9b\xf5\x85\xeb\x80\xfe>\r&')
r3 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuac\b\x00\xc0F\xfb\xebge_percpu_sys\x00', 0x0, 0x0)
bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000440), 0x4)
ioctl$PERF_EVENT_IOC_SET_OUTPUT(r3, 0x2405, r3)
ioctl$PERF_EVENT_IOC_SET_BPF(0xffffffffffffffff, 0x40042408, 0xffffffffffffffff)
bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000500)={r3, r3, 0x0, 0x3}, 0x10)
socket$kcm(0x29, 0x0, 0x0)
r4 = perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$TUNSETSNDBUF(0xffffffffffffffff, 0x400454d4, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[], 0xfdef)
close(r0)
recvmsg(r3, &(0x7f0000000300)={&(0x7f0000000040)=@tipc=@name, 0x80, &(0x7f00000002c0)=[{&(0x7f00000000c0)=""/80, 0x50}, {&(0x7f0000000240)=""/95, 0x5f}], 0x2, &(0x7f0000000380)=""/86, 0x56}, 0x2)
sendmsg$kcm(r3, &(0x7f0000001780)={&(0x7f0000001480)=@ll={0x11, 0x10, 0x0, 0x1, 0x200000, 0x6, @broadcast}, 0x80, &(0x7f0000001740), 0x0, &(0x7f0000002a40)=[{0x18, 0x0, 0x0, "e5"}], 0x18}, 0xc000)
ioctl$PERF_EVENT_IOC_DISABLE(r4, 0x2401, 0x6)
socket$kcm(0x29, 0x2, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000140)={0xffffffffffffffff, r4, 0x0, 0x0, 0x0}, 0x30)

16:10:43 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:43 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  632.537933][T24323] device nr0
 entered promiscuous mode
[  632.570013][T24333] binder_alloc_new_buf_locked: 1 callbacks suppressed
[  632.570021][T24333] binder_alloc: 24324: binder_alloc_buf, no vma
[  632.600374][T24333] binder: 24324:24333 transaction failed 29189/-3, size 24-8 line 3056
16:10:44 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  632.664186][T24326] binder_thread_write: 1 callbacks suppressed
[  632.664200][T24326] binder: 24324:24326 Release 1 refcount change on invalid ref 1 ret -22
[  632.701268][T24309] netlink: 'syz-executor5': attribute type 1 has an invalid length.
[  632.748311][T24309] netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'.
[  632.799180][T24326] binder: 24324:24326 BC_ACQUIRE_DONE u0000000000000000 no match
[  632.808159][T24343] binder_alloc: binder_alloc_mmap_handler: 24311 20001000-20004000 already mapped failed -16
[  632.843721][T24341] binder: 24311:24341 ioctl c018620b 0 returned -14
[  632.889045][T24343] binder: BINDER_SET_CONTEXT_MGR already set
[  632.894707][T24346] binder: 24311:24346 BC_INCREFS_DONE u0000000000000000 no match
[  632.895113][T24343] binder: 24311:24343 ioctl 40046207 0 returned -16
[  632.934158][T24316] binder: 24311:24316 Release 1 refcount change on invalid ref 1 ret -22
[  633.015768][T24341] binder_alloc: 24324: binder_alloc_buf, no vma
[  633.041748][T24341] binder: 24311:24341 transaction failed 29189/-3, size 24-8 line 3056
16:10:44 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7a00, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:44 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  633.317930][T24353] binder: 24350:24353 ioctl c018620b 0 returned -14
[  633.443366][T24351] binder: 24350:24351 BC_INCREFS_DONE node 3911 has no pending increfs request
[  633.545599][T24363] binder: BINDER_SET_CONTEXT_MGR already set
[  633.564028][T24363] binder: 24357:24363 ioctl 40046207 0 returned -16
[  633.612675][T24358] binder: 24357:24358 Release 1 refcount change on invalid ref 1 ret -22
16:10:45 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:45 executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000100)='/dev/fuse\x00', 0x2, 0x0)
mount$fuse(0x0, &(0x7f0000000200)='./file0\x00', &(0x7f0000000300)='fuse\x00', 0x0, &(0x7f0000000400)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}, 0x2c, {'user_id'}, 0x2c, {'group_id'}})
setxattr$trusted_overlay_origin(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.origin\x00', 0x0, 0x0, 0x0)
read$FUSE(r0, &(0x7f0000001000), 0x1000)
write$FUSE_INIT(r0, &(0x7f0000000100)={0x50, 0x0, 0x1}, 0x50)
read$FUSE(r0, &(0x7f00000040c0), 0x1000)
write$FUSE_ENTRY(r0, &(0x7f0000002000)={0x90, 0x0, 0x2}, 0x90)

[  634.062196][T24362] binder_alloc: binder_alloc_mmap_handler: 24350 20001000-20004000 already mapped failed -16
[  634.113212][T24362] binder: 24350:24362 ioctl c018620b 0 returned -14
[  634.113736][T24378] binder: BINDER_SET_CONTEXT_MGR already set
[  634.160284][T24378] binder: 24350:24378 ioctl 40046207 0 returned -16
16:10:45 executing program 1:
uselib(&(0x7f0000000800)='./file0\x00')
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)
write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000940)={0x0, 0x18, 0xfa00, {0x4, &(0x7f0000000900)={<r2=>0xffffffffffffffff}, 0x2, 0xb}}, 0x20)
write$RDMA_USER_CM_CMD_INIT_QP_ATTR(r1, &(0x7f0000000980)={0xb, 0x10, 0xfa00, {&(0x7f0000000840), r2, 0x8}}, 0x18)
r3 = geteuid()
getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000600)={{{@in=@remote, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@ipv4={[], [], @loopback}}, 0x0, @in6=@local}}, &(0x7f0000000700)=0xe8)
syz_mount_image$reiserfs(&(0x7f0000000000)='reiserfs\x00', &(0x7f00000000c0)='./file0\x00', 0x100000000, 0x8, &(0x7f0000000540)=[{&(0x7f0000000100)="60da7acf20255a2af6df01d48d4b4feff62cf48873fad7bf7d1865a0182fc4fe8d0d12", 0x23, 0x7}, {&(0x7f0000000140)="db9a05d211971dab6da723dacdc3d66aaf8046d09b6a778cce1485ca8e378a32c0b7db34b3bc64c1225bdbd26b722c99e02d5ec7ba96eb66be0880b8cead86414c97d97d396ef30d4776fd34bc5d3df91b418363b8b694838727b439cbeb12bd7a6f4ef6f9984e5b235da389c19f29057ce5bdbc0fa7d13f78dc7e33a439497b163119cfbd75dca98203f027cdb7fd1f74896cd79ceb0d5dcd0fc9bb51cd1409fc", 0xa1, 0xfff}, {&(0x7f0000000200)="2527b4e743ae262d00d0d5030353afd4c10bf74efb", 0x15, 0x7cd}, {&(0x7f0000000240)="3765baed6ac30cd9d90a51fde791ffb8b325cd730586d94c9d19f0bb001c2ee8cc919e4416bf39084c1039a4b546cfb56b4c71ebde53a2486cc7fb4987495152e8c235f320b1b17111d2e255192c9cf0b60d955cc30e3e3a9eece9339e8a53405b9b73d128b7bd5eda81807be20e9dc432e99b49d39cc465d8ae320d81808cc5fea3160190c120637f6d1714964196542d", 0x91, 0x3a}, {&(0x7f0000000380)="a1f2c1d9cd3cd2451fed41b56a66e31fc4ff1bd30ecf6cfb7892b3d100100985e149f0b8a095c73e986d8c4851e40d60333d3ba728e01937fbbdf807b640867f97bd293c2f2b5b9dabed378e45fe7f77573e2d25128daffcaba6d406551835336ad91df72962d0f08ad238e57246fe07eaf03b1522839fdf9cf3cf2c2197bcc295fa7664f86005a32fb4e3cbdb6b8008cdcdcb97f075f79b16403a270c0b8dde4d0a457b1f773dc6cf44588bea4c046962ee139eb81fd3af939169fa10f162fce2f271b8d2a0b3eff246e2e1c6c60d", 0xcf, 0x6}, {&(0x7f0000000300)="6181f69dc707b891ec26d170720f0225372cc15ac7ec02657d0873319a8f93ded7cf", 0x22, 0x2}, {&(0x7f0000000480)="527fae3141af3e78086882631337178a146a0b694ea7e2c19cd456787375214117d28164dcf66aab3e66eabf4db22e6ed04077355777a815800d46f3cd95e8bd8b9aa13148ef9ede4df459faf123f8c3ea384e52adc357df95689600f509b54d7570ef8c88487030", 0x68}, {&(0x7f0000000500)="d5f14312aa5d6f05e10394c31cb4fca360cdc45fcde5982574c7ad54f0efa1aa04935e8107d331072ac0f5fdc9edc88b1d0f6efbe81e72069b1e4f", 0x3b, 0x40}], 0x2, &(0x7f0000000740)=ANY=[@ANYBLOB='nouser_xattr,smackfsroot=smaps_rollup\x00,pcr=00000000000000000034,fowner=', @ANYRESDEC=r3, @ANYBLOB=',obj_role=smaps_rollup\x00,euid<', @ANYRESDEC=r4, @ANYBLOB="e036"])

[  634.229400][   T22] binder: release 24357:24358 transaction 3913 out, still active
[  634.257313][ T8164] binder: send failed reply for transaction 3910 to 24350:24353
[  634.275962][ T8164] binder: send failed reply for transaction 3913, target dead
[  634.323064][ T8164] binder: undelivered TRANSACTION_COMPLETE
[  634.348235][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  635.196001][T24387] REISERFS warning (device loop1): super-6502 reiserfs_getopt: unknown mount option "smackfsroot=smaps_rollup"
16:10:47 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x1000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:47 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:47 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:47 executing program 5:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
mlockall(0x4)
r2 = getpgid(0xffffffffffffffff)
r3 = syz_open_procfs(r2, &(0x7f0000000340)='smaps_rollup\x00')
link(&(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='./file0\x00')
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x280000000, 0x10000, 0x3, 'queue1\x00', 0x7ff})
ioctl$UI_SET_MSCBIT(r3, 0x40045568, 0x5)
sendfile(r0, r3, 0x0, 0x1)
ioctl$DRM_IOCTL_AGP_ALLOC(r3, 0xc0206434, &(0x7f0000000280)={0x0, <r4=>0x0, 0x1, 0x1})
ioctl$DRM_IOCTL_SG_ALLOC(r3, 0xc0106438, &(0x7f00000002c0)={0x1, r4})
getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, &(0x7f0000000000), &(0x7f00000000c0)=0x4)

16:10:47 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

16:10:47 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

16:10:47 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  635.899429][T24414] binder: 24397:24414 ioctl c018620b 0 returned -14
[  635.931139][T24412] REISERFS warning (device loop1):  reiserfs_fill_super: Cannot allocate commit workqueue
[  635.941956][T24402] binder_alloc: 24398: binder_alloc_buf, no vma
[  635.971715][T24402] binder: 24398:24402 transaction failed 29189/-3, size 24-8 line 3056
[  636.001689][T24423] binder: BINDER_SET_CONTEXT_MGR already set
[  636.011166][T24402] binder: 24398:24402 Release 1 refcount change on invalid ref 1 ret -22
16:10:47 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

[  636.019942][T24423] binder: 24397:24423 ioctl 40046207 0 returned -16
[  636.037071][T24406] binder_alloc: 24398: binder_alloc_buf, no vma
[  636.058713][T24406] binder: 24397:24406 transaction failed 29189/-3, size 24-8 line 3056
16:10:47 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  636.071480][T24402] binder: 24398:24402 BC_ACQUIRE_DONE u0000000000000000 no match
[  636.094578][T24423] binder: 24397:24423 BC_INCREFS_DONE u0000000000000000 no match
16:10:47 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

[  636.147032][T24406] binder: 24397:24406 Release 1 refcount change on invalid ref 1 ret -22
16:10:47 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
openat$full(0xffffffffffffff9c, &(0x7f0000000240)='/dev/full\x00', 0x4b2000, 0x0)
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r3=>0x0}, &(0x7f00000000c0)=0x8)
getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r1, 0x84, 0x6d, &(0x7f0000000100)={r3, 0xea, "959cfe83a94b6b5becd412758bc39b57b56ba9ca711cd0ea8cc1b73b33cb4bf237447a71200b6d980a04930bff06f5c5b15d7084a65ca72f282a9c5188bd37ff8da5d5ae2c8c0eec4702754e9b21fbab210347c52403da01826d7636d14837fbfae4c31bf704b1c598cc91d152fc12d7cfcf21806c2b760e8fac91ae702e7cd27529f53546c4a826ae6cadcc6ffc1937596cca3f0033680c9de4ef2f0f02d6b9023441ec702b98b639d88f676598320cb42b349e2da48dbd06ab703e1a50ad6ee5543e53460d57685bbe677fdb839bdfef8573d23504c7c7be75753305c49127d85414a04f2689e83093"}, &(0x7f0000000200)=0xf2)

16:10:47 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  636.649955][T24450] binder_alloc: binder_alloc_mmap_handler: 24397 20001000-20004000 already mapped failed -16
[  636.674169][T24436] binder: 24397:24436 ioctl c018620b 0 returned -14
[  636.734068][T24450] binder: 24397:24450 transaction failed 29189/-22, size 24-8 line 2903
[  636.756421][T24455] binder: 24397:24455 BC_INCREFS_DONE u0000000000000000 no match
[  636.777655][T24455] binder: 24397:24455 ioctl c0306201 200003c0 returned -14
[  636.811975][T24454] binder: 24397:24454 Release 1 refcount change on invalid ref 1 ret -22
16:10:48 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x2000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  637.028107][T24463] binder: 24458:24463 ioctl c018620b 0 returned -14
16:10:48 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x8}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
syz_open_dev$sndctrl(&(0x7f0000000000)='/dev/snd/controlC#\x00', 0x7, 0xe4000)
sendfile(r0, r1, 0x0, 0x1)

16:10:48 executing program 0:
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

16:10:48 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:48 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:48 executing program 0:
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

[  637.263707][T24477] binder: BINDER_SET_CONTEXT_MGR already set
[  637.297252][T24477] binder: 24465:24477 ioctl 40046207 0 returned -16
16:10:48 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  637.318445][T24467] binder: 24465:24467 Release 1 refcount change on invalid ref 1 ret -22
16:10:48 executing program 0:
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

16:10:48 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:48 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

[  637.767594][T24499] binder_alloc: binder_alloc_mmap_handler: 24458 20001000-20004000 already mapped failed -16
[  637.801215][T24497] binder: 24458:24497 ioctl c018620b 0 returned -14
[  637.831358][T24499] binder: BINDER_SET_CONTEXT_MGR already set
[  637.862705][T24499] binder: 24458:24499 ioctl 40046207 0 returned -16
[  637.862824][T24463] binder_alloc: 24458: binder_alloc_buf, no vma
[  637.902978][T24497] binder: 24458:24497 BC_INCREFS_DONE u0000000000000000 no match
[  637.930563][   T22] binder: release 24458:24459 transaction 3922 out, still active
[  637.956580][T24463] binder: 24458:24463 transaction failed 29189/-3, size 24-8 line 3056
[  637.965677][   T22] binder: send failed reply for transaction 3922, target dead
[  637.973152][   T22] binder: send failed reply for transaction 3925 to 24465:24467
[  638.026901][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:10:49 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
getsockopt$TIPC_NODE_RECVQ_DEPTH(r1, 0x10f, 0x83, &(0x7f0000000000), &(0x7f00000000c0)=0x4)
sendfile(r0, r1, 0x0, 0x1)

16:10:49 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:49 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

16:10:49 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:49 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x3000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:49 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000000))
r2 = fcntl$getown(r0, 0x9)
r3 = syz_open_procfs(r2, &(0x7f00000000c0)='|maps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

[  638.349555][T24525] binder: 24511:24525 ioctl c018620b 0 returned -14
16:10:49 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, &(0x7f0000a07fff))

[  638.399839][T24515] binder_alloc: 24513: binder_alloc_buf, no vma
[  638.425312][T24515] binder: 24513:24515 transaction failed 29189/-3, size 24-8 line 3056
[  638.433832][T24530] binder: BINDER_SET_CONTEXT_MGR already set
16:10:49 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  638.448225][T24530] binder: 24511:24530 ioctl 40046207 0 returned -16
[  638.476201][T24533] binder: 24513:24533 Release 1 refcount change on invalid ref 1 ret -22
[  638.481552][T24517] binder_alloc: 24513: binder_alloc_buf, no vma
16:10:49 executing program 0:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

[  638.524137][T24515] binder: 24513:24515 BC_ACQUIRE_DONE u0000000000000000 no match
[  638.543257][T24530] binder: 24511:24530 BC_INCREFS_DONE u0000000000000000 no match
16:10:49 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  638.591712][T24517] binder: 24511:24517 transaction failed 29189/-3, size 24-8 line 3056
[  638.595698][T24540] binder: 24511:24540 Release 1 refcount change on invalid ref 1 ret -22
16:10:50 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:50 executing program 0:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

[  638.936996][T24560] binder_alloc: 24554: binder_alloc_buf, no vma
[  638.965872][T24560] binder: 24554:24560 transaction failed 29189/-3, size 24-8 line 3056
[  638.982729][T24555] binder: 24554:24555 Release 1 refcount change on invalid ref 1 ret -22
[  639.020363][T24555] binder: 24554:24555 BC_ACQUIRE_DONE u0000000000000000 no match
[  639.101003][T24544] binder_alloc: binder_alloc_mmap_handler: 24511 20001000-20004000 already mapped failed -16
[  639.128335][T24540] binder: 24511:24540 ioctl c018620b 0 returned -14
[  639.149534][T24544] binder: BINDER_SET_CONTEXT_MGR already set
[  639.172598][T24564] binder: 24511:24564 BC_INCREFS_DONE u0000000000000000 no match
[  639.205861][T24544] binder: 24511:24544 ioctl 40046207 0 returned -16
[  639.211847][T24540] binder_alloc: 24554: binder_alloc_buf, no vma
[  639.258046][T24540] binder: 24511:24540 transaction failed 29189/-3, size 24-8 line 3056
[  639.259107][T24544] binder: 24511:24544 Release 1 refcount change on invalid ref 1 ret -22
16:10:50 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
getresuid(&(0x7f0000000100), &(0x7f0000000140)=<r2=>0x0, &(0x7f0000000180))
lstat(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getgroups(0x6, &(0x7f0000000280)=[0xee01, 0xffffffffffffffff, 0x0, <r4=>0x0, 0xee00, 0x0])
stat(&(0x7f00000002c0)='./file0\x00', &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, <r5=>0x0})
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000300)={0x0, 0x0, <r6=>0x0}, &(0x7f0000000400)=0xc)
lsetxattr$system_posix_acl(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)='system.posix_acl_access\x00', &(0x7f00000004c0)=ANY=[@ANYBLOB="02000000010004000000000002000300", @ANYRES32=r2, @ANYBLOB="040000000000000008000100", @ANYRES32=r3, @ANYBLOB="08000300", @ANYRES32=r4, @ANYBLOB="08000400", @ANYRES32=r5, @ANYBLOB="bedba9b58d08000400", @ANYRES32=r6, @ANYBLOB="10000200000000002000020000000000"], 0x4c, 0x1)
sendfile(r0, r1, 0x0, 0x1)

16:10:50 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:50 executing program 0:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(0xffffffffffffffff, 0xc0045405, &(0x7f0000a07fff))

16:10:50 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
sendfile(r0, 0xffffffffffffffff, 0x0, 0x2)

16:10:50 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:51 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  639.683419][T24584] binder: 24575:24584 ioctl c018620b 0 returned -14
16:10:51 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, 0x0)

16:10:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  639.799851][T24584] binder: 24575:24584 BC_INCREFS_DONE node 3937 has no pending increfs request
[  639.822385][T24587] binder: BINDER_SET_CONTEXT_MGR already set
[  639.844531][T24587] binder: 24586:24587 ioctl 40046207 0 returned -16
16:10:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  639.873287][T24587] binder: 24586:24587 Release 1 refcount change on invalid ref 1 ret -22
16:10:51 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, 0x0)

16:10:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:51 executing program 0:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0)
ioctl$KDGKBLED(r0, 0xc0045405, 0x0)

16:10:51 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x101400, 0x0)
ioctl$PPPIOCDISCONN(r1, 0x7439)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:51 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r3, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r3, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)
ioctl$FS_IOC_SETVERSION(r1, 0x40087602, &(0x7f0000000040))

16:10:51 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:51 executing program 5:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0xf0, 0x7}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  640.427060][T24596] binder_alloc: binder_alloc_mmap_handler: 24575 20001000-20004000 already mapped failed -16
[  640.486173][T24596] binder: 24575:24596 ioctl c018620b 0 returned -14
[  640.516037][ T8164] binder: release 24586:24587 transaction 3939 out, still active
[  640.520796][T24635] binder_alloc: 24575: binder_alloc_buf, no vma
[  640.523946][T24632] binder: BINDER_SET_CONTEXT_MGR already set
[  640.601619][T24635] binder: 24575:24635 transaction failed 29189/-3, size 24-8 line 3056
[  640.667799][T24632] binder: 24575:24632 ioctl 40046207 0 returned -16
16:10:52 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x5000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:52 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:52 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r3, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r3, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)
ioctl$FS_IOC_SETVERSION(r1, 0x40087602, &(0x7f0000000040))

