:00007fbc1acf4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1330.953990][ T1775] RAX: ffffffffffffffda RBX: 00007fbc1acf4c90 RCX: 0000000000458da9 [ 1330.954006][ T1775] RDX: 0000000020000080 RSI: 0800000000008982 RDI: 0000000000000003 [ 1330.964526][ T1773] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1330.969929][ T1775] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1330.969938][ T1775] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1acf56d4 [ 1330.969947][ T1775] R13: 00000000004bffed R14: 00000000004d2330 R15: 0000000000000004 [ 1331.014298][ T1783] binder: 1779:1783 got transaction with invalid parent offset or type [ 1331.036987][ T1785] binder: BINDER_SET_CONTEXT_MGR already set [ 1331.165453][ T1773] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1331.200245][ T1773] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1331.221186][ T1773] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1331.257050][ T1785] binder: 1782:1785 ioctl 40046207 0 returned -16 [ 1331.264985][ T1786] binder: BINDER_SET_CONTEXT_MGR already set [ 1331.279396][ T1773] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1331.288233][ T1786] binder: 1784:1786 ioctl 40046207 20000780 returned -16 [ 1331.288282][ T1788] binder_alloc: 1784: binder_alloc_buf, no vma [ 1331.330927][ T1773] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1331.338818][ T1788] binder: 1782:1788 got transaction with invalid offset (0, min 24 max 24) or object. [ 1331.356689][ T1773] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1331.389759][ T1773] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1331.433786][ T1773] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1331.447501][ T1773] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1331.468840][ T1773] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1331.486849][ T1773] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1331.504036][ T1773] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1331.524028][ T1773] Interruptibility = 00000000 ActivityState = 00000000 [ 1331.544589][ T1773] *** Host State *** [ 1331.564222][ T1773] RIP = 0xffffffff811b4980 RSP = 0xffff888064ef78e0 [ 1331.572287][ T1773] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1331.604303][ T1773] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1331.625064][ T1773] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1331.639323][ T1773] CR0=0000000080050033 CR3=0000000091876000 CR4=00000000001426f0 [ 1331.647060][ T1773] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1331.679237][ T1773] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1331.686022][ T1773] *** Control State *** [ 1331.709240][ T1773] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1331.716637][ T1773] EntryControls=0000d1ff ExitControls=002fefff [ 1331.739231][ T1773] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1331.746874][ T1773] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1331.759389][ T1773] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1331.781256][ T1773] reason=80000021 qualification=0000000000000000 [ 1331.788369][ T1773] IDTVectoring: info=00000000 errcode=00000000 01:56:24 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0xfdfdffff00000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:24 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0xe, 0x0, &(0x7f0000000080)) 01:56:24 executing program 2 (fault-call:2 fault-nth:5): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6800000000000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1331.815250][ T1773] TSC Offset = 0xfffffd34b05e7d30 [ 1331.834903][ T1773] TPR Threshold = 0x00 [ 1331.839064][ T1773] EPT pointer = 0x000000006146001e [ 1331.912259][ T1797] binder: 1789:1797 got transaction with invalid parent offset or type [ 1331.922444][ T1795] FAULT_INJECTION: forcing a failure. [ 1331.922444][ T1795] name failslab, interval 1, probability 0, space 0, times 0 [ 1331.940420][ T1798] binder: BINDER_SET_CONTEXT_MGR already set 01:56:24 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0xf, 0x0, &(0x7f0000000080)) [ 1331.957376][ T1798] binder: 1792:1798 ioctl 40046207 0 returned -16 [ 1331.980839][ T1795] CPU: 1 PID: 1795 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #85 [ 1331.988748][ T1795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1331.998803][ T1795] Call Trace: [ 1332.002109][ T1795] dump_stack+0x172/0x1f0 [ 1332.006458][ T1795] should_fail.cold+0xa/0x15 [ 1332.011070][ T1795] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1332.011096][ T1795] ? ___might_sleep+0x163/0x280 [ 1332.011124][ T1795] __should_failslab+0x121/0x190 [ 1332.011144][ T1795] should_failslab+0x9/0x14 [ 1332.011166][ T1795] kmem_cache_alloc_trace+0x2d1/0x760 [ 1332.011196][ T1795] vlan_vid_add+0x3d4/0x730 [ 1332.011220][ T1795] register_vlan_dev+0xc2/0x7a0 [ 1332.031258][ T1795] ? alloc_netdev_mqs+0x98f/0xd30 [ 1332.031282][ T1795] vlan_ioctl_handler+0xc3c/0xfff [ 1332.031302][ T1795] ? register_vlan_dev+0x7a0/0x7a0 [ 1332.031332][ T1795] ? tomoyo_init_request_info+0x105/0x1d0 [ 1332.031357][ T1795] ? register_vlan_dev+0x7a0/0x7a0 [ 1332.031374][ T1795] sock_ioctl+0x3d9/0x610 [ 1332.031394][ T1795] ? dlci_ioctl_set+0x40/0x40 [ 1332.080957][ T1795] ? __fget+0x35a/0x550 [ 1332.085126][ T1795] ? dlci_ioctl_set+0x40/0x40 [ 1332.089806][ T1795] do_vfs_ioctl+0xd6e/0x1390 [ 1332.094407][ T1795] ? ioctl_preallocate+0x210/0x210 [ 1332.099520][ T1795] ? __fget+0x381/0x550 [ 1332.103684][ T1795] ? ksys_dup3+0x3e0/0x3e0 [ 1332.108111][ T1795] ? tomoyo_file_ioctl+0x23/0x30 01:56:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0xffffffff00000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1332.113055][ T1795] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1332.119302][ T1795] ? security_file_ioctl+0x93/0xc0 [ 1332.124429][ T1795] ksys_ioctl+0xab/0xd0 [ 1332.128608][ T1795] __x64_sys_ioctl+0x73/0xb0 [ 1332.133205][ T1795] do_syscall_64+0x103/0x610 [ 1332.133237][ T1795] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1332.133257][ T1795] RIP: 0033:0x458da9 [ 1332.133272][ T1795] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1332.133281][ T1795] RSP: 002b:00007fbc1acf4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1332.133295][ T1795] RAX: ffffffffffffffda RBX: 00007fbc1acf4c90 RCX: 0000000000458da9 [ 1332.133304][ T1795] RDX: 0000000020000080 RSI: 0800000000008982 RDI: 0000000000000003 [ 1332.133313][ T1795] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1332.133322][ T1795] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1acf56d4 01:56:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:24 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x10, 0x0, &(0x7f0000000080)) 01:56:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1332.133343][ T1795] R13: 00000000004bffed R14: 00000000004d2330 R15: 0000000000000004 [ 1332.219422][ T1804] binder: 1792:1804 got transaction with invalid offset (0, min 24 max 24) or object. 01:56:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6c00000000000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1332.270419][ T1812] binder: BINDER_SET_CONTEXT_MGR already set [ 1332.278785][ T1813] *** Guest State *** [ 1332.286095][ T1813] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1332.295687][ T1812] binder: 1811:1812 ioctl 40046207 0 returned -16 [ 1332.296589][ T1812] binder_alloc: 1792: binder_alloc_buf, no vma [ 1332.316955][ T1816] binder: BINDER_SET_CONTEXT_MGR already set [ 1332.369321][ T1816] binder: 1814:1816 ioctl 4018620d 20000780 returned -16 [ 1332.377342][ T1813] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1332.387514][ T1821] binder: BINDER_SET_CONTEXT_MGR already set [ 1332.401210][ T1813] CR3 = 0x0000000000000000 [ 1332.409679][ T1821] binder: 1820:1821 ioctl 40046207 0 returned -16 [ 1332.425303][ T1813] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1332.435207][ T1813] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1332.447792][ T1813] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1332.459010][ T1823] binder: 1820:1823 got transaction with invalid offset (0, min 24 max 24) or object. [ 1332.475715][ T1813] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1332.516134][ T1813] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1332.528983][ T1813] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1332.543652][ T1813] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1332.553455][ T1813] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1332.567179][ T1813] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1332.577282][ T1813] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1332.592020][ T1813] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1332.602792][ T1813] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1332.615513][ T1813] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1332.626231][ T1813] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1332.637307][ T1813] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1332.647529][ T1813] Interruptibility = 00000000 ActivityState = 00000000 [ 1332.658562][ T1813] *** Host State *** [ 1332.664800][ T1813] RIP = 0xffffffff811b4980 RSP = 0xffff88805b2b78e0 [ 1332.675618][ T1813] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1332.684820][ T1813] FSBase=00007f101dc25700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1332.697624][ T1813] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1332.706321][ T1813] CR0=0000000080050033 CR3=0000000056b22000 CR4=00000000001426f0 [ 1332.718048][ T1813] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1332.727549][ T1813] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1332.738299][ T1813] *** Control State *** [ 1332.744606][ T1813] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1332.755711][ T1813] EntryControls=0000d1ff ExitControls=002fefff [ 1332.764002][ T1813] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1332.775647][ T1813] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1332.785042][ T1813] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1332.796921][ T1813] reason=80000021 qualification=0000000000000000 [ 1332.805995][ T1813] IDTVectoring: info=00000000 errcode=00000000 [ 1332.816171][ T1813] TSC Offset = 0xfffffd33e27c6a57 [ 1332.823278][ T1813] TPR Threshold = 0x00 [ 1332.827356][ T1813] EPT pointer = 0x000000008f8de01e 01:56:25 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:25 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x11, 0x0, &(0x7f0000000080)) 01:56:25 executing program 2 (fault-call:2 fault-nth:6): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7400000000000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0045878, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1332.949066][ T1829] FAULT_INJECTION: forcing a failure. [ 1332.949066][ T1829] name failslab, interval 1, probability 0, space 0, times 0 [ 1332.964682][ T1834] binder: BINDER_SET_CONTEXT_MGR already set 01:56:25 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x12, 0x0, &(0x7f0000000080)) [ 1333.000907][ T1834] binder: 1827:1834 ioctl 40046207 0 returned -16 [ 1333.031033][ T1829] CPU: 0 PID: 1829 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #85 [ 1333.038961][ T1829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1333.049017][ T1829] Call Trace: [ 1333.052322][ T1829] dump_stack+0x172/0x1f0 [ 1333.056668][ T1829] should_fail.cold+0xa/0x15 [ 1333.061291][ T1829] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1333.067108][ T1829] ? ___might_sleep+0x163/0x280 [ 1333.071972][ T1829] __should_failslab+0x121/0x190 [ 1333.076917][ T1829] should_failslab+0x9/0x14 [ 1333.080911][ T1840] *** Guest State *** [ 1333.081700][ T1829] kmem_cache_alloc_trace+0x2d1/0x760 [ 1333.085670][ T1840] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1333.091122][ T1829] garp_init_applicant+0x33a/0x4d0 [ 1333.091145][ T1829] vlan_gvrp_init_applicant+0x1d/0x30 [ 1333.111154][ T1829] register_vlan_dev+0x1aa/0x7a0 [ 1333.116092][ T1829] ? alloc_netdev_mqs+0x98f/0xd30 [ 1333.121127][ T1829] vlan_ioctl_handler+0xc3c/0xfff [ 1333.126157][ T1829] ? register_vlan_dev+0x7a0/0x7a0 [ 1333.129290][ T1840] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1333.131273][ T1829] ? tomoyo_init_request_info+0x105/0x1d0 [ 1333.131297][ T1829] ? register_vlan_dev+0x7a0/0x7a0 [ 1333.131318][ T1829] sock_ioctl+0x3d9/0x610 [ 1333.155979][ T1829] ? dlci_ioctl_set+0x40/0x40 [ 1333.160665][ T1829] ? __fget+0x35a/0x550 [ 1333.164837][ T1829] ? dlci_ioctl_set+0x40/0x40 [ 1333.169532][ T1829] do_vfs_ioctl+0xd6e/0x1390 [ 1333.174147][ T1829] ? ioctl_preallocate+0x210/0x210 [ 1333.179261][ T1829] ? __fget+0x381/0x550 [ 1333.179281][ T1840] CR3 = 0x0000000000000000 [ 1333.183420][ T1829] ? ksys_dup3+0x3e0/0x3e0 [ 1333.183443][ T1829] ? tomoyo_file_ioctl+0x23/0x30 [ 1333.183474][ T1829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1333.189742][ T1840] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1333.192287][ T1829] ? security_file_ioctl+0x93/0xc0 [ 1333.192307][ T1829] ksys_ioctl+0xab/0xd0 [ 1333.192328][ T1829] __x64_sys_ioctl+0x73/0xb0 [ 1333.219298][ T1840] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1333.220855][ T1829] do_syscall_64+0x103/0x610 [ 1333.220884][ T1829] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1333.243292][ T1829] RIP: 0033:0x458da9 01:56:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1333.247188][ T1829] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1333.249247][ T1840] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1333.266808][ T1829] RSP: 002b:00007fbc1acf4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1333.266822][ T1829] RAX: ffffffffffffffda RBX: 00007fbc1acf4c90 RCX: 0000000000458da9 [ 1333.266836][ T1829] RDX: 0000000020000080 RSI: 0800000000008982 RDI: 0000000000000003 [ 1333.266843][ T1829] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1333.266850][ T1829] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1acf56d4 [ 1333.266857][ T1829] R13: 00000000004bffed R14: 00000000004d2330 R15: 0000000000000004 [ 1333.318056][ T1834] binder: BINDER_SET_CONTEXT_MGR already set [ 1333.346325][ T1845] binder: BINDER_SET_CONTEXT_MGR already set 01:56:25 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x13, 0x0, &(0x7f0000000080)) [ 1333.354037][ T1834] binder: 1827:1834 ioctl 40046207 0 returned -16 [ 1333.365932][ T1847] binder_alloc: 1843: binder_alloc_buf, no vma [ 1333.381343][ T1845] binder: 1843:1845 ioctl 40046207 0 returned -16 01:56:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0045878, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1333.402533][ T1846] binder_alloc: 1843: binder_alloc_buf, no