[  640.753835][ T8164] binder: send failed reply for transaction 3936 to 24575:24577
[  640.768315][ T8164] binder: send failed reply for transaction 3939, target dead
[  640.812196][ T8164] binder: undelivered TRANSACTION_COMPLETE
[  640.844804][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
16:10:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:52 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r3, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r3, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)
ioctl$FS_IOC_SETVERSION(r1, 0x40087602, &(0x7f0000000040))

[  640.921676][T24649] binder_alloc: 24644: binder_alloc_buf, no vma
[  640.931153][T24662] binder: 24654:24662 ioctl c018620b 0 returned -14
[  640.938125][T24649] binder: 24644:24649 transaction failed 29189/-3, size 24-8 line 3056
[  640.953229][T24649] binder: 24644:24649 Release 1 refcount change on invalid ref 1 ret -22
[  640.978591][T24658] binder: BINDER_SET_CONTEXT_MGR already set
[  640.992168][T24649] binder: 24644:24649 BC_ACQUIRE_DONE u0000000000000000 no match
[  641.013411][T24658] binder: 24654:24658 ioctl 40046207 0 returned -16
[  641.043926][T24662] binder_alloc: 24644: binder_alloc_buf, no vma
[  641.076443][T24662] binder: 24654:24662 transaction failed 29189/-3, size 24-8 line 3056
16:10:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:52 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r3, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r3, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)
ioctl$FS_IOC_SETVERSION(r1, 0x40087602, &(0x7f0000000040))

[  641.090879][T24658] binder: 24654:24658 BC_INCREFS_DONE u0000000000000000 no match
[  641.106565][T24658] binder: 24654:24658 Release 1 refcount change on invalid ref 1 ret -22
16:10:52 executing program 1:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = socket$kcm(0xa, 0x3, 0x87)
ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200)
r3 = getgid()
stat(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0})
r5 = getgid()
fsetxattr$system_posix_acl(r1, &(0x7f0000000100)='system.posix_acl_default\x00', &(0x7f0000000240)={{}, {0x1, 0x1}, [], {0x4, 0x5}, [{0x8, 0x1, r3}, {0x8, 0x1, r4}, {0x8, 0x2, r5}], {0x10, 0x3}, {0x20, 0x1}}, 0x3c, 0x2)
r6 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup/syz1\x00', 0x200002, 0x0)
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000140)={r6, 0x0, 0x0, 0x0, 0x0}, 0x20)
mlockall(0x3)
openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x200, 0x20)
r7 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r7, 0x0, 0x1)

16:10:52 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:52 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
r1 = semget$private(0x0, 0x0, 0x284)
semctl$SEM_INFO(r1, 0x7, 0x13, &(0x7f00000000c0)=""/118)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:10:52 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  641.682050][T24698] binder_alloc: binder_alloc_mmap_handler: 24654 20001000-20004000 already mapped failed -16
[  641.731499][T24696] binder: 24654:24696 ioctl c018620b 0 returned -14
[  641.761490][T24698] binder: 24654:24698 BC_INCREFS_DONE u0000000000000000 no match
[  641.790674][T24696] binder_alloc: 24654: binder_alloc_buf, no vma
[  641.812124][T24662] binder: 24654:24662 Release 1 refcount change on invalid ref 1 ret -22
[  641.841205][T24696] binder: 24654:24696 transaction failed 29189/-3, size 24-8 line 3056
16:10:53 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:53 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)

16:10:53 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  642.058103][T24718] binder_alloc: 24706: binder_alloc_buf, no vma
[  642.067353][T24718] binder: 24706:24718 transaction failed 29189/-3, size 24-8 line 3056
[  642.087307][T24719] binder: 24714:24719 ioctl c018620b 0 returned -14
16:10:53 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:53 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$EVIOCGVERSION(r1, 0x80044501, &(0x7f00000000c0)=""/152)
r2 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x0, 0x4)
sendfile(r0, r3, 0x0, 0x1)
ioctl$int_in(r2, 0x5452, &(0x7f0000000000))

[  642.164387][T24719] binder: BINDER_SET_CONTEXT_MGR already set
[  642.189492][T24719] binder: 24714:24719 ioctl 40046207 0 returned -16
[  642.200660][T24719] binder: 24714:24719 transaction failed 29189/-22, size 24-8 line 2903
[  642.246221][T24715] binder: 24714:24715 BC_INCREFS_DONE u0000000000000000 no match
[  642.298416][T24715] binder: 24714:24715 Release 1 refcount change on invalid ref 1 ret -22
16:10:53 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  642.379209][T24737] binder: 24728:24737 transaction failed 29189/-3, size 24-8 line 3056
[  642.393097][T24730] binder: 24728:24730 Release 1 refcount change on invalid ref 1 ret -22
[  642.414654][T24730] binder: 24728:24730 BC_ACQUIRE_DONE u0000000000000000 no match
[  642.829081][T24723] binder_alloc: binder_alloc_mmap_handler: 24714 20001000-20004000 already mapped failed -16
[  642.893028][T24723] binder: 24714:24723 ioctl c018620b 0 returned -14
[  642.893861][T24746] binder: BINDER_SET_CONTEXT_MGR already set
[  642.959582][T24746] binder: 24714:24746 ioctl 40046207 0 returned -16
[  642.981284][T24747] binder: 24714:24747 BC_INCREFS_DONE u0000000000000000 no match
[  643.018245][T24723] binder_alloc_new_buf_locked: 1 callbacks suppressed
[  643.018253][T24723] binder_alloc: 24728: binder_alloc_buf, no vma
[  643.054463][T24723] binder: 24714:24723 transaction failed 29189/-3, size 24-8 line 3056
16:10:54 executing program 1:
r0 = dup2(0xffffffffffffff9c, 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000000)={'syzkaller0\x00', {0x2, 0x4e24, @rand_addr=0x100000000}})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000028c0)={<r2=>0x0, @in={{0x2, 0x4e20, @broadcast}}}, &(0x7f0000002980)=0x84)
sendmmsg$inet_sctp(r0, &(0x7f0000002ac0)=[{&(0x7f00000000c0)=@in={0x2, 0x4e24, @empty}, 0x10, &(0x7f0000000140)=[{&(0x7f0000000100)="7e82974c33fe28767c1ed8862432af65e913d68db0e4542d20ef", 0x1a}, {&(0x7f0000000380)="9992a5440a5ab97190f794fc4695bd1a23d2188bf54bae7493d0ed44ed29d1e54b7f0c20d437b90d76cab13990231a3de0cb9de9030f8e31698974a428aeb566eb64deb65d29efec4172699198f1b2c3355e6ab207244a6916683f5d375d2a9bfdfcc929eb28f626d1c9c1d43dd95c2e4bb39744b2b159134f00c1008c33db6ddddfe76f94d0a4104be37f71e733759f3623022679fecc232abf0c0e8a4d9077d0db084958ac13b19fbfa2e3c659f3b3d5712bf9ad86a6949d21b402e1376eeacb32a4f7a2ee2accb213b2d39bfd162cd5c06c47b91d81af0641ac0afd387060189dc3b78c629bc937a5e2c5cc499c33a3d579a71c863fdf0d66e27c7f12aa1aaef27e63426fd7bc216f962128a7d416d48833fa9ba0f8efadd9ed29a046e68799bb52b87f08ae9918ca527c2211373e946e15d05a92aa1ee89b341d16eae4acd1df52b3c078c017139841b18027273b9e976433dcc2bae08b7907a1de2e6e2834912b8bc42a305d205bc8c45a6d7c1d9a3189fe6eaa03a0dc5f38e1a7b59524f23433395cad4a9a51f82d8bf2d7263b9acea444cdafbf1a6704aca1022afba993da9b7be033a406e7b5804042f004c897d218c492b20ee0593ba40e75b5a472e10c86f96391c7a37fe4abb39c62a42239858e9c0d4ad475181846ba159c0696a13e33c0a49e2def0ea6e6a45c20c13e10f99ab262bf26d8d03b7cb544ade90997d5c489d87d1e9b02e86fc4d5c98eb735bd64d93e3caa9ae455174e625de0c4de4da7e9a6c6d5c708b1c000f7e020d433a8883821d7f80cabdbea69a700b8eff6afec9768a7c5a9475f1852f69c0e165c37c865894e28a56c40b83132d797c1ce44db6f8d96334ad81f764e369b4992fb4d1d20d7739fc42d0d9fb6ed2b52c79ca7525d3528b77a6a8d99c904c1f376f08f1e3749ebdfb423c59d563aa73e119f7884016dbd9c018dd0954493b4ed3107fd8ca2a02a9dbb6f2613b79d6c8c01c561fc03ed89d9e0a91a0fe2e8d2e4f025795039abbda517a340e437e677cf810120f4236cb15a1f5898892eed8b3c3cb9a365acbf71c257af1bb470f2ed97921a1843f25e7570c598721e430f3760be7bc3cf72107f11bbbdb7ea50fb43b35aead9b406c769085dae9628b34c7989b6854b9460062776db08b4bbbd3868413871f75f159bbca030b28ea0b7b343335cc46f57081ea787d21029dc9764a0b7bd08da9a0ad5610b4a140262e1d906ee6c4a023f770f8685e124c64916941d22e24d4d069c29860db78e808ac2c7246ae735b177acf0e046a0169eabb0b4e86ec5554242dfaf0903f24c65761d7d62e3dda804ac60c3279d277a9472747202dd22c3328850cdd087bd1637eb6d25198926334e5f6aadf129b53fe2fcb7987df6d62559b3ace6f557f60fd1ccd70f0db36a4fa564c2d32bccc22404398b58e934cf16551f45e06378a90d305bf661f6b52f6532ddd6a56d55ca013c8194f9b3aa42cb01bc3203d72290a0686a86b29f65ece07876c1519cde2075f5513e50520f2af4b80c39ff33178481ee5917defaa751320ba9c1d4c295706b2e44e5649c4dcb3188f930853c4389ba7feeb161f357ec7a6db3d9467ffcef9f2c51c53eb9cbccb9f1ebe53ee44d8e92e5c641f7b4f1568ad68627742292b89378e932c2801460972249e053b5898eff2ef1a14cc3fecafc1ea8cc2dd8ae6f330597a8f51524b22184733af6f7727647f0e2a90fbb94d870e05360c46c94b5cbb5eed89978e126cd85ac9592646c9443d9ac00788bf4e6664391fc98c6a97bbbac27077e4d1e53e2d4a6d17f6f2d5993ba48cd40461a3bcda2f7bf707d1fe7d020e8f963edf87a916136ca5f7f4dffe5111e6966dea4d0bc1c3a67f0a9eec6d1849f51fe8221670cd49ce273acbb37b8fe233fc98c8fc9ce5a65cbaac28bc79f365f4b04768cc16a76fe073745882de38a72531dc55bc88f01fa0aaf97f70041a4d0eaf5144e42c62f737b434eddab86c8df9d3ec86f51184e52f10db4c056424ea2ffa938ec634de9ec22e41552444734309d75f6dcd8cfef2b6787db879ab8dbc65642038107a597287e2e3823c37296e670afe3816eb461fc82c07cd9963c900776c6329de225767d7ce6d12423355577b5fd036017d845329c76d9048233ee8960e8e7504929a92241069bb9f6e132caa56a622ac7588e346af81d97a7ee052ebbcf1d69dd6e56f3c48ff83a351fbb8e0d13ed132cc9f0cbe4bb89348de2e1c8b6e75cb4c92a6fc9215d479ffe979d5bae5eb1ec710c70976f0e406edf3bf28a7c29fe5ca61eeda0452f236b98f7fb2dc042baa5f1f4474ca3758d108969641e6c07c70827c94b33fee1d2279868ac2b83895b012eba3cf0c417216f52a0d7062ff04df2640924875225253942459b6681f9518a1f6ff6abc0e47986be738b19943ac2c10e60c91fb1a3cb64421aa68d274a9af0fb7559706ffe2a27c2f0c35b252a7bb03a609f463a670d0a6b7c03d1fe2ab88828b9ab9df29e788ab89b1f873a361163f83921258651006704b12490d623e7b24c68d2765019b50aecfc78dbc0ba8e144c4ccbc82b626b93de98d1ae3d7764f5d9bec1b6b83123ad05eb0d942786f514e1b175865e49271d78678ee14141db431b0dbb6b61e707c35babbfa5dafc7d05cf45b34217df3b9a019984c0cac34339294815ac10c24e0a3cb8dff590ad3a3536522b11ac22c28cf59a87cd844aab98c44304b323a7d099f81c08fd2905abc20d03571e6370d3582851c417d0bc7f16c1bf6eef3214b1edd878a4e66bf78512f4956dfde3066ca66948e6de365a958b500f5bd3cf489bcba6e6ea90823c98dcb62be8d5b3bddbd6ad8bd06199ed9accc888b39154ef27644dba1f027b37171cd512a5cd8207f1bdd1ecccbcfd3012e933e76489ad61d99a1fe0787bd2daa4ef58e39050a4883d787d83e3e88ba33bfcc8ad484e88a83b01d06f9f47756f15461b4f3c3e9c895646e35a63c3912be60cec26e411fc374eaa5066f0efca2992256dc42ffd72fca0fea48e76640f3d27455d5d7a1d3b3476e38807c7408fe72c21a87f3cda3b09fc842af847ed087ec166fe271e0fcd3557506ed7633eb5e0ff74c2330c25116b47cf319678b75cdaf21dce7e9ac62da4dfb3941adb4140ce182534ae5fb41f558049e4d4a56528269d77073be211737016f60fce6652e5fe62bc549c4359b5a26f333452126d1add3dc797f21badecd52d2d7785920051e6e0fed6ed1005b77a2869a9e820a0fbccc1378bcbbe65b2fb8daf305d0660f6c0f1214afc07152d78c61bb4c66da0c56ccaa064b154004ecfb0ff6941de08130654755d68f483b596b3a77ed3419e722ef73d00c6ed2edd15140fe202e29df9a38fde460e4b6a63fc9f525b75f6c712b1dbdf8d3f3a801627078dfa1c69361e9d5174912826a680a6c8557c59b605b7f4dd05e06a35f40c5fb6016f388c6e73fe92a21874ad7d58f452cfb7fdb9a48090241a827e9f6d0c182ea37af03c53b3dae0c16382c1b2a6693ee04d19daa5048408416e4a5b70766d60bd02c4c93612635bd4ca324d8e3435fd0c91979cea9d919626ff58506701853b68503d503b73c69f4bcaee117f1dc02e557e3b9c62bcd1fda1be45dd421a686701e24ecf8b9781dfb5cdf8c9a16c1ea1f7f7163c3dbb8c4b4230a5d0d75ec9446c029e56f0dc5e4881cc4c8607be2aa55d8b39a277f6add21dfe10f94972ddfb00619dd5bcd58a4bcc50a5946f36ced2e6fcaebfe0ce0c8dc3c6aa97f8cb3c96bf33d4f0c8a1b7a033c31e90df08549f8410dd05f4da599a1a21da77af4fbba898c41ba12c74cd3bf8551ca8d27e63a69a5cd3fb1e9a5a0a7fc8fc85aab5a69fa336a8ec83ce12b591dfb27b1169ad16d331f0544b90db1f3d1fde9ffce61c4cc6e814596a8d31a5b0c0ab24977972f18bb549b1d2b4d4ca5afbe8421ac48c866ce3f4d651cb9c06585a0c7e61d249546dffc9f4ac1665e36eca65b43e23fd73c270597ddc31d5f631501df9fc989bb14cd588b3f8b134f8e7f1af0a3c128215b1c55d68213b1d49a0de73ff8579cdfc78bf140c71cd1a25df73e7f973ddeb571ce31d39f45ed6aca90a0e16b1c49b47a5e9813dd18996c2d6980e0b466bc37d0243030fb6a0bf2dd7c0cec0c47192584a85a074b5356c5804e5171edfafb85308c5eee518fa2fcff882165d2c460262266b05b9145b6c0a3bbf424b86e79372899d3f71f5c12939508d1467e8a654f9fa182d6fff34a9f142d11a329238713a11ef9a2773e9e14fb16645851fa2af71c8209e1a105f6a36861af69f31f7307461c341b825d04777e2cea9669a0f165b3e6a9c9956e1f0b788d7f9798b7a01eccf5d3b1ca887f62647f08b175aa761dec0dc4bff82613916657cab8e6f69f858b4109ebec65c0d09c21a3e3e3e72108ea649614806b3d24448f92fdb010ab5364db60f507f376d65efce856717330b40d5588080f5c55c786aeee75131192b9c29f3b80dd552694b8fcf61af77650cba75197f40ca42eb025d7d90a51e8db5ff5be9db9050137eed24516b1fdc095416df426866dcc5cd4ccd087c60d0094102c4c341c28e9fa6385ae154b28154b9796f385c1f3f024eed00fb250c33253d132cce08f610b7d5ddb46161f93ae6d8f54beef58f02cc84fc718bddf5d4db4a4736e4c1ca8ede9a638ca2c3c81e949dcad135bf605280dbc63fdf54531b41aeba92e6562067689781963a520ae33891d41dc0b286ac83a63346259087fe77f428c6d535b68db306ead710a04208e25b830efdc270739b266704ab5c5902caf97d719b20b214a2b92b9e557791ad4a5f223516aabc66e41adc2f5582c48b15a7ceb02fd55cb1cabb8ec888e7e3e9cdcb7771b1a7b1bf0a4b503d3ed99ec2f97abe80d382a17ce88b8ce1d17d151fec8a2ebe6ff54d5e6a385e610c4bdffcc76071fafc7b5cc5b3717657dc1f2d246b50e6eb4601124c25617cd168ec9a1d45d2bcbd724812c0ff2f26adcebcea7dc57e8898cc43be2b7d0fdac2cc7f41a8f33ae1bb39d40d8a319c7c7f88e90a3bd63e71b33c9dd625fae8d523cfee4aafb107276811a6b4217cba2c5454473dfa6f3aa9d2bf565655115ad952b06de4435473a2c4b8e725708ed358998baab029ade9bd4864ef4615f8ea8c05ceb0d2393957bd4750b5e841ba120936ae11f768192637e70e3476930459420297ce020baf362e80713353435c0b61cdba6cdd6cedf367aafb2f57bdebe1200a7316564de22680880f706d0ecd130d6a7c7c1811d2882108e11b88544e2cd48510ac7e20d523d8e4cdbf7584ccd0282ce6746312080836c97a7c7121212bdc653e2d50474f077adaa453d665b571f04c331864002a0048d53cb21354ac018da43d73db7833c4d971745d93d2a96a342b2eec5b4afd0a192323a0b0d3577d6a85fbe8b9137dd90234f5fe2c75cb3343b677826f9f692b7660c431e6b67069ba277a607a6237836678dbb5670d2aee0f3bb4aaa8ca1b4abe90b947eaf2f48a44e477817e8c74f51fa10a2f7e24af5b762fc896ce66d70429f306b008681c8152e98a022c3816d3b81e3d2f9cdf2a85ef7c54a2b13b9d8454ef32f8dfd6ea9051875d416b556015b93de0b1bc0bc4d5b931abb61f39a966347d4b80e308343518b9c6d57fe30a4ffabc2893302a0e79ca29fca15ac880f859ef8f8a265a9fa8ff7dafabff78bad7b8669fd72d3bddb0f3644c22161e13c7782c815613e0b005ae2e25d1da5e7be9801b57de2ffbe038e35f21", 0x1000}], 0x2, 0x0, 0x0, 0x800}, {&(0x7f0000000180)=@in6={0xa, 0x4e20, 0x4, @remote, 0x100000001}, 0x1c, &(0x7f00000002c0)=[{&(0x7f00000001c0)="d546a4290c256463c54835084a51d64805aca3129fb57126e8e9a8d7f1e5e6971788e464de3fe1bf1c33bb99e0e41c04b1dcbaf5529b04fc05f865c7d21b8e7009cdcd81bc55cae5a95b3fe054780d857e461d1246806eff6c3a99bad1852248d5a630c7fc9c72c0a577759484ad3a04d8a0e938e506af3f480dd657686eaa4329dd310e6b193e1d5e1e2d26c7b4f551da87e17def589066ad843333c19e1b3e6bc6cabd3d9809413609f19e273484507c62f8ffad0affae78ca22e2ce82650176b9ea8c17ed6c2282b495f79519", 0xce}], 0x1, 0x0, 0x0, 0x40000}, {&(0x7f0000000300)=@in6={0xa, 0x4e20, 0xf1f6, @ipv4={[], [], @local}, 0x100000001}, 0x1c, &(0x7f0000002800)=[{&(0x7f0000001380)="9f7468ecdb455108dc4689ce", 0xc}, {&(0x7f00000013c0)="b4db20f12be2387f910fa0888e21331373f5715c2cdf3e6a9c0c6e00c3c69438c50812cab5bafb259bbc2c9de7733b54fcc0dd1104ba3191914f6b8a4e5130dfc8164050a61d1f2898159a2999f8f505b58795392ecc1a9f5a6b5620ac513cf5c88db1aface45f306b7f7142efdc705007aa2a331fd838802cdca1af9c493f8d4a910300506dd00255c1495cf8ef27a15fb09ae00f5dbe694dab4b76106c81a31db0e4c75cb959b3343c9bde1f6d28f6c8f7", 0xb2}, {&(0x7f0000001480)="c26074388d7e52b974cdd004a93b4a8e539dabc201b9b912b788d4fb56e27702255f6266520259eed72f651d9adc195f78119b097ff899150c7736ff2a21edfce0591af6670a41f8f3deb9956668f46045cad4db2e37e532ceb1e35db453dac9e449d856bf4b7d3882868036", 0x6c}, {&(0x7f0000001500)="24a50bc0c0afec1e0571f5ba0a9f668eb336d65303cbb80cd5cad35ca88f88e072870298524d4e76921a91a7ecb13aecbeab33bda7ff79e0f86e3e9a2fc2acf99df41450a7a5bd2c69b1fde007674323d594cd08085c6557d9066555b4e5ea0bf23b0cf31a0dc0beb34e25fa839d2d08fc556535c927dcd8cd02bcf4221b0564c6b8b9fd", 0x84}, {&(0x7f00000015c0)="58fb8eb29fb6643152c6c8f4f36e06c1be26f51358bdc49368141239d508bc3bb8579214", 0x24}, {&(0x7f0000001600)="b0ea8ad76074022a6f63fc3c95bae2676f209561448c892d06f8abc95e10e30cf36d800cfc44cecb1d13d881d242f43dc32a2f33e94ab91d9c8e927455d6b9427167a3d910ecb6a9b19ce6a8889c7074a1c0fc4b99dfcfebd9697bf2e80123a6835718742ea7b02590e0dd759ba1f9ed4c4d2ba5980e333749e0c192bddffc1cf775bcb8d80b7598d71caac7cc46820ca265cef72ac5cc488708012c82b28fa01ed9d9db5eb15c15a580f3feeac3e81a32f9ded1ba69c534fa4ccb155b611591f7efc524cc9d4285980f0fe42ded11c4edd4261c7efe4b645075d0c207717cb7543431e0581469a0c2d0", 0xea}, {&(0x7f0000001700)="7a2d6813dd3726f95f73df48b09b96451a03e8f8b2414c9366b2aa6bd80297205f490deb01575ad9b5354c87685223ddf46a7d487f7e53ca9137d5a416642c6c7cc0c7d44f27dac031806aa93d8100779a39ea9230ec8fa722d8376f550260445a80f48c00ba4184d2ee7062c4546f7c84f252eca4e65bad0031d245c740ab58059c00bf", 0x84}, {&(0x7f00000017c0)="103727a8bea6ec54ab9bcc1ada492d84bf8e753d7841d39f4c5246641058ba868db43aac7e09eb5baa", 0x29}, {&(0x7f0000001800)="e76b4a17cf818518c6c08a87acb83da325427ee49c1f604934aaf2e9b8f4634ea9e62fb425bd357d41cf179f7203f19e726a76c8bc1feb90fc2a29a18c1a9e4bb0ac8059d925fdc44549e40f5c363328b1f2284631ffb927cd2b81a8188ce2708ce972052f01bcd83722b601ebfa00eef3ebee4e40ad7472681f262791a3fc7715e857bd90a3dc1225546b0e17001070e20e37385114335b2ea0a516cb22e1f11a9a181bcd2e374229cf329459355fcc53a6422665b0df14efc7e817174e4530df16d71bb687fd5ed35e01ea295eeb627381052ae8372e38cbf1909fbb3c128f6e3ff0cc6ede0345bc9627bf96a0d98f450a7c17cf79ac12cc0bb629750695b7ccb331ca73435deb4964b173f81b9e9c96e3b7e3f69f6c5e8141b37389d05fc1fa3db7ad8c4c44f12a11208e8ab2e2b09bd48cc8c258f47f5d0262d47e6e1fe9132e224fd432b8c2ada6f1f6e70f2741b07ea3aa1ea66e85cd477566c2ecd752018acd87f78e155ea8c1296b6b00a614696abb2c6ff436b62503371162018cf7ddb90fbbeb83330c8278045415a267ea4b3b04d5bcdb082d88f616728093b765a413ef904cbbb5f62cd8d82a91f98af4ce51c1127b410e80f2c56677af5c1d577f95f3d58d175a4becf15e0876605b30313771b1d0ebd385c72682dedf93dc34e1f1d4d0bb200cd24f2f1dfd1c7b03e6de951ab0fdee49ac823e969e5acf8b6bc0329a2439a7b01c67cf6bfb84f5fa21b786f5b69d62b3c0af9ed32df7eb6e8a407c3f65e32872b225c1ec0b7825d11fa4ca66c7e4b3f503971766cb2a56ccbcf9c9594c5738966dc131a1af27c5d33041cdb5af030edf36cb99029c20e2e60eadfb96732ca3bf344557cf221fff8ffc94806e69a758d749099aaae260ce4f50fb991ee1eaa47177863ca2a914549ffe615482ccdbd6142f36ab19906eb4ee1796cb95defbbaa04d776c0573a9b3bc6857cd5a218f05e38222ae80f0b6736917de4156f014381946a2a8c65271b04b11436de33483018ac36a1319efac73d8711888f40154adfef9d9323499dfef03be42192a26e4ef7c3a73f546e91ffd6d1d81f7b1e7df3530737cb4d3efd4b99cdf120258ffd518bca0e350e68349c925da388fa2ab3d9bc1871fb089fd8ce34ee10b46a7279c12603da3b661a8488bb4405f9597d4a6e8f8b299bed6fd6c03e611c776e128c5034a6279775b16b5bd7c9fe4739828f361fa299b7d0cfab8bf7e7cf164de8d1299024076f8ca58f37ec089394c2dfbb6eb49025b29293595427eeb248761e139df23cf79e9112118343db22c84a356fe9499c2d628a2019f95f59e963a76b385693f6d94edd3c85f8105bef2255551afa5648b434c1aebf05d88d2819a6dc6e44aef3f4adaba2953fda728cb5229cfb7b70d0c3c6e672e92135e23ac1c5eb0dd5cda86eff0a5b42d9654a8d232a976e299e6a8124b1fd7e2aaf23c6f43092d28eeb52338e32c824cf1111b7406d8e6173064a89241595de3a5f95711a9407297112088ada18f689069172fd3e0166248a9e4af6cc1b37d244b7293d6794595c3f0957bf0305d30cdf76fa643619a1bd0751fb232e472df0cb0de3426d92a368ba722a9c76fab04e52649bff930c9c2b5844b27026304437dc59e6554a01312aeabefe019c2f5538c61ff78b47dd3b81ad04de5001b9839e6ec657f80e234a765decb655bd9c5c2e385a4a3992dada257449d84c4630ff2c7ef7d9a3e618ffcaa87ef6d26ee2f7aba40ad836ba07b576a55c2767bec84cf7df3fc097d4d1e04a6cbe744b855ffd6e3802bf4ef42fa596a7da952f3f5634f68eafeab752c53397bc51c0856933cd64b4cc2d07dc6331d66423458ccfe369e3297035489583a5ce8a2f3cebcab3105d1bb1612e005ab9420950af9bae23b6e5794275a49fd07fb52c4e358a4b3abd37a9169f48b876025caf463122fc32031ea69d781a99c616f348c1503031968bca9328a17c3c88467d14c2e415a506c37e833085506a05866d415c1efde630b4cce3205fdfaeb75bafaa75d889ff0bf61567373c6ee96a699bb6433c65c5b324df6638b49f3190b27085f0766e268d37d816202950778bac03b5984147d8fbb03718779b7e66c5c45e8f3894a974f24c4bd392bd20bcd81b5368e253c5f8d0e9d04baa5298e20a41d983f8dbd6d5a569f6cd81fc22f65f680c3aaeb3d3fc6bdc3d06ea8f1d1cb7d02dedf516054717f2c33d31f436bea8c186855827e328627899cdac0cea7b227f113f5af2f3d24dac3192fdfc32e3eb688f1fb1bfaea60976905ac3cf98df374ea95386cf6a3c38b8e7e6ccdd83794b5891380189bf55b456d22fc844b88828379a09835a7445c774b62a3899bc0043b1c79f2d5dce3eab9fda10063dc361c03a00fb9c42eb192e12f9841c6db763f8038aa90224db9fc218c59c51ab72789b1770edb1765abcf3b3efed598b2231d4f96cf2a09cfd68d6cb9a4cb22fcc6d13a6f458781877781d239c90feccd57fa7e0bf0d7d4a30c8ca3b025bcb1df50de859b8584732557f7c6f489693a260bc2c809fb64a5e996331d3a24107cb9efdc084dc4612fb0a14fb984b34d09e75260c72789cd4d784e83eb396de1578be3e642f66e2acbfe6bb656a57c98e43d1cc5b7cdbdfa3a67853dfabd444424cf05299821069a4d0eef4eaf00530458b226e02defafb240c38adf99d6da403d4b9e6bb21bcc47d8e49a2bfa780526500da4c2de6b1b9367f2537561480779b56aa16c985bb184eb8fbe1f591191c85badda3e185665f31169e15c655bc101365163d7654b2d0da25211da2d0bf53047c45489f9e50324de1a7e138ce47188ec5b7aa88421e3fd6c642043c555edad21289d1f370f84067660eb83cea16cce0de6b9cdb479b34e607394cceef9239983a075f6774100b94ad0818a45bc5815b32d4016ead06803ca87516ab09f9d27a68331aa9d44a74975ac3f5d522a0c2c05ef53afa6af1b1318e4c87248a87298b46258659c798593662b8b79545a6022c1725ec0e3500d4bb8a8c2dcdc669663075334fcaa5bcbf1d88cd5ac127f6efcf5297da3e30ccf01129534090ccdaaf983a9352a831a714ec60a6bc1b59653c5f4f8c0cbb4f161cac3a4162e397a78e73de4a957f48a56cd7ed6ef55885ebdcec2e8a14e28ae8fd2eab52d6deae4c88fda6de5186178cb45a998ae574750087a7ccf46d702997d39cc2376f65fee87fb23ad60b5c4fe13b8da504ed940665551895845a1c047c8493527f2ccb366e232aa83263a065f09d69c1970b55848bf3e50aa29276e861d181ef69fbcc94391f0c7d74a90adb9fb72d3a115be23556bc0246c556c19e2cb29d0ec2e11961c3af9f95dead1ba9686f0b725716b236d6524780441de0121fdf9b8be23516eddc39a49cd3526cadfb4b2344edbe0170176121cf6303d496ebcfaa17adb8e31c5cd77e3488a44cb6dd91d7a6019204379af0185678f7821f1443d4c31c1c167322e380310bd789972ec9c3249e210eb7dbf9cb6430e4179fa24a3dc6d249f55dc621680e8c8ce3ed860cf957495c743c52406da79d998342dc0a32a43c3a8d04c765888219224421d2de42b1f99d83e67673d65c519f8117682ff47996fa8ebd12fb1fe64965ef7253bdab317845828746819830d5b8c85336cab28adf39ec14e780702a434220c72aafc329d092ba03acb7d4c417fcfb190b767d6f3e4db1411028de8c18c8c7c9ee94289bb70fcb303ea47e0b32a9f4b6ee5e6644bf15f654607e8c4edfbb92001db48c93948680ec6f277c789e41ff733e37f3a86b98c80b5281c964ea0cd81f1b832a7e1d72eb93df1d26736f730f4e780f20142d361c9b6126364ddcc2bf1a784ab68d8ab151cc754f0ab62d1a1c9a7bda444f525be7782e1c6f0eb3fb89c44ecfd30b11a361ec4d85840fe8cabdb0ed97265ca7ea194eebfa8af10a45cb2a57c86ae9505793e23126b5048ec4616a4e8f089424dd253b74ea4210e1d0d83674300d537eff707a8a0f199a0b2be0c87f7268fe0846f3cf00442876926bc0451791543d7043befc9c8f5d7487c36bc89ab771fa993691a2835ef2bacf744cdc54891b724cd244269628ce52e634cd445e81e6a7b882363963595cb07ed30fe54448100d40149a725855793ee14693f3d19fa3e69f611aca0b7b94e121991d8f2a5b6204f44dce1eb754d89ebbbbab04d1a881fd5f36e4af336eb2f5208b2c77ad7381773aef6cf2eda8a67a5bbcd4defa03d698b2a19f3e0629ebde0889b807e59f2f21fd53dbfee95febd21298827593f8e780c3f4bfbeb3cbba0ca435818b52b53d37eebc11b44f044103f89c64ef7e2c9b870576cab6c5b157c0ec186b802401a3a6b523950125405e730509608a80b1f6df9d745d46abf21da616ff0966d568d9a25a7c83461f7debc60025beac5f5a358077fd48866225016696dbf53e96ed797b882d2d082659bb544a508ba4fc4902a27cdb8f6711b61f07b8c5b71101f9b36eed3b097cbafb9a3269373646b006d2ff472c397202c87fcc71121dbea394c974895974c781e03fbcee1cb228f597ba9052a58eee4795e0f167837599990a4448fd2a671353b179e5af15320ac613b8408d2133dd6179f77635edccf28376a77b2f338e0e5572a28a1ff7fce63fd9478acac56f2e80a2b4c5eefaa7adf8ce66f4f3af989edbea3f198fb373f99a72d96a7e0b5772da75422dd6b7a6dd2a34ba163867334005d06784db08a2e76a78410602acabc31d944f026e8ecdbf5a53cd18830f509acc2001f660d4aff70dfbc5819c73cb7f40aa6ef60bcb400674ba4385d81bef89ad1739903b083633cdaf719e58bd5891f2687aad2522870fe5099c8191fd4619763b401a33a99e26836af7cba5d10a19c0e3623cae398c5dd814344342f618d601604cf78fdcdaa876159f62bb1afbf826849aff312ae906a2111a0762a6cc250715e8c72624d7c41b8fa20cdb2353ca6ca061e8c8af0a7652e611085527938c22eaa8d8ccc9e19e92276d36dc4a0d8979fa53c4232d872731a1ee3bd898e416736941608199ff89568abbc62bd85ecc0d8eef5fa4ac2b217d1bfa0449dafe451b70ffadeaab96a0e100dd6cc7d7a53969e1ae700e93108876899a4e59deab8512f97661aaf10461b841d4811d32be1456762ca62be26ff2ac4b33b43dae280a7391ae678270aace330041490ca2c2b54b04e825a8a6986a35614636c1edbe7dd240eb7fa695bd07c1dbe939f5ef33e20b83d167194d00639f6d1d423839271987aca962525cd5dba80da4bc409b8c8afb02c6d3c3851b7185ff91178fe8231251d1d8d55fccdfe54fb4b386d2f20deddb262da18cdd45d9cddeee8f47d4a01eb606e2db100ee5ca7d25e558249ea9a65492a729fada8885336babe69041018f79b9b731d0d5568cbefc3230e167772bac545aa8f3f72398839ad3b8f082eba27d77748e74d6b6f135355c77258db86fbf12f7258ba7ae1a17987bfca045d5faac0c6bbe780b795061be146503c8fd3c37c7cf555c52aefd301f36d830a5d19a0e959fbc69afebfa7575a5a1cf8511028fc5bf751f394dd4f2ed2679b03fe2c885a289c32e5b8e02d2866748d36da0cc1221535a0e7445076b8ef46c395689f0020d7a423bc9340e5f54eea9b603a877b3f6a2b53da2634a95fb938cc82015299234a301ec09b8e911079de9c4d88a158adc7f0e07d6ccb4feec465574190b74192b40514b1b03c934b59a846041ee6102183381049c5cbdeeb179385e4d64ab06a19a370", 0x1000}], 0x9, &(0x7f00000029c0)=[@prinfo={0x18, 0x84, 0x5, {0x0, 0x8}}, @sndrcv={0x30, 0x84, 0x1, {0x0, 0x20, 0x800a, 0x5d76, 0x0, 0x2, 0xcb, 0x4, r2}}, @dstaddrv4={0x18, 0x84, 0x7, @remote}, @authinfo={0x18, 0x84, 0x6, {0x800}}, @dstaddrv4={0x18, 0x84, 0x7, @initdev={0xac, 0x1e, 0x0, 0x0}}, @dstaddrv6={0x20, 0x84, 0x8, @rand_addr="df5345894c169166f89ff8cbdca3c837"}, @prinfo={0x18, 0x84, 0x5, {0x20, 0x2}}, @dstaddrv4={0x18, 0x84, 0x7, @rand_addr=0x1}], 0xe0, 0xc0}], 0x3, 0xc000)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)

16:10:54 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)

16:10:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:54 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$EVIOCSKEYCODE_V2(r1, 0x40284504, &(0x7f0000000000)={0xffffffff, 0x9, 0x5, 0x1, "969d05de186bebc03f434f949d25a19f744a35968c9a5148f001b5b48fe81c43"})
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
ioctl$VIDIOC_TRY_FMT(r2, 0xc0d05640, &(0x7f0000000240)={0x8, @win={{0x4, 0x0, 0x400, 0x1}, 0x0, 0x1ff, &(0x7f0000000100)={{0x10001, 0xe0000, 0x9, 0x6}, &(0x7f00000000c0)={{0x385, 0x7fffffff, 0x9, 0x7ff}}}, 0xe5be, &(0x7f0000000140)="dbd7989ab18cedf42f429d81bf94f925da8cbb48476c7b6295a0f6743213da777eb762626b5398442cd3fd7f41dff0784a381b0cfeb16a9f87d31f1aaa9b7bf02e1b59842709a21250ea59a3885bea92ce675630febcea8ea8efdcfb6ca06c1d3c82b53800a58de02e9f4ce60ae61956ad64ccf22379ee055be0edd3dfa228f62c30d71cd60e410fd6c443a60e0e97fa9f83b0c73740cca7367c82b87aa0cd973fbbc78ed745c31b34ac5dc45b9a417416313f7cc6760435c0fe0e3fe114b588d0d85fe3afed3ceaf6a89ba36639", 0x1}})

16:10:54 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:54 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:54 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  643.445109][T24773] binder: 24758:24773 ioctl c018620b 0 returned -14
[  643.510879][T24777] binder: BINDER_SET_CONTEXT_MGR already set
[  643.512336][T24773] binder: 24758:24773 BC_INCREFS_DONE node 3956 has no pending increfs request
[  643.529734][T24777] binder: 24761:24777 ioctl 40046207 0 returned -16
16:10:55 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  643.829409][T24786] binder: BINDER_SET_CONTEXT_MGR already set
[  643.847667][T24786] binder: 24785:24786 ioctl 40046207 0 returned -16
[  643.901452][T24786] binder_thread_write: 1 callbacks suppressed
[  643.901466][T24786] binder: 24785:24786 Release 1 refcount change on invalid ref 1 ret -22
16:10:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:55 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  644.166030][T24805] binder_alloc: binder_alloc_mmap_handler: 24758 20001000-20004000 already mapped failed -16
[  644.252857][T24804] binder: BINDER_SET_CONTEXT_MGR already set
[  644.254467][T24809] binder: 24758:24809 ioctl c018620b 0 returned -14
[  644.307259][T24782] binder_alloc: 24758: binder_alloc_buf, no vma
[  644.313559][T24782] binder: 24758:24782 transaction failed 29189/-3, size 24-8 line 3056
[  644.406632][T24805] binder: 24758:24805 BC_INCREFS_DONE u0000000000000000 no match
[  644.416514][   T22] binder: release 24785:24786 transaction 3958 out, still active
[  644.424327][   T22] binder: release 24758:24759 transaction 3955 out, still active
[  644.481713][   T22] binder: undelivered TRANSACTION_COMPLETE
[  644.489981][T24804] binder: 24758:24804 ioctl 40046207 0 returned -16
[  644.543704][ T8164] binder: send failed reply for transaction 3955, target dead
[  644.593334][ T8164] binder: send failed reply for transaction 3958, target dead
16:10:56 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x800, 0x0)
getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r1, 0x6, 0x23, &(0x7f00000000c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000}, &(0x7f0000000100)=0x10)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x7)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE(r1, 0xc0045540, &(0x7f0000000180)=0xffffffff)
sendfile(r0, r2, 0x0, 0x1)
ioctl$VIDIOC_G_SELECTION(r1, 0xc040565e, &(0x7f0000000140)={0xd, 0x0, 0x7, {0x0, 0x401, 0xffffffff, 0xb3}})

16:10:56 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)

16:10:56 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:56 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
bind$netrom(r2, &(0x7f00000000c0)={{0x3, @default, 0x6}, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast]}, 0x48)
mlockall(0x3)
syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r0, 0x0, 0x1)

16:10:56 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x10000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  644.892079][T24836] binder: 24824:24836 ioctl c018620b 0 returned -14
16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  644.979142][T24830] binder: BINDER_SET_CONTEXT_MGR already set
[  644.994362][T24830] binder: 24828:24830 ioctl 40046207 0 returned -16
[  645.022132][T24830] binder: 24828:24830 Release 1 refcount change on invalid ref 1 ret -22
16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:56 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r0, 0x0, 0x1)

16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:56 executing program 5:
socketpair$unix(0x1, 0x400002, 0x0, &(0x7f0000000000))
socket$inet(0x2, 0x6, 0x1)
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$PIO_UNISCRNMAP(r0, 0x4b6a, &(0x7f00000000c0)="7a5e8180986d6e6ef90fa42e374c317c7a9865acbc98d127d112455d5ba614a49acd374fbc051323e2b7638bd667d23c782c1d7d133d03be58cc3ea2894a06b0a202a895ef5dc1dea271b52c5f6ae33082053d3e51ce19c655a073f56505fa69b5d6bfbfba8a0c6e8acca429c461c45d541b2bb7e6b56e8125f7bcf41438744a6e747e2c364fa7418a515885c265b4d4c532305692d5d670256e1c35c011be5550ddf44c5d5a0f264acc8eb005e227feb55a")
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$PPPIOCGIDLE(r0, 0x8010743f, &(0x7f0000000180))
mlockall(0x3)
syz_open_procfs(0x0, &(0x7f0000000200)='sm\x00')

16:10:56 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  645.645340][T24879] binder_alloc: binder_alloc_mmap_handler: 24824 20001000-20004000 already mapped failed -16
[  645.666031][   T22] binder: release 24828:24830 transaction 3966 out, still active
[  645.684480][T24878] binder: 24824:24878 ioctl c018620b 0 returned -14
16:10:57 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:57 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  645.706234][T24879] binder: BINDER_SET_CONTEXT_MGR already set
[  645.724734][T24882] binder: 24824:24882 BC_INCREFS_DONE u0000000000000000 no match
[  645.802730][T24881] binder_alloc: 24824: binder_alloc_buf, no vma
[  645.803398][ T8164] binder: release 24824:24826 transaction 3963 out, still active
[  645.826231][T24879] binder: 24824:24879 ioctl 40046207 0 returned -16
16:10:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  645.846062][T24881] binder: 24824:24881 transaction failed 29189/-3, size 24-8 line 3056
[  645.856130][ T8164] binder: send failed reply for transaction 3963, target dead
[  645.888085][ T8164] binder: send failed reply for transaction 3966, target dead
16:10:57 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x20000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:57 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  645.933035][T24899] binder_alloc: 24888: binder_alloc_buf, no vma
[  645.962641][T24899] binder: 24888:24899 transaction failed 29189/-3, size 24-8 line 3056
[  645.978385][T24892] binder: 24888:24892 Release 1 refcount change on invalid ref 1 ret -22
16:10:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:10:57 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  646.117291][T24916] binder: 24909:24916 ioctl c018620b 0 returned -14
[  646.131952][T24912] binder: BINDER_SET_CONTEXT_MGR already set
[  646.139625][T24912] binder: 24909:24912 ioctl 40046207 0 returned -16
[  646.161242][T24912] binder: 24909:24912 transaction failed 29189/-22, size 24-8 line 2903
[  646.208324][T24916] binder: 24909:24916 BC_INCREFS_DONE u0000000000000000 no match
16:10:57 executing program 1:
r0 = socket$isdn(0x22, 0x3, 0x10000023)
fcntl$getflags(r0, 0x408)
r1 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x3, 0x200040)
setsockopt$inet_sctp_SCTP_HMAC_IDENT(r1, 0x84, 0x16, &(0x7f00000000c0)={0x1, [0x1ff]}, 0x6)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r2, r3, 0x0, 0x1)

16:10:57 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  646.261303][T24925] binder: 24909:24925 Release 1 refcount change on invalid ref 1 ret -22
[  646.362231][T24923] binder_alloc: 24922: binder_alloc_buf, no vma
[  646.373016][T24923] binder: 24922:24923 transaction failed 29189/-3, size 24-8 line 3056
[  646.389993][T24923] binder: 24922:24923 Release 1 refcount change on invalid ref 1 ret -22
[  646.407768][T24923] binder: 24922:24923 BC_ACQUIRE_DONE u0000000000000000 no match
16:10:57 executing program 5:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:10:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:57 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:57 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:58 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:58 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  646.869195][T24954] binder_alloc: binder_alloc_mmap_handler: 24909 20001000-20004000 already mapped failed -16
[  646.911846][T24925] binder: 24909:24925 ioctl c018620b 0 returned -14
[  646.956470][T24954] binder: BINDER_SET_CONTEXT_MGR already set
[  646.993473][T24954] binder: 24909:24954 ioctl 40046207 0 returned -16
[  646.993585][T24925] binder_alloc: 24922: binder_alloc_buf, no vma
16:10:58 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x3f000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:58 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:58 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:10:58 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  647.136077][T24916] binder: 24909:24916 Release 1 refcount change on invalid ref 1 ret -22
[  647.151120][T24960] binder: 24909:24960 BC_INCREFS_DONE u0000000000000000 no match
[  647.161107][T24925] binder: 24909:24925 transaction failed 29189/-3, size 24-8 line 3056
[  647.340635][T24980] binder: 24970:24980 ioctl c018620b 0 returned -14
[  647.372211][T24984] binder_alloc: 24971: binder_alloc_buf, no vma
[  647.398604][T24984] binder: 24971:24984 transaction failed 29189/-3, size 24-8 line 3056
[  647.437324][T24976] binder: BINDER_SET_CONTEXT_MGR already set
[  647.443351][T24976] binder: 24970:24976 ioctl 40046207 0 returned -16
[  647.542310][T24976] binder: 24970:24976 transaction failed 29189/-22, size 24-8 line 2903
[  647.582949][T24976] binder: 24970:24976 BC_INCREFS_DONE u0000000000000000 no match
[  647.624766][T24976] binder: 24970:24976 Release 1 refcount change on invalid ref 1 ret -22
16:10:59 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f00000000c0)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fffffff, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x3)
r1 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x3, 0x2)
utimensat(r1, &(0x7f0000000040)='./file0\x00', &(0x7f0000000140)={{0x0, 0x2710}, {0x77359400}}, 0x0)
mlockall(0x3)
ioctl$VIDIOC_SUBDEV_S_EDID(r1, 0xc0285629, &(0x7f0000000240)={0x0, 0x6, 0x7, [], &(0x7f0000000280)=0x2})
ioctl$VIDIOC_RESERVED(r1, 0x5601, 0x0)
ioctl$TIOCGSID(r1, 0x5429, &(0x7f0000000180))
r2 = getpgid(0x0)
r3 = syz_open_procfs(r2, &(0x7f00000001c0)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

16:10:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:10:59 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:59 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r0 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:59 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
dup2(r0, r0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
lremovexattr(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)=@random={'user.', 'smaps_rollup\x00'})
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000100), &(0x7f0000000140)=0x4)
sendfile(r0, r1, 0x0, 0x1)

16:10:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  647.939504][T25007] binder_alloc: 24994: binder_alloc_buf, no vma
[  647.960831][T25007] binder: 24994:25007 transaction failed 29189/-3, size 24-8 line 3056
16:10:59 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r0 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  648.021606][T24995] binder: 24994:24995 Release 1 refcount change on invalid ref 1 ret -22
[  648.066140][T25007] binder: 24994:25007 BC_ACQUIRE_DONE u0000000000000000 no match
[  648.093814][T25015] binder_alloc: binder_alloc_mmap_handler: 24970 20001000-20004000 already mapped failed -16
16:10:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  648.135943][T25014] binder: 24970:25014 ioctl c018620b 0 returned -14
[  648.167694][T25015] binder: BINDER_SET_CONTEXT_MGR already set
[  648.196236][T25015] binder: 24970:25015 ioctl 40046207 0 returned -16
[  648.208674][T25014] binder_alloc: 24994: binder_alloc_buf, no vma
[  648.266648][T25020] binder: 24970:25020 BC_INCREFS_DONE u0000000000000000 no match
[  648.276180][T25015] binder: 24970:25015 Release 1 refcount change on invalid ref 1 ret -22
[  648.283997][T25014] binder: 24970:25014 transaction failed 29189/-3, size 24-8 line 3056
16:10:59 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x48000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:10:59 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:10:59 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r0 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:10:59 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  648.570281][T25044] binder_alloc: 25033: binder_alloc_buf, no vma
[  648.609487][T25044] binder: 25033:25044 transaction failed 29189/-3, size 24-8 line 3056
[  648.644673][T25050] binder: 25043:25050 ioctl c018620b 0 returned -14
[  648.657195][T25034] binder: 25033:25034 Release 1 refcount change on invalid ref 1 ret -22
[  648.704244][T25044] binder: 25033:25044 BC_ACQUIRE_DONE u0000000000000000 no match
[  648.710800][T25050] binder: BINDER_SET_CONTEXT_MGR already set
[  648.739777][T25050] binder: 25043:25050 ioctl 40046207 0 returned -16
[  648.764964][T25047] binder_alloc: 25033: binder_alloc_buf, no vma
[  648.774454][T25047] binder: 25043:25047 transaction failed 29189/-3, size 24-8 line 3056
[  648.793043][T25047] binder: 25043:25047 BC_INCREFS_DONE u0000000000000000 no match
16:11:00 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snapshot\x00', 0x2a400, 0x0)
sendfile(r0, r1, 0x0, 0x1)

16:11:00 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:00 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:00 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
getsockopt$rose(r1, 0x104, 0x7, &(0x7f0000000000), &(0x7f00000000c0)=0x4)

16:11:00 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:00 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:00 executing program 0:
getrandom(&(0x7f0000000180)=""/120, 0x78, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:00 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  649.391851][T25053] binder_alloc: binder_alloc_mmap_handler: 25043 20001000-20004000 already mapped failed -16
[  649.444273][T25053] binder: 25043:25053 ioctl c018620b 0 returned -14
[  649.444472][T25080] binder_alloc: 25043: binder_alloc_buf, no vma
[  649.516304][T25084] binder: 25043:25084 BC_INCREFS_DONE u0000000000000000 no match
[  649.563236][T25080] binder: 25043:25080 transaction failed 29189/-3, size 24-8 line 3056
[  649.572458][T25085] binder_alloc: 25081: binder_alloc_buf, no vma
[  649.588982][T25085] binder_thread_write: 1 callbacks suppressed
[  649.588996][T25085] binder: 25081:25085 Release 1 refcount change on invalid ref 1 ret -22
16:11:01 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4c000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:01 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  649.677889][T25085] binder: 25081:25085 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  649.801384][T25106] binder: 25100:25106 ioctl c018620b 0 returned -14
[  649.897210][T25103] binder: BINDER_SET_CONTEXT_MGR already set
[  649.968701][T25103] binder: 25100:25103 ioctl 40046207 0 returned -16
[  650.001644][T25103] binder_alloc: 25081: binder_alloc_buf, no vma
[  650.023112][T25103] binder: 25100:25103 Release 1 refcount change on invalid ref 1 ret -22
16:11:01 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000000)=<r1=>0x0)
sched_getparam(r1, &(0x7f0000000140))
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r2, r2, 0x0, 0x8001ff)

16:11:01 executing program 0:
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:01 executing program 5:
r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2)
ioctl$DRM_IOCTL_SET_UNIQUE(r0, 0x40106410, &(0x7f0000000140)={0x7a, &(0x7f00000000c0)="fabf834988cdff676b1610893dca6bb8c5244a44363135fd1c6e0931bb48ada78edb3bfa655961a560d0a379dfbc897c1b8102b33437435638d53a3139b24e40f8bf8822b83640c53181413b4c483f3ef22a2f32ed8ef337ddd2795cbe168c9a9e5234dbcd8b8d6abbee2c179250722a8f63b670ad4c606b0902"})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

16:11:01 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:01 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  650.551949][T25128] binder_alloc: binder_alloc_mmap_handler: 25100 20001000-20004000 already mapped failed -16
[  650.596054][T25127] binder: 25100:25127 ioctl c018620b 0 returned -14
[  650.628012][T25128] binder_alloc: 25100: binder_alloc_buf, no vma
[  650.636041][T25138] binder: BINDER_SET_CONTEXT_MGR already set
16:11:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:02 executing program 0:
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  650.644820][T25127] binder: 25100:25127 Release 1 refcount change on invalid ref 1 ret -22
[  650.660334][T25138] binder: 25121:25138 ioctl 40046207 0 returned -16
[  650.682354][T25123] binder_alloc: 25100: binder_alloc_buf, no vma
16:11:02 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x60000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  650.764955][T25123] binder: 25121:25123 Release 1 refcount change on invalid ref 1 ret -22
16:11:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:02 executing program 0:
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  650.871349][T25153] binder: 25148:25153 ioctl c018620b 0 returned -14
[  650.977124][T25149] binder: 25148:25149 BC_INCREFS_DONE node 3995 has no pending increfs request
16:11:02 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:02 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:03 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup3(r0, r0, 0x80000)
ioctl$PPPIOCSMRRU(r2, 0x4004743b, &(0x7f0000000000)=0x8)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$EVIOCGMTSLOTS(r2, 0x8040450a, &(0x7f0000000180)=""/150)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
setsockopt$inet6_MRT6_ADD_MFC(r3, 0x29, 0xcc, &(0x7f00000000c0)={{0xa, 0x4e21, 0x4, @dev={0xfe, 0x80, [], 0x1a}, 0xff}, {0xa, 0x4e21, 0x40, @mcast2, 0x3ff}, 0x7, [0x7, 0x8983, 0x80, 0x5cd, 0x6, 0x3, 0xffd, 0x7]}, 0x5c)
ioctl$TUNSETOFFLOAD(r3, 0x400454d0, 0x18)
sendfile(r1, r3, 0x0, 0x1)

16:11:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:03 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:03 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:03 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r0, 0x0, 0x1)
syz_open_dev$admmidi(&(0x7f00000001c0)='/dev/admmidi#\x00', 0xfffffffffffffff9, 0x40000)
r1 = add_key$keyring(&(0x7f0000000140)='keyring\x00', &(0x7f0000000180)={'syz', 0x1}, 0x0, 0x0, 0xffffffffffffffff)
add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000000c0)={'syz', 0x2}, &(0x7f0000000100)="43d62371963331242942e796ff026ed190cc575004264d7ecd040480dfff2f0be7b7448ccdde0aeaffd27327976645fd", 0x30, r1)
socket$alg(0x26, 0x5, 0x0)

[  651.627070][T25179] binder_alloc: binder_alloc_mmap_handler: 25148 20001000-20004000 already mapped failed -16
[  651.644122][T25178] binder: 25148:25178 ioctl c018620b 0 returned -14
[  651.657385][T25179] binder: BINDER_SET_CONTEXT_MGR already set
16:11:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  651.714092][T25195] binder_thread_write: 3 callbacks suppressed
[  651.714106][T25195] binder: 25148:25195 BC_INCREFS_DONE u0000000000000000 no match
[  651.716165][T25149] binder_alloc: 25148: binder_alloc_buf, no vma
[  651.752873][T25179] binder: 25148:25179 ioctl 40046207 0 returned -16
[  651.769923][T25182] binder: 25148:25182 Release 1 refcount change on invalid ref 1 ret -22
[  651.794064][T25149] binder_transaction: 4 callbacks suppressed
[  651.794079][T25149] binder: 25148:25149 transaction failed 29189/-3, size 24-8 line 3056
[  651.804332][T25185] binder: BINDER_SET_CONTEXT_MGR already set
16:11:03 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  651.815981][T25185] binder: 25184:25185 ioctl 40046207 0 returned -16
[  651.857144][T25185] binder_alloc: 25148: binder_alloc_buf, no vma
[  651.863449][T25185] binder: 25184:25185 transaction failed 29189/-3, size 24-8 line 3056
16:11:03 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x68000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  651.934184][ T8164] binder: send failed reply for transaction 3994 to 25148:25153
[  651.953850][ T8164] binder: undelivered TRANSACTION_COMPLETE
[  651.957803][T25185] binder: 25184:25185 Release 1 refcount change on invalid ref 1 ret -22
[  652.005836][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  652.042756][T25185] binder: 25184:25185 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:03 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  652.111354][T25219] binder: 25212:25219 ioctl c018620b 0 returned -14
16:11:03 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  652.221853][T25227] binder_alloc: binder_alloc_mmap_handler: 25212 20001000-20004000 already mapped failed -16
16:11:03 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  652.263641][T25219] binder: 25212:25219 ioctl c018620b 0 returned -14
[  652.298296][T25224] binder: BINDER_SET_CONTEXT_MGR already set
[  652.335381][T25227] binder: 25212:25227 BC_INCREFS_DONE u0000000000000000 no match
[  652.378013][T25213] binder: 25212:25213 transaction failed 29189/-3, size 24-8 line 3056
[  652.403910][T25219] binder: 25212:25219 Release 1 refcount change on invalid ref 1 ret -22
[  652.435153][T25224] binder: 25212:25224 ioctl 40046207 0 returned -16
[  652.496944][   T22] binder: release 25212:25224 transaction 4000 out, still active
[  652.509002][   T22] binder: send failed reply for transaction 4000, target dead
16:11:04 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffff9c, 0x89e2, &(0x7f0000000000)={<r2=>r0})
ioctl$sock_bt_hidp_HIDPCONNDEL(r2, 0x400448c9, &(0x7f00000000c0)={{0x1000, 0x7, 0x101, 0xc701, 0x8}, 0x6})
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)

16:11:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:04 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140))
r0 = dup(0xffffffffffffffff)
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:04 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6c000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:04 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:04 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
socketpair(0x3, 0x5, 0xfff, &(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
getsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f00000000c0), &(0x7f0000000100)=0x4)
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x6)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
r3 = add_key$user(&(0x7f0000000140)='user\x00', &(0x7f0000000180)={'syz', 0x2}, &(0x7f00000001c0)="ca105eba63d3ed451e2ae75e9ee4b29fbc40355dfc728187fc1ce90e0316f35f479fc37ef26abc214c7f0d526b7c1836afbd7240fc320662a47c5c0372631321219d4968e42060b7e8af92bebec14ec30287b7be8f5f507475c5fe2a55b7665d8180b0748e49ac5d8f69f081d496c5810fccb5e8d9b08fe0910f26a6586575d443165263bdbacbc34acece6541fe5d1e6e7541461082dfe6a8cf5de06aa818bd38154d24db150e4c12147336581eabd06e4a8d57f6c17052b57d884aac2930c7cd591ade21f95fa2f6d00108", 0xcc, 0xfffffffffffffff9)
r4 = request_key(&(0x7f0000000380)='cifs.idmap\x00', &(0x7f00000003c0)={'syz', 0x2}, &(0x7f0000000400)='user^\x00', 0xfffffffffffffffc)
keyctl$instantiate_iov(0x14, r3, &(0x7f0000000300)=[{&(0x7f00000002c0)}], 0x1, r4)

16:11:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  653.091997][T25268] binder: 25256:25268 ioctl c018620b 0 returned -14
[  653.102128][T25269] binder: 25251:25269 transaction failed 29189/-3, size 24-8 line 3056
[  653.128344][T25260] binder: BINDER_SET_CONTEXT_MGR already set
[  653.134354][T25260] binder: 25256:25260 ioctl 40046207 0 returned -16
16:11:04 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:04 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0xe, 0x0, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xab, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)
io_setup(0x0, &(0x7f0000000000)=<r2=>0x0)
ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r1, 0x40106614, &(0x7f0000000200)={0x0, @speck128})
io_cancel(r2, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x7, 0xff, r0, &(0x7f00000000c0)="3e79b2ed06a9197f74be828da27379282b06207d4b99d6b25a20e06d45dd694bf0f6bf5b5a1d4211381e8f64c7a3bf1034da116103a8ac0955622af2979633cff16d4ed1cf16c5a9b5b255d701ce580bf4da04e0c1ce20025e842bded2925aa2ed0210efa690d65c39202f2b74b1bee86bd673394f93f530c8e96d1a7323e015e5cb567d7988382c0c", 0x89, 0x2, 0x0, 0x3}, &(0x7f00000001c0))

[  653.138271][T25254] binder: 25251:25254 Release 1 refcount change on invalid ref 1 ret -22
[  653.191525][T25268] binder: 25256:25268 transaction failed 29189/-3, size 24-8 line 3056
16:11:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  653.250427][T25269] binder: 25251:25269 BC_ACQUIRE_DONE u0000000000000000 no match
[  653.271651][T25281] binder: 25256:25281 BC_INCREFS_DONE u0000000000000000 no match
[  653.302471][T25260] binder: 25256:25260 Release 1 refcount change on invalid ref 1 ret -22
16:11:04 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:04 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  653.837239][T25301] binder_alloc: binder_alloc_mmap_handler: 25256 20001000-20004000 already mapped failed -16
[  653.884795][T25281] binder_alloc_new_buf_locked: 3 callbacks suppressed
[  653.884802][T25281] binder_alloc: 25256: binder_alloc_buf, no vma
[  653.948121][T25301] binder: 25256:25301 BC_INCREFS_DONE u0000000000000000 no match
[  653.972911][T25304] binder: 25256:25304 Release 1 refcount change on invalid ref 1 ret -22
[  653.996174][T25303] binder: 25256:25303 ioctl c018620b 0 returned -14
[  654.012386][T25281] binder: 25256:25281 transaction failed 29189/-3, size 24-8 line 3056
16:11:05 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x100, 0x0)
ioctl$VHOST_SET_LOG_BASE(r1, 0x4008af04, &(0x7f0000000100)=&(0x7f00000000c0))
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:05 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200)
r1 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r1, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r1, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:05 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:05 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x74000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:05 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
setsockopt$SO_RDS_TRANSPORT(r1, 0x114, 0x8, &(0x7f0000000000)=0xffffffffffffffff, 0x4)

16:11:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  654.325311][T25331] binder: 25320:25331 ioctl c018620b 0 returned -14
[  654.343936][T25333] binder_alloc: 25312: binder_alloc_buf, no vma
[  654.362627][T25333] binder: 25312:25333 transaction failed 29189/-3, size 24-8 line 3056
16:11:05 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x0)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  654.377954][T25314] binder: 25312:25314 BC_ACQUIRE_DONE u0000000000000000 no match
[  654.406234][T25322] binder: BINDER_SET_CONTEXT_MGR already set
[  654.421350][T25322] binder: 25320:25322 ioctl 40046207 0 returned -16
[  654.447355][T25322] binder_alloc: 25312: binder_alloc_buf, no vma
[  654.475679][T25322] binder: 25320:25322 transaction failed 29189/-3, size 24-8 line 3056
16:11:05 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x0)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:05 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  654.493572][T25342] binder: 25320:25342 BC_INCREFS_DONE u0000000000000000 no match
16:11:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:06 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x0)
r2 = semget$private(0x0, 0x20000000103, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:06 executing program 1:
socketpair$unix(0x1, 0x1f, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$adsp(&(0x7f00000000c0)='/dev/adsp#\x00', 0x4, 0x40000)
ioctl$sock_TIOCINQ(r1, 0x541b, &(0x7f0000000180))
write$P9_RWSTAT(r1, &(0x7f0000000140)={0x7, 0x7f, 0x2}, 0x7)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:06 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x0, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:06 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  655.063586][T25376] binder_alloc: binder_alloc_mmap_handler: 25320 20001000-20004000 already mapped failed -16
[  655.101224][T25375] binder: 25320:25375 ioctl c018620b 0 returned -14
[  655.154919][T25376] binder_alloc: 25320: binder_alloc_buf, no vma
[  655.227439][T25342] binder_thread_write: 2 callbacks suppressed
[  655.227458][T25342] binder: 25320:25342 Release 1 refcount change on invalid ref 1 ret -22
[  655.279581][T25384] binder: BINDER_SET_CONTEXT_MGR already set
[  655.291675][T25382] binder: 25320:25382 BC_INCREFS_DONE u0000000000000000 no match
[  655.302540][T25384] binder: 25380:25384 ioctl 40046207 0 returned -16
[  655.314259][T25376] binder: 25320:25376 transaction failed 29189/-3, size 24-8 line 3056
[  655.330069][T25384] binder: 25380:25384 transaction failed 29189/-22, size 24-8 line 2903
[  655.359407][T25384] binder: 25380:25384 Release 1 refcount change on invalid ref 1 ret -22
16:11:06 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7a000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:06 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x0, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:06 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x5, 0x80000)
dup2(r2, r0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)

[  655.384161][T25384] binder: 25380:25384 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:06 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x0, 0xffffffffffffffff)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:06 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  655.564852][T25400] binder: 25397:25400 ioctl c018620b 0 returned -14
16:11:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:07 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  656.271769][T25430] binder_alloc: binder_alloc_mmap_handler: 25397 20001000-20004000 already mapped failed -16
[  656.282332][T25429] binder: 25397:25429 ioctl c018620b 0 returned -14
[  656.289847][T25430] binder: BINDER_SET_CONTEXT_MGR already set
[  656.296330][T25429] binder: 25397:25429 Release 1 refcount change on invalid ref 1 ret -22
[  656.306166][T25431] binder_alloc: 25397: binder_alloc_buf, no vma
[  656.307640][   T22] binder: release 25397:25403 transaction 4016 out, still active
[  656.313096][T25430] binder: 25397:25430 ioctl 40046207 0 returned -16
[  656.341894][   T22] binder: send failed reply for transaction 4016, target dead
16:11:07 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, @perf_bp={0x0}, 0x0, 0x1, 0x0, 0x0, 0x0, 0x9, 0x6}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00000000c0)=""/249, &(0x7f00000001c0)=0xf9)
r1 = syz_open_procfs(0x0, &(0x7f0000000000)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:11:07 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:07 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:07 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, r0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$VIDIOC_S_FMT(r1, 0xc0d05605, &(0x7f00000000c0)={0x2, @vbi={0x100, 0x0, 0x4, 0x32314752, [0x3], [0x2, 0x40], 0x1}})
syz_open_dev$media(&(0x7f00000001c0)='/dev/media#\x00', 0xff, 0x20000)
openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x80000, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$EXT4_IOC_PRECACHE_EXTENTS(r2, 0x6612)
sendfile(r1, r2, 0x0, 0x401)

16:11:07 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x100000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:07 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:07 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  656.511183][T25455] binder: 25443:25455 ioctl c018620b 0 returned -14
[  656.571967][T25447] binder_alloc: 25446: binder_alloc_buf, no vma
[  656.585394][T25444] binder: BINDER_SET_CONTEXT_MGR already set
[  656.590683][T25447] binder: 25446:25447 Release 1 refcount change on invalid ref 1 ret -22
[  656.599696][T25444] binder: 25443:25444 ioctl 40046207 0 returned -16
16:11:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:08 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(0x0, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  656.649771][T25444] binder_alloc: 25446: binder_alloc_buf, no vma
[  656.681790][T25444] binder: 25443:25444 Release 1 refcount change on invalid ref 1 ret -22
16:11:08 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, 0x0, 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:08 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  657.254365][T25486] binder_alloc: binder_alloc_mmap_handler: 25443 20001000-20004000 already mapped failed -16
[  657.296413][T25485] binder: 25443:25485 ioctl c018620b 0 returned -14
[  657.314035][T25486] binder_transaction: 3 callbacks suppressed
[  657.314051][T25486] binder: 25443:25486 transaction failed 29189/-22, size 24-8 line 2903
[  657.400219][T25465] binder: 25443:25465 Release 1 refcount change on invalid ref 1 ret -22
[  657.421975][T25489] binder_thread_write: 3 callbacks suppressed
[  657.421987][T25489] binder: 25443:25489 BC_INCREFS_DONE u0000000000000000 no match
16:11:09 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000000)=<r2=>0x0)
r3 = syz_open_procfs(r2, &(0x7f00000000c0)='ns\x00')
ioctl$TIOCGPGRP(r3, 0x540f, &(0x7f0000000100))
ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000140))
fcntl$getownex(r0, 0x10, &(0x7f0000000200)={0x0, <r4=>0x0})
r5 = syz_open_procfs(r4, &(0x7f00000001c0)='smaps_rollup\x00')
sendfile(r1, r5, 0x0, 0x1)
write$capi20_data(r5, &(0x7f0000000180)=ANY=[@ANYBLOB="1000752b00803100030000000000000012000a0c47fb760ff93f1f83039cb1dd876ba626"], 0x24)

16:11:09 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, 0x0, 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:09 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:09 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$VIDIOC_G_FMT(r1, 0xc0d05604, &(0x7f00000000c0)={0x9, @sdr={0x34565559, 0x1}})
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:09 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x200000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:09 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, 0x0, 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  657.733997][T25513] binder: 25499:25513 ioctl c018620b 0 returned -14
16:11:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  657.810327][T25505] binder: BINDER_SET_CONTEXT_MGR already set
[  657.823855][T25505] binder: 25496:25505 ioctl 40046207 0 returned -16
[  657.838217][T25513] binder: 25499:25513 BC_INCREFS_DONE node 4026 has no pending increfs request
16:11:09 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100), 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  657.876127][T25505] binder: 25496:25505 Release 1 refcount change on invalid ref 1 ret -22
16:11:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:09 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100), 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:09 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0xffffffffffff8c61}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
r3 = getpgrp(0xffffffffffffffff)
migrate_pages(r3, 0x1f, &(0x7f0000000000)=0x9, &(0x7f00000000c0)=0x7)
sendfile(r1, r2, 0x0, 0x1)
fcntl$getownex(r0, 0x10, &(0x7f0000000100))
getsockopt$packet_int(r2, 0x107, 0x10, &(0x7f0000000140), &(0x7f0000000180)=0x4)

16:11:09 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100), 0x0)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:09 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  658.481947][T25554] binder_alloc: binder_alloc_mmap_handler: 25499 20001000-20004000 already mapped failed -16
[  658.513485][T25553] binder: 25499:25553 ioctl c018620b 0 returned -14
[  658.522267][T25554] binder: BINDER_SET_CONTEXT_MGR already set
16:11:09 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:09 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$FIBMAP(r0, 0x1, &(0x7f0000000000)=0x6)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  658.542572][T25557] binder: 25499:25557 BC_INCREFS_DONE u0000000000000000 no match
[  658.603479][T25554] binder: 25499:25554 ioctl 40046207 0 returned -16
[  658.605817][   T22] binder: release 25496:25505 transaction 4028 out, still active
[  658.635639][T25553] binder_alloc: 25499: binder_alloc_buf, no vma
[  658.643517][T25553] binder: 25499:25553 transaction failed 29189/-3, size 24-8 line 3056
16:11:10 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x300000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:10 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  658.645731][   T22] binder: release 25499:25502 transaction 4025 out, still active
[  658.678913][   T22] binder: undelivered TRANSACTION_COMPLETE
[  658.695761][   T22] binder: send failed reply for transaction 4025, target dead
[  658.750478][   T22] binder: send failed reply for transaction 4028, target dead
[  658.769992][T25575] binder_alloc: 25565: binder_alloc_buf, no vma
[  658.786687][T25575] binder: 25565:25575 transaction failed 29189/-3, size 24-8 line 3056
16:11:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:10 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  658.817619][T25566] binder: 25565:25566 Release 1 refcount change on invalid ref 1 ret -22
[  658.845506][T25581] binder: 25576:25581 ioctl c018620b 0 returned -14
[  658.886280][T25566] binder: 25565:25566 BC_ACQUIRE_DONE u0000000000000000 no match
[  658.922840][T25578] binder: BINDER_SET_CONTEXT_MGR already set
16:11:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  658.946329][T25578] binder: 25576:25578 ioctl 40046207 0 returned -16
[  658.971379][T25578] binder_alloc: 25565: binder_alloc_buf, no vma
16:11:10 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{}], 0x1)
semop(r2, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  659.007927][T25578] binder: 25576:25578 transaction failed 29189/-3, size 24-8 line 3056
[  659.064492][T25581] binder: 25576:25581 BC_INCREFS_DONE u0000000000000000 no match
[  659.087094][T25578] binder: 25576:25578 Release 1 refcount change on invalid ref 1 ret -22
16:11:10 executing program 1:
socketpair$unix(0x1, 0x100000001, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
openat$ppp(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp\x00', 0x101003, 0x0)
ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c)

16:11:10 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:10 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:10 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  659.595663][T25624] binder_alloc: binder_alloc_mmap_handler: 25576 20001000-20004000 already mapped failed -16
[  659.615917][T25621] binder: 25576:25621 ioctl c018620b 0 returned -14
[  659.646197][T25622] binder_alloc: 25576: binder_alloc_buf, no vma
[  659.646514][T25624] binder: 25576:25624 BC_INCREFS_DONE u0000000000000000 no match
[  659.673996][T25622] binder: 25576:25622 transaction failed 29189/-3, size 24-8 line 3056
[  659.685912][T25619] binder: BINDER_SET_CONTEXT_MGR already set
[  659.688922][T25621] binder: 25576:25621 Release 1 refcount change on invalid ref 1 ret -22
[  659.695700][T25619] binder: 25617:25619 ioctl 40046207 0 returned -16
[  659.729932][T25619] binder: 25617:25619 transaction failed 29189/-22, size 24-8 line 2903
16:11:11 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='sched\x00')
sendfile(r0, r1, 0x0, 0x1)

16:11:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:11 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x400000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  659.739662][T25619] binder: 25617:25619 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  659.901324][T25637] binder: 25636:25637 ioctl c018620b 0 returned -14
16:11:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:11 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

16:11:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:11 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r3, 0x0, 0x1)
write$UHID_CREATE2(r3, &(0x7f0000000980)=ANY=[@ANYRES32=r3, @ANYRES16=r2, @ANYPTR64=&(0x7f0000000840)=ANY=[@ANYRESHEX=0x0, @ANYRESDEC=r0, @ANYRESDEC, @ANYRESOCT=r2, @ANYPTR64=&(0x7f00000006c0)=ANY=[@ANYRESDEC=r3, @ANYRESOCT=0x0, @ANYPTR64, @ANYRES16, @ANYRESOCT, @ANYBLOB="da070ca7ac0136eb513fe893313db8c3cced896dcc80aafc15ae265aeadc7af01b0ae4ab6568bf90a19b5133b0067542b9c7ba67671848c5e00e8c6feec70134a0f5be667b8c91a0df7847656df3cfd61cce6a9a9a2ca3a5ec6f1dd994ca0812bfdd68487a66521f0e247fba83950b2e8e376f0c2921e0746aa46c140e86876df21fd0e7c374e458af8cda954d4023a7b30acc91bcf989a3d70e5a18eb7cbe04da02434faba0ca75bd3bc598ab3148b844fa6e6d978c9f6512b56d9c9193fcb5364f5f8a61b7d1072f4aa8c9d66260021aa3f8ceb95a78bdc890efebe89223da5a3dfd83744cb33fc3256c33bd570bd384", @ANYRESHEX=r3], @ANYRES64=r0, @ANYRES64=r0, @ANYRESOCT=0x0], @ANYRESHEX=r0, @ANYRESHEX=r1, @ANYPTR=&(0x7f0000000940)=ANY=[@ANYPTR64=&(0x7f00000008c0)=ANY=[@ANYBLOB="c2d131a34045a194386e9a1b27d8bbf129f1ae40cb16efc547a6c908daa13d14e8f3d971028ec2368ad890a30078e19bb9016854e787f4708f282194e90b0e7a381bdd42f7aeecc1a01004fbd573ca25973b0ae38ffadee9d8"], @ANYPTR64, @ANYRES64=r2, @ANYRESDEC=r0, @ANYRES32=r2], @ANYRES64=r1], 0x7)
syz_mount_image$minix(&(0x7f0000000000)='minix\x00', &(0x7f00000000c0)='./file0\x00', 0xfffffffffffffff7, 0x1, &(0x7f0000000180)=[{&(0x7f0000000100)="c2d0687022927ec2bce459720136a9d6f063c3e2c7357b24fb2163f2a440e9ef6c45c67271edbe9b6f756fd0044713ab50f47f0658020e5502967acb88ec68e23e87784f56fcc032e3b9b7d2b6b2b875e469197ef563db499e2c4b0526", 0x5d, 0x1}], 0x20, 0x0)
r4 = gettid()
perf_event_open(&(0x7f0000000200)={0x5, 0x70, 0xbe6, 0x3, 0xb8ca4bc, 0xffffffff, 0x0, 0x5, 0x1000, 0x4, 0x7f, 0x8417, 0x7f, 0x9fc, 0x71, 0x1, 0x9, 0x3, 0x9, 0xffff, 0xdf64, 0x3, 0x80, 0x1, 0x0, 0x6, 0x5, 0x7f, 0x2, 0x5, 0x7, 0x4, 0x3, 0x81, 0x8, 0x0, 0x5, 0x4, 0x0, 0x80000000, 0x1, @perf_bp={&(0x7f00000001c0), 0x1}, 0x3, 0x5, 0x80000000, 0x3, 0x401, 0x200, 0x2}, r4, 0xf, r3, 0x0)

16:11:11 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:11 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:11 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
syz_kvm_setup_cpu$x86(r1, r1, &(0x7f0000fe6000/0x18000)=nil, &(0x7f0000000000)=[@text32={0x20, &(0x7f00000000c0)="b86d4cfb980f23c00f21f835010006000f23f8660f06640f6b54524d0f228666ba410066b8b50066ef66ba6100b0adeeb930090000b800000000ba000000000f30c4e231390266baf80cb8ae310f87ef66bafc0c66ed2636670fc75918", 0x5d}], 0x1, 0x2a, &(0x7f0000000140), 0x0)
sendfile(r0, r2, 0x0, 0x1)

16:11:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  660.657980][T25677] binder_alloc: binder_alloc_mmap_handler: 25636 20001000-20004000 already mapped failed -16
[  660.695027][T25676] binder: 25636:25676 ioctl c018620b 0 returned -14
[  660.726168][T25677] binder: BINDER_SET_CONTEXT_MGR already set
[  660.754526][T25683] binder: 25636:25683 BC_INCREFS_DONE u0000000000000000 no match
[  660.764687][T25677] binder: 25636:25677 ioctl 40046207 0 returned -16
[  660.764973][T25685] binder: BINDER_SET_CONTEXT_MGR already set
[  660.778629][T25642] binder_thread_write: 1 callbacks suppressed
[  660.778662][T25642] binder: 25636:25642 Release 1 refcount change on invalid ref 1 ret -22
16:11:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  660.822674][T25685] binder: 25669:25685 ioctl 40046207 0 returned -16
[  660.829648][T25676] binder_alloc: 25636: binder_alloc_buf, no vma
[  660.846139][   T22] binder: release 25636:25642 transaction 4039 out, still active
[  660.861621][   T22] binder: send failed reply for transaction 4039, target dead
[  660.885714][T25676] binder: 25636:25676 transaction failed 29189/-3, size 24-8 line 3056
[  660.894044][T25687] binder_alloc: 25636: binder_alloc_buf, no vma
[  660.912527][T25687] binder: 25669:25687 transaction failed 29189/-3, size 24-8 line 3056
16:11:12 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x500000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:12 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:12 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(0x0, &(0x7f0000000000)=[{0x0, 0x7}], 0x1)

[  661.195419][T25708] binder_alloc: 25698: binder_alloc_buf, no vma
[  661.199307][T25710] binder: 25703:25710 ioctl c018620b 0 returned -14
[  661.216006][T25708] binder: 25698:25708 transaction failed 29189/-3, size 24-8 line 3056
[  661.233816][T25700] binder: 25698:25700 Release 1 refcount change on invalid ref 1 ret -22
[  661.295387][T25708] binder: 25698:25708 BC_ACQUIRE_DONE u0000000000000000 no match
[  661.333733][T25710] binder: BINDER_SET_CONTEXT_MGR already set
16:11:12 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  661.382401][T25710] binder: 25703:25710 ioctl 40046207 0 returned -16
[  661.382492][T25718] binder_alloc: 25698: binder_alloc_buf, no vma
[  661.441209][T25718] binder: 25703:25718 transaction failed 29189/-3, size 24-8 line 3056
[  661.448221][T25705] binder: 25703:25705 BC_INCREFS_DONE u0000000000000000 no match
[  661.516759][T25726] binder: 25703:25726 Release 1 refcount change on invalid ref 1 ret -22
[  661.927600][T25718] binder_alloc: binder_alloc_mmap_handler: 25703 20001000-20004000 already mapped failed -16
[  661.949833][T25718] binder: 25703:25718 ioctl c018620b 0 returned -14
[  661.970679][T25726] binder_alloc: 25703: binder_alloc_buf, no vma
[  661.987900][T25731] binder: 25703:25731 BC_INCREFS_DONE u0000000000000000 no match
[  662.010154][T25710] binder: 25703:25710 Release 1 refcount change on invalid ref 1 ret -22
16:11:13 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$PERF_EVENT_IOC_QUERY_BPF(r1, 0xc008240a, &(0x7f0000000000)={0x2, 0x0, [0x0, 0x0]})
mlockall(0x5)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:13 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:13 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x600000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:13 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:11:13 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, 0x0, 0x0)

16:11:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  662.488039][T25758] binder: 25750:25758 ioctl c018620b 0 returned -14
[  662.554675][T25767] binder: BINDER_SET_CONTEXT_MGR already set
[  662.573393][T25767] binder: 25751:25767 ioctl 40046207 0 returned -16
[  662.580340][T25758] binder: 25750:25758 BC_INCREFS_DONE node 4051 has no pending increfs request
16:11:13 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  662.600927][T25754] binder: 25751:25754 Release 1 refcount change on invalid ref 1 ret -22
16:11:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:14 executing program 1:
r0 = syz_open_dev$sndctrl(&(0x7f00000000c0)='/dev/snd/controlC#\x00', 0x0, 0x0)
ioctl$SNDRV_CTL_IOCTL_ELEM_WRITE(r0, 0xc4c85512, &(0x7f00000001c0)={{0x8}})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
write$FUSE_STATFS(r0, &(0x7f0000000100)={0x60, 0x0, 0x6, {{0x3, 0x48000, 0x7, 0x5, 0x60000000000000, 0x3ff, 0x3, 0x7f}}}, 0x60)
sysinfo(&(0x7f0000000000)=""/50)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x0)

16:11:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  663.228373][T25800] binder_alloc: binder_alloc_mmap_handler: 25750 20001000-20004000 already mapped failed -16
[  663.255882][   T22] binder: release 25751:25754 transaction 4053 out, still active
[  663.267237][T25798] binder: 25750:25798 ioctl c018620b 0 returned -14
16:11:14 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:14 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x5)

[  663.306358][T25798] binder: BINDER_SET_CONTEXT_MGR already set
[  663.312370][T25798] binder: 25750:25798 ioctl 40046207 0 returned -16
[  663.371748][T25800] binder: 25750:25800 BC_INCREFS_DONE u0000000000000000 no match
[  663.371782][T25772] binder_alloc: 25750: binder_alloc_buf, no vma
[  663.406682][T25800] binder: 25750:25800 Release 1 refcount change on invalid ref 1 ret -22
[  663.431323][T25772] binder_transaction: 1 callbacks suppressed
[  663.431338][T25772] binder: 25750:25772 transaction failed 29189/-3, size 24-8 line 3056
[  663.471101][ T8164] binder: release 25750:25752 transaction 4050 out, still active
[  663.484974][ T8164] binder: send failed reply for transaction 4050, target dead
[  663.500883][T25808] binder_alloc: 25807: binder_alloc_buf, no vma
[  663.515512][T25808] binder: 25807:25808 transaction failed 29189/-3, size 24-8 line 3056
[  663.528027][ T8164] binder: send failed reply for transaction 4053, target dead
16:11:14 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x700000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:14 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:14 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, 0x0, 0x0)

[  663.582969][T25817] binder: 25807:25817 Release 1 refcount change on invalid ref 1 ret -22
16:11:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  663.658612][T25808] binder: 25807:25808 BC_ACQUIRE_DONE u0000000000000000 no match
[  663.719757][T25829] binder: 25819:25829 ioctl c018620b 0 returned -14
16:11:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  663.779291][T25822] binder: BINDER_SET_CONTEXT_MGR already set
[  663.804845][T25822] binder: 25819:25822 ioctl 40046207 0 returned -16
[  663.826103][T25834] binder_alloc: 25807: binder_alloc_buf, no vma
[  663.841391][T25834] binder: 25819:25834 transaction failed 29189/-3, size 24-8 line 3056
16:11:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  663.874345][T25822] binder: 25819:25822 BC_INCREFS_DONE u0000000000000000 no match
[  663.889473][T25822] binder: 25819:25822 Release 1 refcount change on invalid ref 1 ret -22
16:11:15 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwrng\x00', 0x200000, 0x0)
getsockopt$inet_sctp6_SCTP_CONTEXT(0xffffffffffffff9c, 0x84, 0x11, &(0x7f0000000100)={<r2=>0x0}, &(0x7f0000000140)=0x8)
setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000000180)={r2, 0xb6}, 0x8)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)
r4 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2)
getsockopt$inet_pktinfo(r3, 0x0, 0x8, &(0x7f00000020c0)={<r5=>0x0, @empty, @initdev}, &(0x7f0000002100)=0x2bf)
r6 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000200)='TIPCv2\x00')
setsockopt$inet_sctp_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000300)={r2, 0x3, 0x2, [0x7, 0x46a0]}, 0xc)
splice(r4, &(0x7f0000000380), r0, &(0x7f00000003c0)=0x12, 0x70d, 0x2)
sendmsg$TIPC_NL_NET_GET(r4, &(0x7f00000002c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x10080}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x20, r6, 0x0, 0x70bd29, 0x25dfdbff, {}, [@TIPC_NLA_SOCK={0xc, 0x2, [@TIPC_NLA_SOCK_REF={0x8, 0x2, 0x6}]}]}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)
syz_open_dev$radio(&(0x7f0000000400)='/dev/radio#\x00', 0x2, 0x2)
bind$xdp(r4, &(0x7f0000002140)={0x2c, 0x2, r5, 0x32, r3}, 0x10)

16:11:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:15 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x100, 0x0)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x6)
sendfile(r2, r0, &(0x7f00000000c0), 0x0)
r3 = syz_open_procfs(0x0, &(0x7f0000000100)='personality\x00\xd6\x98\xbfn~\x00\xe7l\x9e(\xa5,\x00[\xf0\x84DV/\xdd*i\xbc\xcc\xb8Gi\xbd\xe5\x1af\\\xb4\xab^6\x97\xee\xe7a\xd0\xc2\xc5\xc3\xf2\x00G\xca\xd2\x8d/lU\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
sendfile(r1, r3, 0x0, 0x1)

16:11:15 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:15 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x0, 0x6, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:15 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs\x00', 0x800, 0x0)
bind$inet6(r2, &(0x7f0000000100)={0xa, 0x4e21, 0x101, @mcast2, 0x4}, 0x1c)
r3 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000180)={<r4=>0x0, r3, 0x0, 0xd, &(0x7f0000000140)='smaps_rollup\x00', 0xffffffffffffffff}, 0x30)
ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f00000001c0)=<r5=>0x0)
rt_tgsigqueueinfo(r4, r5, 0xc, &(0x7f0000000200)={0x38, 0x80000000, 0x5})
mlockall(0x3)
ioctl$sock_proto_private(r0, 0x89e7, &(0x7f0000000000)="7ef1143246bf5085d8")
r6 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r6, 0x0, 0x1)

[  664.427927][T25860] binder_alloc: 25858: binder_alloc_buf, no vma
[  664.436822][T25860] binder: 25858:25860 transaction failed 29189/-3, size 24-8 line 3056
[  664.459009][T25870] binder_alloc: binder_alloc_mmap_handler: 25819 20001000-20004000 already mapped failed -16
[  664.482265][T25872] binder: 25858:25872 Release 1 refcount change on invalid ref 1 ret -22
[  664.485428][T25868] binder: 25819:25868 ioctl c018620b 0 returned -14
[  664.527794][T25860] binder: 25858:25860 BC_ACQUIRE_DONE u0000000000000000 no match
[  664.539221][T25834] binder: BINDER_SET_CONTEXT_MGR already set
[  664.545361][T25834] binder: 25819:25834 ioctl 40046207 0 returned -16
[  664.546107][T25870] binder_alloc: 25858: binder_alloc_buf, no vma
[  664.566167][T25874] binder: 25819:25874 BC_INCREFS_DONE u0000000000000000 no match
[  664.574270][T25870] binder: 25819:25870 transaction failed 29189/-3, size 24-8 line 3056
[  664.586158][T25834] binder: 25819:25834 Release 1 refcount change on invalid ref 1 ret -22
16:11:16 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x1000000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:16 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, 0x0, 0x0)

16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  664.820401][T25892] binder: 25885:25892 ioctl c018620b 0 returned -14
16:11:16 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/packet\x00')
sendfile(r0, r1, 0x0, 0x1)

16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  664.888133][T25886] binder: BINDER_SET_CONTEXT_MGR already set
[  664.906226][T25886] binder: 25885:25886 ioctl 40046207 0 returned -16
16:11:16 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x7)
r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x0)
write$cgroup_type(r1, &(0x7f00000000c0)='threaded\x00', 0x9)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

[  664.937880][T25886] binder_alloc: 25858: binder_alloc_buf, no vma
[  664.961022][T25886] binder: 25885:25886 transaction failed 29189/-3, size 24-8 line 3056
[  664.982271][T25886] binder: 25885:25886 BC_INCREFS_DONE u0000000000000000 no match
16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:16 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:16 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  665.344865][T25912] binder_alloc: 25911: binder_alloc_buf, no vma
[  665.369284][T25912] binder: 25911:25912 transaction failed 29189/-3, size 24-8 line 3056
[  665.447021][T25912] binder: 25911:25912 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:16 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000), 0x0)

[  665.565706][T25927] binder_alloc: binder_alloc_mmap_handler: 25885 20001000-20004000 already mapped failed -16
[  665.639765][T25927] binder: BINDER_SET_CONTEXT_MGR already set
[  665.640000][T25925] binder: 25885:25925 ioctl c018620b 0 returned -14
[  665.712780][T25927] binder: 25885:25927 ioctl 40046207 0 returned -16
[  665.730523][T25896] binder_alloc: 25911: binder_alloc_buf, no vma
[  665.743707][T25925] binder: 25885:25925 BC_INCREFS_DONE u0000000000000000 no match
[  665.786989][T25896] binder: 25885:25896 transaction failed 29189/-3, size 24-8 line 3056
16:11:17 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x2000000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:17 executing program 5:
r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x40, 0x200)
ioctl$KVM_SMI(r0, 0xaeb7)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

16:11:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:17 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  666.047592][T25947] binder: 25946:25947 ioctl c018620b 0 returned -14
16:11:17 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:18 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f00000001c0)=@assoc_value={<r2=>0x0}, &(0x7f0000000200)=0x8)
getsockopt$inet_sctp_SCTP_ASSOCINFO(r1, 0x84, 0x1, &(0x7f0000000240)={r2, 0x2, 0x1, 0x0, 0x400, 0x3}, &(0x7f0000000280)=0x14)
getpgid(0x0)
ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000180))
r3 = getpid()
r4 = syz_open_procfs(r3, &(0x7f00000000c0)='sma^s_r/l\xb1\xa0z\xbfk\xde\x10\x83.\x13\xca7lupFcv\xacFn\xea\x19YNSH\x8d\xb03\x06\x00\x89\xe2\xd5\xc1\xaa\xa2\xaex\xfe\xb1n,\xc0~\xb1\xc5\x8d\xa8\xfc\x8a\x8a\x04`&\xd3\x86r]\xbf\x92\xfcbq\t1\x1d\xe5n\xc1\xcdPB\xb6I!B]\x83\x14$\xf7\xd0\xb4$\xfe\xee\x8a\'T\xe5S\xce#\x8c\x80\x1e\x84\x162\xfd\x02\x7f\x9a\xe8\xad\xd5\x9a-\x972\xef\xe8\x84\xb3\x86\x95 \x97-P')
setsockopt$RXRPC_SECURITY_KEY(r4, 0x110, 0x1, &(0x7f0000000000)='wlan0\x81eth0GPL\x83\x00', 0xf)

16:11:18 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000), 0x0)

16:11:18 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/sequencer\x00', 0x80000000000046, 0x0)
r3 = syz_open_procfs(0x0, &(0x7f0000000080)='/exe\x00\x00\x00\x00\x00\x04\t\x00K\xdd\xd9\xde\x91\xbe\x10\xee\xbf\x00\x0e\xe9\xa9\x0fy\x80XT\xfa\aBJ\xde\xe9\x01\xd2\xdau\xaf\x1f\x02\x00\xf5\xab&\xd7\xa0q\xfb53\x1c\xe3\x9cZ')
sendfile(r2, r3, 0x0, 0x2b428a52)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(0xffffffffffffffff, 0x4010ae67, &(0x7f0000000240))
ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, 0x0)
fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff)
ioctl$TUNGETIFF(0xffffffffffffffff, 0x800454d2, 0x0)
openat$misdntimer(0xffffffffffffff9c, 0x0, 0x2200002, 0x0)
setsockopt$inet_sctp6_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000140)=0x10001, 0x4)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r4 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r4, 0x0, 0x1)

16:11:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  666.804274][T25979] binder_alloc: binder_alloc_mmap_handler: 25946 20001000-20004000 already mapped failed -16
[  666.850157][T25978] binder: 25946:25978 ioctl c018620b 0 returned -14
[  666.888940][T25978] binder: BINDER_SET_CONTEXT_MGR already set
16:11:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  666.918041][T25979] binder: 25946:25979 BC_INCREFS_DONE u0000000000000000 no match
[  666.976185][T25984] binder_thread_write: 2 callbacks suppressed
[  666.976200][T25984] binder: 25946:25984 Release 1 refcount change on invalid ref 1 ret -22
[  667.065645][T25956] binder_alloc: 25946: binder_alloc_buf, no vma
[  667.071938][T25956] binder: 25946:25956 transaction failed 29189/-3, size 24-8 line 3056
[  667.080706][   T22] binder: release 25946:25956 transaction 4068 out, still active
[  667.129490][T25978] binder: 25946:25978 ioctl 40046207 0 returned -16
[  667.142616][ T8164] binder: send failed reply for transaction 4068, target dead
16:11:18 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x3f00000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:18 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  667.322391][T26004] binder: 25999:26004 ioctl c018620b 0 returned -14
[  667.390261][T26004] binder: 25999:26004 BC_INCREFS_DONE node 4074 has no pending increfs request
16:11:18 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000), 0x0)

16:11:19 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup3(r0, r0, 0x80000)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x141cd0a7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, r2, 0x0)
mlockall(0x3)
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f00000000c0)=<r3=>0x0)
r4 = syz_open_procfs(r3, &(0x7f0000000000)='smaps_rollup\x00')
sendfile(r1, r4, 0x0, 0x1)

[  668.075151][T26021] binder_alloc: binder_alloc_mmap_handler: 25999 20001000-20004000 already mapped failed -16
[  668.130890][T26020] binder: BINDER_SET_CONTEXT_MGR already set
[  668.159443][T26007] binder: 25999:26007 ioctl c018620b 0 returned -14
[  668.162488][T26020] binder: 25999:26020 ioctl 40046207 0 returned -16
[  668.186289][T26021] binder_alloc: 25999: binder_alloc_buf, no vma
[  668.208874][T26023] binder: 25999:26023 BC_INCREFS_DONE u0000000000000000 no match
[  668.264506][T26007] binder: 25999:26007 Release 1 refcount change on invalid ref 1 ret -22
[  668.296664][T26021] binder: 25999:26021 transaction failed 29189/-3, size 24-8 line 3056
[  668.304977][ T8164] binder: release 25999:26000 transaction 4073 out, still active
16:11:19 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x0, 0x209e1e, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:19 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = getpgid(0xffffffffffffffff)
r3 = syz_open_procfs(r2, &(0x7f0000000180)='smaps_rollup\x00')
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r1, 0x110, 0x4, &(0x7f00000000c0)=0x2, 0x4)
sendfile(r0, r3, 0x0, 0x1)
ioctl$IOC_PR_CLEAR(r1, 0x401070cd, &(0x7f0000000000)={0x6})

16:11:19 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  668.342283][ T8164] binder: send failed reply for transaction 4073, target dead
16:11:19 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = accept$inet(0xffffffffffffff9c, &(0x7f0000000280)={0x2, 0x0, @local}, &(0x7f00000002c0)=0x10)
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(r2, 0x84, 0x1e, &(0x7f0000000300)=0xfffffffffffff52e, 0x4)
mlockall(0x2)
r3 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x2, 0x10100)
write$capi20(r3, &(0x7f00000000c0)={0x10, 0x92c0, 0x85, 0x82, 0x4, 0xfffffffffffffffe}, 0x10)
ioctl$VIDIOC_S_FBUF(r3, 0x4030560b, &(0x7f0000000240)={0x4, 0x8, &(0x7f0000000180)="14b02f9edea298075a85ede0cbc0cfcbc5149b7812f3fcc6f2d1c964ce1b1755156b8f14fc5a4fa6d05f465c57e1835b15b59e8d36a1e02d1a73b387f3f69aef1acc602d7f8441c42ba7aabfa79b02a19bb65bfb5533a33258fa355d972c6fb73349e625fb07ce7e4ec579b5990d04d2c75502598edccc07d3b859b8d2ffcc6194a332529fcc533e43e1baa3cace8b6833373e0ca389afeddc3c851054eac76f1b7999592e87dab93e9e478a3f9cca8b41", {0x5, 0x9, 0x32377759, 0x8, 0x6, 0xa8, 0x0, 0x80}})
r4 = fcntl$getown(r1, 0x9)
r5 = syz_open_procfs(r4, &(0x7f0000000100)='net/nfsfs\x00')
setsockopt$TIPC_IMPORTANCE(r3, 0x10f, 0x7f, &(0x7f0000000140)=0x1, 0x4)
sendfile(r0, r5, 0x0, 0x1)
prctl$PR_GET_CHILD_SUBREAPER(0x25)

16:11:19 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4800000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:19 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{}], 0x1)

16:11:19 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
lsetxattr$trusted_overlay_origin(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)='trusted.overlay.origin\x00', &(0x7f0000000200)='y\x00', 0x2, 0x0)
r2 = syz_open_dev$sndpcmc(&(0x7f0000000240)='/dev/snd/pcmC#D#c\x00', 0x7, 0x0)
ioctl$RTC_VL_READ(r2, 0x80047013, &(0x7f0000000280))
mlockall(0x3)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
mkdir(&(0x7f0000000000)='./file0\x00', 0x0)
mount$bpf(0x20000000, &(0x7f00000000c0)='./file0\x00', 0x0, 0x2001001, 0x0)
syz_mount_image$ext4(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0, 0x100020, &(0x7f0000000380)=ANY=[@ANYBLOB="696e6f64655f7265616461686561645f626c6b733d3078666666666666666666666666666666662c00f9caf234d76be1db947b8a821502276544a1ffe4085468a89d8e5de4fb4e2795d723f8e7e7eac33523a99524685d4a28e8ba79757b0867ca3a5f5135648fca765e33d5bcc23ba1df09ba3cd0867cfe16906cec3192f10b6a24b7c7e52e37dbe6acaafc69fef28ec6f0a7457be206a569e29a"])
sendfile(r0, r3, 0x0, 0x1)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r4=>0x0}, &(0x7f00000000c0)=0x8)
getsockopt$inet_sctp6_SCTP_CONTEXT(r1, 0x84, 0x11, &(0x7f0000000100)={r4, 0x80000001}, &(0x7f0000000140)=0x8)

[  668.587501][T26044] binder: 26038:26044 ioctl c018620b 0 returned -14
[  669.327294][T26057] binder_alloc: binder_alloc_mmap_handler: 26038 20001000-20004000 already mapped failed -16
[  669.361160][T26055] binder: 26038:26055 ioctl c018620b 0 returned -14
[  669.397076][T26057] binder: BINDER_SET_CONTEXT_MGR already set
[  669.419251][T26060] binder: 26038:26060 BC_INCREFS_DONE u0000000000000000 no match
[  669.467099][T26044] binder: 26038:26044 Release 1 refcount change on invalid ref 1 ret -22
[  669.486113][T26057] binder: 26038:26057 ioctl 40046207 0 returned -16
16:11:20 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
ioctl$sock_FIOGETOWN(r1, 0x8903, &(0x7f0000000000)=<r3=>0x0)
setsockopt$inet_dccp_buf(r1, 0x21, 0xf, &(0x7f0000000100)="e8a519126571795e85e348d9c2b171fa08211abd06ae3b3c1c6dc36a877417e95d92694587cf486c68e4c21c0d04527ce828aafdcc3dbbf84d016786f7dcb4834b6696ad46245d03326a4705cdc23d387d0b0c3e521a5bebb8306fb4ba9dec76b6dab8553d4c71d16e0444915bf53dcfb4f658d4df56adf9691d7b546487c13b20a6df01d29994d7b9d4c42ffb7e1f355f547aa4914d0f0fcf58fa048bc168568301cc77ee77b59583e35cba2653e2903ec8698ab4af03f3015395b9512ed2ffc10559fd75c6aa1dee2ff6cbc562ebaec718402766db", 0xd6)
r4 = getuid()
r5 = getegid()
setsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f00000000c0)={r3, r4, r5}, 0xc)
sendfile(r0, r2, 0x0, 0x1)

[  669.527288][T26059] binder_alloc: 26038: binder_alloc_buf, no vma
[  669.578822][T26059] binder: 26038:26059 transaction failed 29189/-3, size 24-8 line 3056
16:11:21 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x4c00000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  669.659686][   T22] binder: send failed reply for transaction 4078 to 26038:26039
[  669.676350][   T22] binder: undelivered TRANSACTION_ERROR: 29189
16:11:21 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{}], 0x1)

[  669.759465][T26050] IPVS: ftp: loaded support on port[0] = 21
16:11:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  669.806528][T26070] binder: 26067:26070 ioctl c018620b 0 returned -14
[  669.937566][T26070] binder: 26067:26070 BC_INCREFS_DONE node 4084 has no pending increfs request
16:11:21 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  670.534492][T26090] binder_alloc: binder_alloc_mmap_handler: 26067 20001000-20004000 already mapped failed -16
[  670.587024][T26088] binder: 26067:26088 ioctl c018620b 0 returned -14
[  670.616061][T26088] binder: BINDER_SET_CONTEXT_MGR already set
[  670.623933][T26088] binder: 26067:26088 ioctl 40046207 0 returned -16
[  670.662275][T26090] binder_alloc: 26067: binder_alloc_buf, no vma
[  670.679186][T26094] binder: 26067:26094 BC_INCREFS_DONE u0000000000000000 no match
[  670.705135][T26090] binder: 26067:26090 transaction failed 29189/-3, size 24-8 line 3056
[  670.727374][T26081] binder: 26067:26081 Release 1 refcount change on invalid ref 1 ret -22
[  671.083514][ T8164] binder: send failed reply for transaction 4083 to 26067:26068
[  671.102390][ T8164] binder: undelivered TRANSACTION_COMPLETE
[  671.154131][ T8164] binder: undelivered TRANSACTION_ERROR: 29189
[  671.475385][T26050] chnl_net:caif_netlink_parms(): no params data found
[  671.651801][T26050] bridge0: port 1(bridge_slave_0) entered blocking state
[  671.659091][T26050] bridge0: port 1(bridge_slave_0) entered disabled state
[  671.667463][T26050] device bridge_slave_0 entered promiscuous mode
[  671.674959][T26050] bridge0: port 2(bridge_slave_1) entered blocking state
[  671.682508][T26050] bridge0: port 2(bridge_slave_1) entered disabled state
[  671.690316][T26050] device bridge_slave_1 entered promiscuous mode
[  671.841937][T26050] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  671.852386][T26050] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  672.004138][T26050] team0: Port device team_slave_0 added
[  672.012254][T26050] team0: Port device team_slave_1 added
[  672.068891][T26050] device hsr_slave_0 entered promiscuous mode
[  672.115837][T26050] device hsr_slave_1 entered promiscuous mode
[  672.294309][T26050] bridge0: port 2(bridge_slave_1) entered blocking state
[  672.301364][T26050] bridge0: port 2(bridge_slave_1) entered forwarding state
[  672.308766][T26050] bridge0: port 1(bridge_slave_0) entered blocking state
[  672.315832][T26050] bridge0: port 1(bridge_slave_0) entered forwarding state
[  672.346800][ T8164] bridge0: port 1(bridge_slave_0) entered disabled state
[  672.354550][ T8164] bridge0: port 2(bridge_slave_1) entered disabled state
[  672.368751][ T8423] device bridge_slave_1 left promiscuous mode
[  672.374941][ T8423] bridge0: port 2(bridge_slave_1) entered disabled state
[  672.436980][ T8423] device bridge_slave_0 left promiscuous mode
[  672.443107][ T8423] bridge0: port 1(bridge_slave_0) entered disabled state
[  676.148735][ T8423] device hsr_slave_1 left promiscuous mode
[  676.211453][ T8423] device hsr_slave_0 left promiscuous mode
[  676.279238][ T8423] team0 (unregistering): Port device team_slave_1 removed
[  676.291913][ T8423] team0 (unregistering): Port device team_slave_0 removed
[  676.305397][ T8423] bond0 (unregistering): Releasing backup interface bond_slave_1
[  676.370955][ T8423] bond0 (unregistering): Releasing backup interface bond_slave_0
[  676.473913][ T8423] bond0 (unregistering): Released all slaves
[  676.595991][T26050] 8021q: adding VLAN 0 to HW filter on device bond0
[  676.607886][ T8164] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  676.616743][ T8164] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  676.626928][T26050] 8021q: adding VLAN 0 to HW filter on device team0
[  676.635771][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  676.644278][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  676.652692][T24074] bridge0: port 1(bridge_slave_0) entered blocking state
[  676.659824][T24074] bridge0: port 1(bridge_slave_0) entered forwarding state
[  676.682377][ T8164] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  676.691524][ T8164] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  676.700054][ T8164] bridge0: port 2(bridge_slave_1) entered blocking state
[  676.707115][ T8164] bridge0: port 2(bridge_slave_1) entered forwarding state
[  676.727222][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  676.736042][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  676.744735][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  676.753303][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  676.762276][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  676.771118][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  676.779604][T24074] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  676.848084][T26050] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  676.858635][T26050] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  676.870409][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  676.880116][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  676.888761][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  676.897296][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  676.906060][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  676.927496][T26050] 8021q: adding VLAN 0 to HW filter on device batadv0
[  677.058019][T26120] binder_alloc: 26116: binder_alloc_buf, no vma
[  677.064432][T26120] binder: 26116:26120 transaction failed 29189/-3, size 24-8 line 3056
[  677.080178][T26120] binder: 26116:26120 Release 1 refcount change on invalid ref 1 ret -22
[  677.093738][T26120] binder: 26116:26120 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:29 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:29 executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
r2 = semget$private(0x0, 0x20000000103, 0x0)
semop(r2, &(0x7f0000000100)=[{0x0, 0xfffffffffffefffc}], 0x1)
semop(r2, &(0x7f0000000000)=[{}], 0x1)

16:11:29 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
write$FUSE_NOTIFY_INVAL_INODE(r1, &(0x7f0000000000)={0x28, 0x2, 0x0, {0x5, 0xff, 0x5}}, 0x28)
sendfile(r0, r2, 0x0, 0x1)
r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000200)='/dev/autofs\x00', 0x10100, 0x0)
write$ppp(r3, &(0x7f0000000180)="ced649484417602389c1b98e80df5e165c41af9635fee2fbec4c13a47d097bdc2b0091ee9f2bcd5868a901712f6fbed21be3638d90cba3985e9ada5e77944db424317cd41f6144eee6ca6d0b1614bc058587a8482ef6e3bd47764c70bd8706bf73dba8a1923f3dfe6ac459b6d4b573ff6fc6a4d05685e329fd7511cda2e7", 0x2f3)
ioctl$TCGETS(r1, 0x5401, &(0x7f0000000140))

16:11:29 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x240000, 0x0)
ioctl$KVM_PPC_ALLOCATE_HTAB(r1, 0xc004aea7, &(0x7f00000000c0)=0x8)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:29 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6000000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  677.881608][T26135] binder: 26125:26135 ioctl c018620b 0 returned -14
16:11:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  678.070425][T26140] binder: BINDER_SET_CONTEXT_MGR already set
[  678.095860][T26140] binder: 26136:26140 ioctl 40046207 0 returned -16
[  678.121601][T26140] binder: 26136:26140 Release 1 refcount change on invalid ref 1 ret -22
16:11:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:29 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  678.628904][T26160] binder_alloc: binder_alloc_mmap_handler: 26125 20001000-20004000 already mapped failed -16
16:11:30 executing program 0:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000580)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu\x00', 0x200002, 0x0)
r3 = openat$cgroup_procs(r2, &(0x7f00000003c0)='tasks\x00', 0x2, 0x0)
sendfile(r1, r3, 0x0, 0x10001)

[  678.693904][T26159] binder: 26125:26159 ioctl c018620b 0 returned -14
[  678.765940][T24074] binder: release 26136:26140 transaction 4093 out, still active
[  678.777308][T26168] binder: BINDER_SET_CONTEXT_MGR already set
[  678.836065][T26160] binder: 26125:26160 BC_INCREFS_DONE u0000000000000000 no match
16:11:30 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  678.904471][T26168] binder: 26125:26168 ioctl 40046207 0 returned -16
[  678.904503][T26135] binder_alloc: 26125: binder_alloc_buf, no vma
16:11:30 executing program 0:
syz_emit_ethernet(0x1, &(0x7f00000000c0)=ANY=[@ANYBLOB="aaaaaaaaaaaab9b28b5f8fe986dd605b397500300000101a51e9b5f624d6b99cb4a318a54549802808570e953b06848a1c0000000000aa000001030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], 0x0)

[  679.092313][T26135] binder: 26125:26135 transaction failed 29189/-3, size 24-8 line 3056
[  679.135160][T26186] binder: BINDER_SET_CONTEXT_MGR already set
[  679.190090][T26186] binder: 26177:26186 ioctl 40046207 0 returned -16
[  679.190131][T26179] binder_alloc: 26125: binder_alloc_buf, no vma
[  679.248152][T24074] binder: send failed reply for transaction 4090 to 26125:26126
[  679.256352][T24074] binder: send failed reply for transaction 4093, target dead
[  679.271285][T26179] binder: 26177:26179 transaction failed 29189/-3, size 24-8 line 3056
[  679.279450][T26189] binder: 26177:26189 Release 1 refcount change on invalid ref 1 ret -22
[  679.309143][T24074] binder: undelivered TRANSACTION_ERROR: 29189
[  679.349825][T26186] binder: 26177:26186 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:30 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:31 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_dev$radio(&(0x7f0000000000)='/dev/radio#\x00', 0x3, 0x2)
getsockopt$inet_sctp6_SCTP_EVENTS(r1, 0x84, 0xb, &(0x7f00000000c0), &(0x7f0000000100)=0xb)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)

16:11:31 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6800000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:31 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1f4780000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

16:11:31 executing program 0:
accept4$inet(0xffffffffffffffff, 0x0, 0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0)
clock_gettime(0x0, &(0x7f0000000000))
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000040)={0x5, 0x0, 0xf000, 0x2000, &(0x7f0000ff7000/0x2000)=nil})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000240)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_NMI(r2, 0xae9a)
ioctl$KVM_RUN(r2, 0xae80, 0x0)

16:11:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

16:11:31 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x0, 0x3, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  680.033548][T26219] binder: 26201:26219 ioctl c018620b 0 returned -14
16:11:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  680.115033][T26220] binder: BINDER_SET_CONTEXT_MGR already set
[  680.131717][T26220] binder: 26205:26220 ioctl 40046207 0 returned -16
[  680.153258][T26219] binder: 26201:26219 BC_INCREFS_DONE node 4100 has no pending increfs request
[  680.197334][T26220] binder: 26205:26220 Release 1 refcount change on invalid ref 1 ret -22
16:11:31 executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000001a00)='/dev/net/tun\x00', 0x1, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'nr0\x01\x00\x00\xdf\xcf\x00', 0x3001})
openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuac\b\x00\xc0F\xfb\xebge_percpu_sys\x00', 0x0, 0x0)
ioctl$TUNSETSNDBUF(0xffffffffffffffff, 0x400454d4, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[], 0x27)
close(0xffffffffffffffff)

16:11:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:31 executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$vbi(0x0, 0x3, 0x2)
ioctl$VIDIOC_ENUMAUDOUT(r1, 0xc0345642, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0)
syz_emit_ethernet(0x0, 0x0, 0x0)
bind$alg(r0, &(0x7f00000000c0)={0x26, 'hash\x00', 0x0, 0x0, 'vmac64(aes-generic)\x00'}, 0x58)
r2 = accept4(r0, 0x0, 0x0, 0x0)
ioctl$VHOST_VSOCK_SET_RUNNING(r1, 0x4004af61, &(0x7f0000000140)=0x1)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000000)="285474dae6badf3ab85f04000000d2eb", 0x10)
sendmsg$TEAM_CMD_NOOP(r2, &(0x7f000000e380)={0x0, 0x0, &(0x7f000000e340)={&(0x7f000000da80)={0x14, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0xffffff8d}}, 0x2000da94}, 0x8}, 0x0)

16:11:31 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:32 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  680.775001][T26259] binder_alloc: binder_alloc_mmap_handler: 26201 20001000-20004000 already mapped failed -16
[  680.790638][   T12] binder: release 26205:26220 transaction 4102 out, still active
[  680.836401][T26256] binder: 26201:26256 ioctl c018620b 0 returned -14
[  680.856442][T26256] binder: BINDER_SET_CONTEXT_MGR already set
[  680.862441][T26256] binder: 26201:26256 ioctl 40046207 0 returned -16
[  680.923888][T26227] binder_alloc: 26201: binder_alloc_buf, no vma
[  680.948249][T26259] binder: 26201:26259 BC_INCREFS_DONE u0000000000000000 no match
[  680.955290][T26227] binder: 26201:26227 transaction failed 29189/-3, size 24-8 line 3056
[  680.962371][T26256] binder: 26201:26256 Release 1 refcount change on invalid ref 1 ret -22
[  680.973912][   T12] binder: release 26201:26202 transaction 4099 out, still active
[  680.999807][   T12] binder: send failed reply for transaction 4099, target dead
[  681.010347][   T12] binder: send failed reply for transaction 4102, target dead
16:11:32 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r0 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r0, 0x0, 0x1)

16:11:32 executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$vbi(0x0, 0x3, 0x2)
ioctl$VIDIOC_ENUMAUDOUT(r1, 0xc0345642, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, 0xffffffffffffffff, 0x0)
syz_emit_ethernet(0x0, 0x0, 0x0)
bind$alg(r0, &(0x7f00000000c0)={0x26, 'hash\x00', 0x0, 0x0, 'vmac64(aes-generic)\x00'}, 0x58)
r2 = accept4(r0, 0x0, 0x0, 0x0)
ioctl$VHOST_VSOCK_SET_RUNNING(r1, 0x4004af61, &(0x7f0000000140)=0x1)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000000)="285474dae6badf3ab85f04000000d2eb", 0x10)
sendmsg$TEAM_CMD_NOOP(r2, &(0x7f000000e380)={0x0, 0x0, &(0x7f000000e340)={&(0x7f000000da80)={0x14, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0xffffff8d}}, 0x2000da94}, 0x8}, 0x0)

16:11:32 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:32 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

16:11:32 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
accept$packet(r1, &(0x7f00000000c0)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000100)=0x14)
sendmsg$nl_route(r1, &(0x7f00000002c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x20080400}, 0xc, &(0x7f0000000280)={&(0x7f0000000140)=@getlink={0x120, 0x12, 0x222, 0x70bd28, 0x25dfdbfb, {0x0, 0x0, 0x0, r2, 0x1000, 0x10000}, [@IFLA_EVENT={0x8, 0x2c, 0x3a}, @IFLA_PORT_SELF={0x18, 0x19, [@IFLA_PORT_INSTANCE_UUID={0x14, 0x4, "b5371684d885e0a50597719f4912294b"}]}, @IFLA_BROADCAST={0xc, 0x2, @random="879413914828"}, @IFLA_MTU={0x8, 0xe, 0x8}, @IFLA_PHYS_SWITCH_ID={0x1c, 0x24, "e478cd4b88192f48949bf87e32e85fedabd2d5ac68b96c"}, @IFLA_LINKMODE={0x8, 0x11, 0x21d}, @IFLA_LINKMODE={0x8, 0x11, 0x8001}, @IFLA_LINKINFO={0x64, 0x12, @erspan={{0xc, 0x1, 'erspan\x00'}, {0x54, 0x2, [@IFLA_GRE_LOCAL={0x8, 0x6, @multicast2}, @IFLA_GRE_LOCAL={0x8, 0x6, @local}, @IFLA_GRE_LOCAL={0x8, 0x6, @broadcast}, @IFLA_GRE_REMOTE={0x8, 0x7, @multicast2}, @IFLA_GRE_REMOTE={0x8, 0x7, @broadcast}, @IFLA_GRE_LOCAL={0x8, 0x6, @multicast2}, @IFLA_GRE_REMOTE={0x8, 0x7, @initdev={0xac, 0x1e, 0x0, 0x0}}, @gre_common_policy=[@IFLA_GRE_ERSPAN_INDEX={0x8, 0x15, 0xb7cd2}, @IFLA_GRE_ENCAP_DPORT={0x8, 0x11, 0x4e20}, @IFLA_GRE_ERSPAN_VER={0x8, 0x16, 0x2}]]}}}, @IFLA_CARRIER={0x8, 0x21, 0x119}, @IFLA_LINKINFO={0x34, 0x12, @ipip={{0xc, 0x1, 'ipip\x00'}, {0x24, 0x2, [@IFLA_IPTUN_REMOTE={0x8, 0x3, @loopback}, @IFLA_IPTUN_LOCAL={0x8, 0x2, @multicast1}, @IFLA_IPTUN_PROTO={0x8}, @IFLA_IPTUN_LOCAL={0x8, 0x2, @remote}]}}}]}, 0x120}, 0x1, 0x0, 0x0, 0x8800}, 0x10)
r3 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r3, 0x0, 0x1)

16:11:32 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x6c00000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

[  681.266088][T26286] binder: 26271:26286 ioctl c018620b 0 returned -14
16:11:32 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  681.311734][T26274] binder_alloc: 26269: binder_alloc_buf, no vma
[  681.326320][T26274] binder: 26269:26274 transaction failed 29189/-3, size 24-8 line 3056
[  681.335840][T26288] binder: BINDER_SET_CONTEXT_MGR already set
[  681.341844][T26288] binder: 26271:26288 ioctl 40046207 0 returned -16
[  681.386462][T26291] binder: 26269:26291 Release 1 refcount change on invalid ref 1 ret -22
[  681.395217][T26276] binder_alloc: 26269: binder_alloc_buf, no vma
[  681.435720][T26276] binder: 26271:26276 transaction failed 29189/-3, size 24-8 line 3056
[  681.461531][T26274] binder: 26269:26274 BC_ACQUIRE_DONE u0000000000000000 no match
[  681.477319][T26276] binder: 26271:26276 BC_INCREFS_DONE u0000000000000000 no match
16:11:32 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  681.513671][T26276] binder: 26271:26276 Release 1 refcount change on invalid ref 1 ret -22
16:11:33 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

16:11:33 executing program 0:
r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000080)=@nat={'nat\x00', 0x19, 0x3, 0x318, [0x20000540, 0x0, 0x0, 0x20000640, 0x20000780], 0x0, 0x0, &(0x7f0000000540)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0xb, 0x0, 0x0, 'bridge_slave_0\x00', 'sit0\x00', 'ip6gretap0\x00', 'ipddp0\x00', @broadcast, [], @dev, [], 0xa0, 0xa0, 0xd0, [@connlabel={'connlabel\x00', 0x8, {{0x0, 0xc882e99a8a6c1b2e}}}]}}, @common=@AUDIT={'AUDIT\x00', 0x8}}]}, {0x0, '\x00', 0x1, 0xffffffffffffffff, 0x1, [{{{0x3, 0x0, 0x0, 'vlan0\x00', 'bpq0\x00', 'ip_vti0\x00', 'veth1\x00\x00\x00\x00\x00\x1c\x00', @link_local, [], @dev, [], 0x70, 0xd8, 0x110}, [@common=@STANDARD={'\x00', 0x8}, @common=@mark={'mark\x00', 0x10}]}, @snat={'snat\x00', 0x10, {{@dev}}}}]}, {0x0, '\x00', 0x2, 0xfffffffffffffffe, 0x1, [{{{0x5, 0x0, 0x0, 'rose0\x00', 'ip6gre0\x00', 'veth0_to_bridge\x00', 'vlan0\x00', @broadcast, [], @link_local, [], 0x70, 0x70, 0xa8}}, @arpreply={'arpreply\x00', 0x10}}]}]}, 0x390)

16:11:33 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

[  682.001060][T26306] Unknown options in mask 1b2e
[  682.017685][T26288] binder_alloc: binder_alloc_mmap_handler: 26271 20001000-20004000 already mapped failed -16
16:11:33 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  682.055917][T26288] binder: 26271:26288 ioctl c018620b 0 returned -14
[  682.083235][T26276] binder_alloc: 26271: binder_alloc_buf, no vma
[  682.089849][T26288] binder: 26271:26288 BC_INCREFS_DONE u0000000000000000 no match
[  682.128187][T26276] binder: 26271:26276 transaction failed 29189/-3, size 24-8 line 3056
[  682.170307][T26288] binder: 26271:26288 Release 1 refcount change on invalid ref 1 ret -22
[  682.301662][T26320] binder_alloc: 26316: binder_alloc_buf, no vma
[  682.311543][T26320] binder: 26316:26320 transaction failed 29189/-3, size 24-8 line 3056
[  682.327422][T26320] binder: 26316:26320 Release 1 refcount change on invalid ref 1 ret -22
[  682.346945][T26320] binder: 26316:26320 BC_ACQUIRE_DONE u0000000000000000 no match
16:11:33 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_dev$cec(&(0x7f0000000140)='/dev/cec#\x00', 0x0, 0x2)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000100)='smaps_rollup\x00', r1}, 0x10)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r2, 0x0, 0x1)
sendto$x25(r2, &(0x7f0000000000)="e7dcec263e95e7cbe8018b9db2adb22afeb1b9616e0df20f18e35887fbe5b31f3d964e13e024e67b4dd8da31ec386dca1490b3ae932169abf31c7ecbf767", 0x3e, 0x4000, &(0x7f00000000c0)={0x9, @null='               \x00'}, 0x12)

16:11:33 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'})

16:11:33 executing program 0:
socketpair$unix(0x1, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(0x0, 0x0, 0x0)
getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, 0x0, 0x0)
mmap(&(0x7f0000000000/0xc1f000)=nil, 0xc1f000, 0x2, 0x71, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
mprotect(&(0x7f00006bc000/0x4000)=nil, 0x4000, 0x0)
clone(0x0, 0x0, 0x0, 0x0, 0x0)

16:11:33 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7400000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:33 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = dup2(r0, r1)
finit_module(r2, &(0x7f00000001c0)='\x00', 0x2)
r3 = perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
ioctl$VHOST_SET_MEM_TABLE(r2, 0x4008af03, &(0x7f00000003c0)=ANY=[@ANYBLOB="050000000000000000000000000000005d00000000000000", @ANYPTR=&(0x7f00000000c0)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00c\x00\x00\x00\x00\x00\x00\x00', @ANYPTR=&(0x7f0000000140)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="000000000000000003300000000000005000000000000000", @ANYPTR=&(0x7f0000000580)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="00000000000000000070000000000000f200000000000000", @ANYPTR=&(0x7f0000000840)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0572372779d1876a08d2f5d4125c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000032a958d175333f5ea090621d77711cbda203fe47065e172bb1020000006f1380fd1411dc4ea9cccafd5a213e2f49e644556db87edde4ef432a1db60c5856509953bc143bb0121565ec9c3ce0ad0999f1b22eb6d314621678ba5c0c70e5821081429b738b88de9890ca12d009437e3166c9f4f4804ac9aaf4484a13730f44ace15c5e6ece8d58f11ff8c35b85450c3fb1dd792fe710121d843bd932b1a8d650ad108bc168de89b25f5513b83f5ad77cec3899c3b5875f3d69a23884f316e55a2afa27bf14ef2e981c00c0d44b25d1bfc64ca564f97c7a07a03f7517e2f10e70f5bec52105a298d38534b1ff646583c55a695b7fd58386e30686e119c92fc93352611aa16a9b6aeae480fcc82ef29824e27b60e37430df583eabcff19344a84f415a3d1d08a27f8dacd9800c97a7841e9d7b46c1"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00`\x00\x00\x00\x00\x00\x00\n\x00\x00\x00\x00\x00\x00\x00', @ANYPTR=&(0x7f0000000380)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'])
ioctl$TIOCGSID(r2, 0x5429, &(0x7f0000000200))
getpgrp(0x0)
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000004c0))
fcntl$getownex(r3, 0x10, &(0x7f0000000500)={0x0, <r4=>0x0})
r5 = syz_open_procfs(r4, &(0x7f0000000540)='attr\x00')
mmap$perf(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x10010, r2, 0x0)
sendfile(r1, r5, 0x0, 0x1)
set_mempolicy(0x2, &(0x7f0000000340)=0x2291, 0xffffffffffffffff)
ioctl$KVM_ASSIGN_DEV_IRQ(r5, 0x4040ae70, &(0x7f0000000000)={0x5, 0x7fffffff, 0x80000000, 0x400})
ioctl$ASHMEM_PURGE_ALL_CACHES(r5, 0x770a, 0x0)
pwritev(r3, &(0x7f0000000480)=[{&(0x7f0000000240)="5826a514b0340328abb92c666f497718", 0x10}, {&(0x7f0000000280)="46e16d0262f377d95d68cef059bc1a5665658315642b0b080b575a6a21db709fd9355468235e9d643cb922d1e77513a18bf2ff5a76d84888df3751f136dba612966c89e59344956aedcaa86a38a43b1ef5676ec6427311f7a707b072b353a99304e74effe6fed34ec33bf12465c8e35201204e52750779da2889d53c34df78d25da087eb96671045556395a1d31fad1d4d5bb92db60ea8ade14f8bd8311c7d89de92c7a1b53bf13a906a3276f8ce708eb50eaec8ca", 0xb5}], 0x2, 0x0)

[  682.557878][T26341] binder: 26332:26341 ioctl c018620b 0 returned -14
16:11:33 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd\x00'})

[  682.610600][T26346] binder: BINDER_SET_CONTEXT_MGR already set
16:11:34 executing program 0:

[  682.654043][T26346] binder: 26332:26346 ioctl 40046207 0 returned -16
16:11:34 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\xfd\xff\xff\x00'})

[  682.700545][T26333] binder_alloc: 26316: binder_alloc_buf, no vma
[  682.719691][T26333] binder: 26332:26333 transaction failed 29189/-3, size 24-8 line 3056
16:11:34 executing program 0:

[  682.774316][T26346] binder: 26332:26346 BC_INCREFS_DONE u0000000000000000 no match
[  682.813782][T26333] binder: 26332:26333 Release 1 refcount change on invalid ref 1 ret -22
16:11:34 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f'})

16:11:34 executing program 0:
ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0)
r0 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x0, 0x0)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
write$RDMA_USER_CM_CMD_RESOLVE_ADDR(0xffffffffffffffff, &(0x7f00000009c0)={0x15, 0x110, 0xfa00, {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @ib={0x1b, 0x0, 0x9, {"8aa70fe0aa0ede7c09c210101caa3dec"}, 0x1, 0x1af88dd4}, @ib={0x1b, 0xee, 0xfffffffffffffc00, {"85fd0808d02c405658db20b07f8916da"}, 0xfff, 0x3}}}, 0x118)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
setsockopt(r1, 0x0, 0x0, &(0x7f00000003c0)="3b58a920bf133167868ac62068fc4e462d4a07411fd71b0caed0cd834ee0dda2d8c7f84350d0f0417e40a74997367f288a17271e00d8d4b8dda68c21108edb6952", 0x41)
ioctl$sock_inet6_SIOCSIFADDR(r1, 0x89a1, &(0x7f00000000c0)={@local={0xfe, 0x80, [0x0, 0x3ef, 0x0, 0x3f00000000000000, 0x0, 0x0, 0x1103, 0x0, 0x0, 0x0, 0x0, 0x6]}})
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f00000002c0)={<r2=>0x0, @in, [0x5, 0x3, 0x10000, 0x1ff, 0x4, 0x0, 0x2, 0x0, 0x4, 0x0, 0x555, 0x100, 0x9, 0x8]}, 0x0)
ioctl$sock_inet6_SIOCADDRT(r1, 0x89a0, &(0x7f0000000100)={@local, @empty, @loopback, 0x3})
setsockopt$inet_sctp6_SCTP_AUTH_DELETE_KEY(0xffffffffffffffff, 0x84, 0x19, &(0x7f0000000740)={r2, 0xfffffffffffffff7}, 0x8)
syz_mount_image$nfs4(&(0x7f0000000080)='nfs4\x00', &(0x7f0000000280)='./file0\x00', 0x8, 0x1, &(0x7f0000000640)=[{&(0x7f0000000540)="8e1b4e95bea98e0e31e88086f0b82743abd344287ce08eaa6b3a909213ed57a988ddba42840e5506cf7ef96829d03e1a1b0980db3ca353239affc89f24ca1fa4f5b3488f1945d8e3c386a2439079b422f812b79238ac73b3e46bf13e27362a718d04bca7244921d703ff2baf0dc08da0620a76ba8f709ec62e13a1ed837a3c79fccc28642fe774fc1a202dcdb70fe4aedc0fe668a9c1f12dde98a47e0b02bccdc53cf215372b02182087c06b3233ec80aa22626e14b5fc4aa7887494b3a04fc3cbc4b71e70c92bb591930feb19daa6f41495015951", 0xd5, 0x7fff}], 0x102010, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$ndb(&(0x7f00000000c0)='/dev/nbd#\x00', 0xffffffffffffffff, 0x0)
ioctl$BLKTRACESETUP(r3, 0xc0481273, &(0x7f0000000340)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000], 0x0, 0xfff, 0x5, 0x3, 0xffffffffffffffff})
openat$uinput(0xffffffffffffff9c, &(0x7f0000000180)='/dev/uinput\x00', 0x802, 0x0)
ioctl$SCSI_IOCTL_BENCHMARK_COMMAND(r0, 0x3)

16:11:34 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x0, 0x1}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  683.205967][T26372] binder_alloc: 26371: binder_alloc_buf, no vma
[  683.212302][T26372] binder: 26371:26372 transaction failed 29189/-3, size 24-8 line 3056
[  683.258820][T26372] binder: 26371:26372 Release 1 refcount change on invalid ref 1 ret -22
[  683.304281][T26383] binder_alloc: binder_alloc_mmap_handler: 26332 20001000-20004000 already mapped failed -16
[  683.317153][T26372] binder: 26371:26372 BC_ACQUIRE_DONE u0000000000000000 no match
[  683.328724][T26382] binder: 26332:26382 ioctl c018620b 0 returned -14
[  683.363070][T26383] binder: BINDER_SET_CONTEXT_MGR already set
[  683.407252][T26383] binder: 26332:26383 ioctl 40046207 0 returned -16
[  683.412415][T26346] binder_alloc: 26371: binder_alloc_buf, no vma
[  683.442928][T26382] binder: 26332:26382 BC_INCREFS_DONE u0000000000000000 no match
16:11:34 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x0)
r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x5f2, 0x0)
setsockopt$inet6_tcp_TCP_REPAIR(r1, 0x6, 0x13, &(0x7f00000000c0)=0xffffffffffffffff, 0x4)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
accept4$netrom(r2, &(0x7f0000000100)={{}, [@null, @bcast, @null, @rose, @bcast, @default, @default]}, &(0x7f0000000180)=0x48, 0x80800)
sendfile(r0, r2, 0x0, 0x1)

16:11:34 executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndseq(&(0x7f00000004c0)='/dev/snd/seq\x00', 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f0000000000)={0x0, 0x200000000080, 0x0, 'queue0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfd\xfd'})

[  683.443127][T26346] binder: 26332:26346 transaction failed 29189/-3, size 24-8 line 3056
16:11:34 executing program 5:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)

[  683.638897][T26374] kasan: CONFIG_KASAN_INLINE enabled
16:11:35 executing program 4:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r1 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x18, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d"})
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
dup(r2)
shutdown(0xffffffffffffffff, 0x1)
prctl$PR_SET_NAME(0xf, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0xe, 0x7a00000000000000, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0x0, 0x0, 0x0)

16:11:35 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r1 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r0, r1, 0x0, 0x1)
accept$packet(r1, &(0x7f00000000c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f0000000100)=0x14)
ioctl$KVM_SET_VCPU_EVENTS(r1, 0x4040aea0, &(0x7f0000000000)={0x0, 0xffffffff, 0xa9, 0x0, 0xffffffff80000000, 0x7fffffff, 0xfffffffffffffbff, 0x8, 0x5, 0x5, 0x7, 0x10000, 0x0, 0x0, 0xd4d5, 0xbe8, 0x1, 0xe84, 0x8})

[  683.661923][T26374] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  683.700990][T26374] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[  683.707958][T26374] CPU: 1 PID: 26374 Comm: syz-executor0 Not tainted 5.0.0-rc4-next-20190130 #22
[  683.716968][T26374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  683.727058][T26374] RIP: 0010:relay_open_buf.part.0+0x7cb/0xb40
[  683.733169][T26374] Code: c1 ea 03 80 3c 02 00 0f 85 4c 03 00 00 49 8d 7d 58 4d 89 ac 24 90 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1b 03 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
[  683.752790][T26374] RSP: 0018:ffff888052d07670 EFLAGS: 00010203
[  683.758639][T26407] binder: 26406:26407 ioctl c018620b 0 returned -14
[  683.758856][T26374] RAX: dffffc0000000000 RBX: ffff88805d75d580 RCX: ffffc90005e03000
[  683.773414][T26374] RDX: 0000000000000008 RSI: ffffffff81833b80 RDI: 0000000000000047
[  683.781400][T26374] RBP: ffff888052d076e8 R08: 0000000000000006 R09: ffff88804b952ec8
[  683.789367][T26374] R10: ffff88804b952600 R11: 0000000000000000 R12: ffff888087307a80
[  683.797338][T26374] R13: ffffffffffffffef R14: 0000000000000000 R15: 0000000000000004
[  683.805309][T26374] FS:  00007f1992ac4700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
[  683.814247][T26374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  683.818628][T26410] binder: BINDER_SET_CONTEXT_MGR already set
[  683.820821][T26374] CR2: 00000000004cdef0 CR3: 000000008e4cf000 CR4: 00000000001406e0
[  683.820835][T26374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  683.820844][T26374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  683.820848][T26374] Call Trace:
[  683.820877][T26374]  ? kmem_cache_alloc_trace+0x354/0x760
[  683.832614][T26410] binder: 26406:26410 ioctl 40046207 0 returned -16
[  683.834803][T26374]  relay_open+0x5f3/0xaf0
[  683.834822][T26374]  ? relay_open_buf.part.0+0xb40/0xb40
[  683.834910][T26374]  ? __debugfs_create_file+0x301/0x400
[  683.861644][T26410] binder_alloc: 26371: binder_alloc_buf, no vma
[  683.866204][T26374]  ? debugfs_create_file+0x5a/0x70
[  683.866315][T26374]  do_blk_trace_setup+0x50d/0xdb0
[  683.866336][T26374]  ? blk_tracer_print_line+0x60/0x60
[  683.878538][T26410] binder: 26406:26410 transaction failed 29189/-3, size 24-8 line 3056
[  683.881552][T26374]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  683.881615][T26374]  ? _copy_from_user+0xdd/0x150
[  683.881634][T26374]  __blk_trace_setup+0xe3/0x190
[  683.903099][T26410] binder: 26406:26410 BC_INCREFS_DONE u0000000000000000 no match
[  683.903212][T26374]  ? do_blk_trace_setup+0xdb0/0xdb0
[  683.924889][T26410] binder: 26406:26410 Release 1 refcount change on invalid ref 1 ret -22
[  683.927362][T26374]  ? disk_name+0xae/0x110
[  683.927399][T26374]  blk_trace_ioctl+0x170/0x300
[  683.957736][T26374]  ? blk_add_trace_rq_remap+0x6b0/0x6b0
[  683.963284][T26374]  ? lock_downgrade+0xc40/0xc40
[  683.968139][T26374]  ? __fget+0x473/0x710
[  683.972329][T26374]  blkdev_ioctl+0x141/0x2120
[  683.976925][T26374]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  683.983162][T26374]  ? blkpg_ioctl+0xc10/0xc10
[  683.987754][T26374]  ? lock_downgrade+0xc40/0xc40
[  683.992610][T26374]  ? kasan_check_read+0x11/0x20
[  683.997464][T26374]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[  684.003443][T26374]  ? rcu_read_unlock_special+0x380/0x380
[  684.009087][T26374]  ? __fget+0x49a/0x710
[  684.013303][T26374]  block_ioctl+0xee/0x130
[  684.017644][T26374]  ? blkdev_fallocate+0x410/0x410
[  684.022690][T26374]  do_vfs_ioctl+0x107b/0x17d0
[  684.027371][T26374]  ? ioctl_preallocate+0x2f0/0x2f0
[  684.032477][T26374]  ? __fget_light+0x2db/0x420
[  684.037153][T26374]  ? fget_raw+0x20/0x20
[  684.041352][T26374]  ? put_timespec64+0x115/0x1b0
[  684.046207][T26374]  ? nsecs_to_jiffies+0x30/0x30
[  684.051097][T26374]  ? do_syscall_64+0x8c/0x800
[  684.055777][T26374]  ? do_syscall_64+0x8c/0x800
[  684.060449][T26374]  ? lockdep_hardirqs_on+0x418/0x5d0
[  684.065749][T26374]  ? security_file_ioctl+0x93/0xc0
[  684.070865][T26374]  ksys_ioctl+0xab/0xd0
[  684.075021][T26374]  __x64_sys_ioctl+0x73/0xb0
[  684.079614][T26374]  do_syscall_64+0x1a3/0x800
[  684.084220][T26374]  ? syscall_return_slowpath+0x5f0/0x5f0
[  684.089851][T26374]  ? prepare_exit_to_usermode+0x232/0x3b0
[  684.095599][T26374]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  684.101168][T26374]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  684.107054][T26374] RIP: 0033:0x458089
[  684.110956][T26374] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  684.131072][T26374] RSP: 002b:00007f1992ac3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  684.139483][T26374] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
[  684.147446][T26374] RDX: 0000000020000340 RSI: 00000000c0481273 RDI: 000000000000000b
[  684.155409][T26374] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
16:11:35 executing program 5:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)
mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2, 0x4c113, r0, 0x23)

[  684.163374][T26374] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1992ac46d4
[  684.171341][T26374] R13: 00000000004bf54d R14: 00000000004d0e38 R15: 00000000ffffffff
[  684.179312][T26374] Modules linked in:
[  684.192656][ T3865] kobject: 'loop5' (00000000f6a85cc9): kobject_uevent_env
16:11:35 executing program 2:
syz_open_dev$audion(0x0, 0x0, 0x0)
r0 = socket$inet(0x2, 0x806, 0x2)
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x2, 0x9, 0x0, 0x0, 0x0, 0x7, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x10b, 0x6, 0x209e1e, 0x3}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000b40)={r1, &(0x7f0000000040), 0x0, 0x1}, 0x20)
unlink(&(0x7f0000000900)='./file0/file0\x00')
r2 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000000080))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x48, 0x0, &(0x7f0000000700)="2ba063fb309ec7fdbfb08e6e91baee7d7d4599fe14129a4d426834556ae420e087d59c0c7be7fcad1abb7e1f8f446f373f611ca1ee9c2231708e18a47bc68a2a79a0b48931f6ff6d"})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
r4 = dup(r3)
shutdown(r4, 0x1)
prctl$PR_SET_NAME(0xf, &(0x7f0000000380)='/group.stat\x00')
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x8, 0x0, &(0x7f0000000500)=[@release={0x40046306, 0x1}], 0x0, 0x0, &(0x7f0000000680)})
creat(&(0x7f00000000c0)='./file0\x00', 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0xe, 0x0, &(0x7f0000000680)=[@acquire_done], 0xfffffffffffffeb3, 0x0, &(0x7f00000007c0)})
setsockopt$inet_int(r0, 0x0, 0xcf, &(0x7f0000000080), 0xfffffffffffffedf)

[  684.217944][ T3865] kobject: 'loop5' (00000000f6a85cc9): fill_kobj_path: path = '/devices/virtual/block/loop5'
[  684.264263][ T3865] kobject: 'loop2' (00000000ddb81cd2): kobject_uevent_env
[  684.288794][ T3865] kobject: 'loop2' (00000000ddb81cd2): fill_kobj_path: path = '/devices/virtual/block/loop2'
[  684.315704][T26374] ---[ end trace c6841de95e7e6f23 ]---
[  684.321363][T26374] RIP: 0010:relay_open_buf.part.0+0x7cb/0xb40
[  684.343098][T26374] Code: c1 ea 03 80 3c 02 00 0f 85 4c 03 00 00 49 8d 7d 58 4d 89 ac 24 90 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1b 03 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
[  684.363364][T26417] binder_alloc: 26416: binder_alloc_buf, no vma
[  684.379066][T26417] binder: 26416:26417 transaction failed 29189/-3, size 24-8 line 3056
[  684.405414][T26417] binder: 26416:26417 Release 1 refcount change on invalid ref 1 ret -22
[  684.416198][T26381] kobject: 'rx-0' (00000000cf6eca19): kobject_cleanup, parent 00000000730bfd8f
[  684.433379][T26417] binder: 26416:26417 BC_ACQUIRE_DONE u0000000000000000 no match
[  684.451885][T26381] kobject: 'rx-0' (00000000cf6eca19): auto cleanup 'remove' event
[  684.499874][T26381] kobject: 'rx-0' (00000000cf6eca19): kobject_uevent_env
[  684.507134][T26381] kobject: 'rx-0' (00000000cf6eca19): fill_kobj_path: path = '/devices/virtual/net/þ€/queues/rx-0'
[  684.518074][T26381] kobject: 'rx-0' (00000000cf6eca19): auto cleanup kobject_del
[  684.527163][T26374] RSP: 0018:ffff888052d07670 EFLAGS: 00010203
[  684.527373][T26429] binder_alloc: binder_alloc_mmap_handler: 26406 20001000-20004000 already mapped failed -16
[  684.533522][T26381] kobject: 'rx-0' (00000000cf6eca19): calling ktype release
[  684.553636][T26374] RAX: dffffc0000000000 RBX: ffff88805d75d580 RCX: ffffc90005e03000
[  684.561812][T26374] RDX: 0000000000000008 RSI: ffffffff81833b80 RDI: 0000000000000047
[  684.570293][T26381] kobject: 'rx-0': free name
[  684.575052][T26381] kobject: 'tx-0' (00000000e06adb04): kobject_cleanup, parent 00000000730bfd8f
[  684.584253][T26374] RBP: ffff888052d076e8 R08: 0000000000000006 R09: ffff88804b952ec8
[  684.592413][T26374] R10: ffff88804b952600 R11: 0000000000000000 R12: ffff888087307a80
[  684.600781][T26381] kobject: 'tx-0' (00000000e06adb04): auto cleanup 'remove' event
[  684.606488][T26428] binder: BINDER_SET_CONTEXT_MGR already set
[  684.611325][T26413] binder: 26406:26413 ioctl c018620b 0 returned -14
[  684.621335][T26374] R13: ffffffffffffffef R14: 0000000000000000 R15: 0000000000000004
[  684.624767][T26428] binder: 26406:26428 ioctl 40046207 0 returned -16
[  684.632924][T26429] binder_alloc: 26416: binder_alloc_buf, no vma
[  684.642407][T26432] binder: 26406:26432 BC_INCREFS_DONE u0000000000000000 no match
[  684.652971][T26381] kobject: 'tx-0' (00000000e06adb04): kobject_uevent_env
[  684.661438][T26381] kobject: 'tx-0' (00000000e06adb04): fill_kobj_path: path = '/devices/virtual/net/þ€/queues/tx-0'
[  684.676036][T26429] binder: 26406:26429 transaction failed 29189/-3, size 24-8 line 3056
[  684.684399][T26374] FS:  00007f1992ac4700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
16:11:36 executing program 5:
r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000140)='/dev/urandom\x00', 0x400, 0x0)
fcntl$addseals(r0, 0x409, 0xb)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x20000, 0x0)
dup2(0xffffffffffffffff, 0xffffffffffffffff)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
mlockall(0x3)
r2 = syz_open_procfs(0x0, &(0x7f0000000340)='smaps_rollup\x00')
sendfile(r1, r2, 0x0, 0x1)

[  684.697261][T26374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  684.703815][T26434] binder: 26406:26434 Release 1 refcount change on invalid ref 1 ret -22
[  684.704056][T26381] kobject: 'tx-0' (00000000e06adb04): auto cleanup kobject_del
[  684.721186][ T3865] kobject: 'loop5' (00000000f6a85cc9): kobject_uevent_env
[  684.722872][T26374] CR2: 0000000000000000 CR3: 000000008e4cf000 CR4: 00000000001406f0
[  684.731656][ T3865] kobject: 'loop5' (00000000f6a85cc9): fill_kobj_path: path = '/devices/virtual/block/loop5'
[  684.736550][T26381] kobject: 'tx-0' (00000000e06adb04): calling ktype release
[  684.757132][T26374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  684.768847][T26381] kobject: 'tx-0': free name
[  684.774510][T26374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  684.790891][T26381] kobject: 'queues' (00000000730bfd8f): kobject_cleanup, parent           (null)
[  684.808951][T26374] Kernel panic - not syncing: Fatal exception
[  684.816029][T26374] Kernel Offset: disabled
[  684.820348][T26374] Rebooting in 86400 seconds..