vma 01:56:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1333.569261][ T1840] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1333.589262][ T1840] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1333.609312][ T1840] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1333.618031][ T1840] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1333.639573][ T1840] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1333.648409][ T1840] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1333.689292][ T1840] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1333.698006][ T1840] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1333.721252][ T1840] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1333.741169][ T1840] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1333.775916][ T1840] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1333.793004][ T1840] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1333.821176][ T1840] Interruptibility = 00000000 ActivityState = 00000000 [ 1333.841170][ T1840] *** Host State *** [ 1333.845241][ T1840] RIP = 0xffffffff811b4980 RSP = 0xffff88806253f8e0 [ 1333.873312][ T1840] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1333.893000][ T1840] FSBase=00007f101dc26700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1333.921144][ T1840] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1333.927868][ T1840] CR0=0000000080050033 CR3=000000008f7e2000 CR4=00000000001426e0 [ 1333.941333][ T1840] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1333.948834][ T1840] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1333.958637][ T1840] *** Control State *** [ 1333.965728][ T1840] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1333.976013][ T1840] EntryControls=0000d1ff ExitControls=002fefff [ 1333.985371][ T1840] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1333.996150][ T1840] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1334.006584][ T1840] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1334.016781][ T1840] reason=80000021 qualification=0000000000000000 [ 1334.026929][ T1840] IDTVectoring: info=00000000 errcode=00000000 [ 1334.038230][ T1840] TSC Offset = 0xfffffd3374fa895e [ 1334.046525][ T1840] EPT pointer = 0x000000009ee8f01e 01:56:26 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7a00000000000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:26 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x14, 0x0, &(0x7f0000000080)) 01:56:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x5}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:26 executing program 2 (fault-call:2 fault-nth:7): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1334.130907][ T1863] binder_transaction: 1 callbacks suppressed [ 1334.130921][ T1863] binder: 1859:1863 got transaction with invalid offset (0, min 24 max 24) or object. [ 1334.146505][ T1865] FAULT_INJECTION: forcing a failure. [ 1334.146505][ T1865] name failslab, interval 1, probability 0, space 0, times 0 [ 1334.146523][ T1865] CPU: 0 PID: 1865 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #85 [ 1334.146531][ T1865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1334.146536][ T1865] Call Trace: [ 1334.146559][ T1865] dump_stack+0x172/0x1f0 [ 1334.146591][ T1865] should_fail.cold+0xa/0x15 [ 1334.167948][ T1866] binder: BINDER_SET_CONTEXT_MGR already set [ 1334.177117][ T1865] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1334.177138][ T1865] ? ___might_sleep+0x163/0x280 [ 1334.177156][ T1865] __should_failslab+0x121/0x190 [ 1334.177171][ T1865] should_failslab+0x9/0x14 [ 1334.177187][ T1865] kmem_cache_alloc_trace+0x2d1/0x760 [ 1334.177213][ T1865] garp_init_applicant+0xdc/0x4d0 [ 1334.177234][ T1865] vlan_gvrp_init_applicant+0x1d/0x30 [ 1334.177250][ T1865] register_vlan_dev+0x1aa/0x7a0 [ 1334.177271][ T1865] ? alloc_netdev_mqs+0x98f/0xd30 [ 1334.199235][ T1866] binder: 1861:1866 ioctl 40046207 0 returned -16 [ 1334.201336][ T1865] vlan_ioctl_handler+0xc3c/0xfff [ 1334.231078][ T1866] binder_fixup_parent: 7 callbacks suppressed [ 1334.231090][ T1866] binder: 1861:1866 got transaction with invalid parent offset or type [ 1334.231307][ T1865] ? register_vlan_dev+0x7a0/0x7a0 [ 1334.236281][ T1866] binder_transaction: 31 callbacks suppressed [ 1334.236298][ T1866] binder: 1861:1866 transaction failed 29201/-22, size 64-16 line 3389 [ 1334.241264][ T1865] ? tomoyo_init_request_info+0x105/0x1d0 [ 1334.241286][ T1865] ? register_vlan_dev+0x7a0/0x7a0 [ 1334.241303][ T1865] sock_ioctl+0x3d9/0x610 [ 1334.241323][ T1865] ? dlci_ioctl_set+0x40/0x40 [ 1334.258204][ T1863] binder: 1859:1863 transaction failed 29201/-22, size 24-16 line 3242 [ 1334.258821][ T1865] ? __fget+0x35a/0x550 [ 1334.278486][T19060] binder_release_work: 31 callbacks suppressed [ 1334.278495][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1334.286782][ T1865] ? dlci_ioctl_set+0x40/0x40 [ 1334.286801][ T1865] do_vfs_ioctl+0xd6e/0x1390 [ 1334.286822][ T1865] ? ioctl_preallocate+0x210/0x210 [ 1334.286844][ T1865] ? __fget+0x381/0x550 [ 1334.286865][ T1865] ? ksys_dup3+0x3e0/0x3e0 [ 1334.295322][ T1863] binder: BINDER_SET_CONTEXT_MGR already set [ 1334.297699][ T1865] ? tomoyo_file_ioctl+0x23/0x30 [ 1334.297717][ T1865] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1334.297742][ T1865] ? security_file_ioctl+0x93/0xc0 01:56:26 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x15, 0x0, &(0x7f0000000080)) [ 1334.315708][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1334.319774][ T1865] ksys_ioctl+0xab/0xd0 [ 1334.319795][ T1865] __x64_sys_ioctl+0x73/0xb0 [ 1334.319814][ T1865] do_syscall_64+0x103/0x610 [ 1334.319844][ T1865] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1334.326121][ T1873] binder_alloc: 1859: binder_alloc_buf, no vma [ 1334.332144][ T1865] RIP: 0033:0x458da9 [ 1334.332159][ T1865] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1334.332168][ T1865] RSP: 002b:00007fbc1acf4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1334.332181][ T1865] RAX: ffffffffffffffda RBX: 00007fbc1acf4c90 RCX: 0000000000458da9 [ 1334.332189][ T1865] RDX: 0000000020000080 RSI: 0800000000008982 RDI: 0000000000000003 [ 1334.332197][ T1865] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1334.332206][ T1865] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1acf56d4 [ 1334.332213][ T1865] R13: 00000000004bffed R14: 00000000004d2330 R15: 0000000000000004 01:56:27 executing program 2 (fault-call:2 fault-nth:8): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:27 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1334.385121][ T1866] binder: BINDER_SET_CONTEXT_MGR already set [ 1334.449803][ T1863] binder: 1859:1863 ioctl 40046207 0 returned -16 [ 1334.450016][ T1873] binder: 1859:1873 transaction failed 29189/-3, size 24-16 line 3148 [ 1334.504824][ T1866] binder: 1861:1866 ioctl 40046207 0 returned -16 [ 1334.511700][ T1874] binder: 1861:1874 transaction failed 29189/-22, size 64-16 line 2995 01:56:27 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x16, 0x0, &(0x7f0000000080)) 01:56:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1334.529455][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1334.574748][ T1879] FAULT_INJECTION: forcing a failure. [ 1334.574748][ T1879] name failslab, interval 1, probability 0, space 0, times 0 [ 1334.587837][ T1879] CPU: 0 PID: 1879 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #85 [ 1334.595733][ T1879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1334.595768][ T1879] Call Trace: [ 1334.595798][ T1879] dump_stack+0x172/0x1f0 [ 1334.595822][ T1879] should_fail.cold+0xa/0x15 [ 1334.595851][ T1879] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1334.595881][ T1879] __should_failslab+0x121/0x190 [ 1334.595899][ T1879] should_failslab+0x9/0x14 [ 1334.595927][ T1879] kmem_cache_alloc_trace+0x4b/0x760 [ 1334.607278][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1334.609281][ T1879] __hw_addr_create_ex+0x5e/0x310 [ 1334.609302][ T1879] __hw_addr_add_ex+0x1ef/0x2b0 [ 1334.609324][ T1879] __dev_mc_add+0x80/0xd0 [ 1334.659005][ T1879] dev_mc_add+0x20/0x30 [ 1334.663176][ T1879] garp_init_applicant+0xf9/0x4d0 [ 1334.668210][ T1879] vlan_gvrp_init_applicant+0x1d/0x30 [ 1334.673589][ T1879] register_vlan_dev+0x1aa/0x7a0 [ 1334.678539][ T1879] ? alloc_netdev_mqs+0x98f/0xd30 [ 1334.683584][ T1879] vlan_ioctl_handler+0xc3c/0xfff [ 1334.688616][ T1879] ? register_vlan_dev+0x7a0/0x7a0 [ 1334.693740][ T1879] ? tomoyo_init_request_info+0x105/0x1d0 [ 1334.699491][ T1879] ? register_vlan_dev+0x7a0/0x7a0 [ 1334.704615][ T1879] sock_ioctl+0x3d9/0x610 [ 1334.708950][ T1879] ? dlci_ioctl_set+0x40/0x40 [ 1334.713635][ T1879] ? __fget+0x35a/0x550 [ 1334.717800][ T1879] ? dlci_ioctl_set+0x40/0x40 [ 1334.722505][ T1879] do_vfs_ioctl+0xd6e/0x1390 [ 1334.727103][ T1879] ? ioctl_preallocate+0x210/0x210 [ 1334.732220][ T1879] ? __fget+0x381/0x550 [ 1334.736385][ T1879] ? ksys_dup3+0x3e0/0x3e0 [ 1334.740821][ T1879] ? tomoyo_file_ioctl+0x23/0x30 [ 1334.745770][ T1879] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1334.752023][ T1879] ? security_file_ioctl+0x93/0xc0 [ 1334.757440][ T1879] ksys_ioctl+0xab/0xd0 [ 1334.761614][ T1879] __x64_sys_ioctl+0x73/0xb0 [ 1334.766217][ T1879] do_syscall_64+0x103/0x610 [ 1334.770823][ T1879] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1334.776721][ T1879] RIP: 0033:0x458da9 [ 1334.780617][ T1879] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1334.800231][ T1879] RSP: 002b:00007fbc1acf4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1334.808650][ T1879] RAX: ffffffffffffffda RBX: 00007fbc1acf4c90 RCX: 0000000000458da9 [ 1334.816625][ T1879] RDX: 0000000020000080 RSI: 0800000000008982 RDI: 0000000000000003 01:56:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x8000000000000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1334.824595][ T1879] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1334.832569][ T1879] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc1acf56d4 [ 1334.840546][ T1879] R13: 00000000004bffed R14: 00000000004d2330 R15: 0000000000000004 [ 1334.890359][ T1883] binder: 1881:1883 got transaction with invalid parent offset or type [ 1334.898705][ T1883] binder: 1881:1883 transaction failed 29201/-22, size 64-16 line 3389 [ 1334.915626][ T1887] binder: BINDER_SET_CONTEXT_MGR already set [ 1334.923454][ T1887] binder: 1884:1887 ioctl 40046207 0 returned -16 01:56:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1334.940210][ T1887] binder: 1884:1887 got transaction with invalid offset (0, min 24 max 24) or object. [ 1334.952575][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1334.960438][ T1883] binder: BINDER_SET_CONTEXT_MGR already set [ 1334.966450][ T1883] binder: 1881:1883 ioctl 40046207 0 returned -16 [ 1334.978417][ T1887] binder: transaction release 9369 bad handle 1, ret = -22 01:56:27 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x17, 0x0, &(0x7f0000000080)) [ 1334.987493][ T1887] binder: 1884:1887 transaction failed 29201/-22, size 24-16 line 3242 [ 1334.996247][ T1890] binder: 1881:1890 transaction failed 29189/-22, size 64-16 line 2995 [ 1335.005967][ T1891] *** Guest State *** [ 1335.018429][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1335.027927][ T1894] binder: 1884:1894 got transaction with invalid offset (0, min 24 max 24) or object. [ 1335.039496][ T1893] binder: 1892 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 1335.039510][ T1893] binder: 1892:1893 ioctl c018620c 20000780 returned -22 [ 1335.055244][ T1891] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1335.065384][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1335.087976][ T1894] binder: 1884:1894 transaction failed 29201/-22, size 24-16 line 3242 [ 1335.103539][ T1891] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1335.114725][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xfdfdffff00000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1335.134528][ T1897] binder: 1892 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero. [ 1335.134542][ T1897] binder: 1892:1897 ioctl c018620c 20000780 returned -22 [ 1335.148618][ T1891] CR3 = 0x0000000000000000 [ 1335.155093][ T1891] RSP = 0x0000000000000000 RIP = 0x0000000000000000 01:56:27 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x18, 0x0, &(0x7f0000000080)) [ 1335.184610][ T1891] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1335.209684][ T1891] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1335.222580][ T1900] binder: 1898:1900 got transaction with invalid offset (0, min 24 max 24) or object. 01:56:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1335.236502][ T1901] binder: BINDER_SET_CONTEXT_MGR already set [ 1335.243622][ T1891] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1335.252857][ T1900] binder: 1898:1900 transaction failed 29201/-22, size 24-16 line 3242 [ 1335.261520][ T1901] binder: 1899:1901 ioctl 40046207 0 returned -16 [ 1335.268085][ T1891] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1335.278127][ T1901] binder: 1899:1901 got transaction with invalid parent offset or type [ 1335.291669][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1335.298396][ T1900] binder: BINDER_SET_CONTEXT_MGR already set [ 1335.308978][ T1891] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1335.318339][ T1903] binder: 1898:1903 transaction failed 29189/-22, size 24-16 line 2995 [ 1335.327134][ T1901] binder: transaction release 9381 bad handle 1, ret = -22 01:56:27 executing program 2 (fault-call:2 fault-nth:9): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1335.335834][ T1891] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1335.345614][ T1900] binder: 1898:1900 ioctl 40046207 0 returned -16 [ 1335.359935][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1335.373974][ T1909] binder_alloc: 1899: binder_alloc_buf, no vma [ 1335.380447][ T1891] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1335.405311][ T1891] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1335.432904][ T1891] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1335.447328][ T1891] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1335.457636][ T1891] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1335.467250][ T1891] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1335.476369][ T1891] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1335.484072][ T1891] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1335.492745][ T1891] Interruptibility = 00000000 ActivityState = 00000000 [ 1335.509771][ T1891] *** Host State *** [ 1335.513808][ T1891] RIP = 0xffffffff811b4980 RSP = 0xffff88805fda78e0 [ 1335.529374][ T1891] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1335.549362][ T1891] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1335.569277][ T1891] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1335.575985][ T1891] CR0=0000000080050033 CR3=0000000056b22000 CR4=00000000001426f0 [ 1335.599276][ T1891] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1335.620271][ T1891] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1335.627143][ T1891] *** Control State *** [ 1335.639261][ T1891] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1335.659264][ T1891] EntryControls=0000d1ff ExitControls=002fefff [ 1335.669555][ T1891] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1335.691664][ T1891] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1335.709563][ T1891] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1335.716888][ T1891] reason=80000021 qualification=0000000000000000 [ 1335.735753][ T1891] IDTVectoring: info=00000000 errcode=00000000 [ 1335.755771][ T1891] TSC Offset = 0xfffffd326fb5568d [ 1335.760986][ T1891] EPT pointer = 0x00000000a83c401e 01:56:28 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r1, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r1, 0xae80, 0x0) 01:56:28 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x19, 0x0, &(0x7f0000000080)) 01:56:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xffffffff00000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xa}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:28 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306202, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1335.880385][ T1920] binder: 1913:1920 got transaction with invalid offset (0, min 24 max 24) or object. 01:56:28 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1a, 0x0, &(0x7f0000000080)) 01:56:28 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000000002, &(0x7f0000000080)) [ 1335.926440][ T1918] binder: BINDER_SET_CONTEXT_MGR already set [ 1335.952645][ T1920] binder: BINDER_SET_CONTEXT_MGR already set [ 1335.959364][ T1918] binder: 1916:1918 ioctl 40046207 0 returned -16 [ 1335.969818][ T1926] binder_alloc: 1913: binder_alloc_buf, no vma 01:56:28 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r1, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r1, 0xae80, 0x0) [ 1336.000905][ T1920] binder: 1913:1920 ioctl 40046207 0 returned -16 [ 1336.002088][ T1927] binder: 1916:1927 got transaction with invalid parent offset or type 01:56:28 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000005421, &(0x7f0000000080)) 01:56:28 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1b, 0x0, &(0x7f0000000080)) 01:56:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:28 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r1, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r1, 0xae80, 0x0) 01:56:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x10}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1336.061333][ T1936] binder: 1929:1936 ioctl c0306202 20000780 returned -22 [ 1336.092336][ T1937] binder: 1929:1937 ioctl c0306202 20000780 returned -22 01:56:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306225, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:28 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000005450, &(0x7f0000000080)) [ 1336.172679][ T1942] binder: 1941:1942 got transaction with invalid offset (2, min 0 max 24) or object. 01:56:28 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1d, 0x0, &(0x7f0000000080)) [ 1336.228285][ T1948] binder: BINDER_SET_CONTEXT_MGR already set [ 1336.262153][ T1948] binder: 1946:1948 ioctl 40046207 0 returned -16 [ 1336.262388][ T1951] binder: 1941:1951 got transaction with invalid offset (2, min 0 max 24) or object. 01:56:28 executing program 1: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 1336.271856][ T1954] binder: 1949:1954 ioctl c0306225 20000780 returned -22 [ 1336.301279][ T1957] binder: 1946:1957 got transaction with invalid parent offset or type 01:56:28 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1e, 0x0, &(0x7f0000000080)) 01:56:28 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000005451, &(0x7f0000000080)) [ 1336.343598][ T1960] binder: 1949:1960 ioctl c0306225 20000780 returned -22 [ 1336.360137][ T1957] binder: BINDER_SET_CONTEXT_MGR already set 01:56:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x3, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1336.392103][ T1957] binder: 1946:1957 ioctl 40046207 0 returned -16 [ 1336.392283][ T1962] binder: 1946:1962 got transaction with invalid parent offset or type 01:56:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc030625b, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 1: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x21, 0x0, &(0x7f0000000080)) [ 1336.474207][ T1967] binder: 1965:1967 got transaction with invalid offset (3, min 0 max 24) or object. [ 1336.506582][ T1962] binder: transaction release 9403 bad handle 1, ret = -22 01:56:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x28}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1336.523308][ T1973] binder: 1965:1973 got transaction with invalid offset (3, min 0 max 24) or object. [ 1336.549658][ T1975] binder: 1970:1975 ioctl c030625b 20000780 returned -22 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000005452, &(0x7f0000000080)) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x22, 0x0, &(0x7f0000000080)) 01:56:29 executing program 1: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 1336.595490][ T1977] binder: 1970:1977 ioctl c030625b 20000780 returned -22 01:56:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x5b, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000005460, &(0x7f0000000080)) [ 1336.675220][ T1982] binder: 1978:1982 got transaction with invalid parent offset or type [ 1336.727229][ T1988] binder: BINDER_SET_CONTEXT_MGR already set [ 1336.739583][ T1988] binder: 1985:1988 ioctl 40046207 0 returned -16 [ 1336.750286][ T1988] binder: 1985:1988 got transaction with invalid offset (4, min 0 max 24) or object. [ 1336.770560][ T1992] binder: 1989:1992 unknown command 0 01:56:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x23, 0x0, &(0x7f0000000080)) [ 1336.778164][T19558] binder: send failed reply for transaction 9415 to 1989:1992 [ 1336.789506][ T1982] binder: BINDER_SET_CONTEXT_MGR already set [ 1336.805710][ T1982] binder: 1978:1982 ioctl 40046207 0 returned -16 [ 1336.820083][ T1992] binder: 1989:1992 ioctl c0306201 20000780 returned -22 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008901, &(0x7f0000000080)) 01:56:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x5, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1336.828177][T19060] binder: undelivered TRANSACTION_COMPLETE 01:56:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x38}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008902, &(0x7f0000000080)) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x24, 0x0, &(0x7f0000000080)) 01:56:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x2, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1337.016166][ T2078] binder: 2052:2078 got transaction with invalid parent offset or type [ 1337.052097][ T2114] binder: BINDER_SET_CONTEXT_MGR already set 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x66, 0x0, &(0x7f0000000080)) 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008903, &(0x7f0000000080)) [ 1337.083282][ T2114] binder: 2083:2114 ioctl 40046207 0 returned -16 [ 1337.083584][ T2116] binder: 2052:2116 got transaction with invalid parent offset or type [ 1337.119808][ T2114] binder: BINDER_SET_CONTEXT_MGR already set [ 1337.151369][ T2114] binder: 2083:2114 ioctl 40046207 0 returned -16 [ 1337.165244][ T2123] binder: 2120:2123 unknown command 16456 01:56:29 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x48}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1337.199319][ T2123] binder: 2120:2123 ioctl c0306201 20000780 returned -22 [ 1337.217890][ T2127] binder: 2120:2127 unknown command 16456 01:56:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x6c, 0x0, &(0x7f0000000080)) [ 1337.247922][ T2127] binder: 2120:2127 ioctl c0306201 20000780 returned -22 01:56:29 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008904, &(0x7f0000000080)) [ 1337.307053][ T2134] binder: 2130:2134 got transaction with invalid parent offset or type [ 1337.331178][ T2136] binder: BINDER_SET_CONTEXT_MGR already set 01:56:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x3, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1337.353721][ T2136] binder: 2132:2136 ioctl 40046207 0 returned -16 01:56:29 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:29 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x6d, 0x0, &(0x7f0000000080)) [ 1337.388166][ T2134] binder: BINDER_SET_CONTEXT_MGR already set [ 1337.412024][ T2134] binder: 2130:2134 ioctl 40046207 0 returned -16 [ 1337.416496][ T2142] binder: 2141:2142 unknown command 64 [ 1337.426060][ T2144] binder_alloc: 2132: binder_alloc_buf, no vma [ 1337.452196][ T2142] binder: 2141:2142 ioctl c0306201 20000780 returned -22 01:56:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xa, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4c}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 1: openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r0, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:30 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x6f, 0x0, &(0x7f0000000080)) [ 1337.496916][ T2150] binder: 2141:2150 unknown command 64 [ 1337.517419][ T2150] binder: 2141:2150 ioctl c0306201 20000780 returned -22 01:56:30 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008940, &(0x7f0000000080)) 01:56:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1337.606534][ T2156] binder: BINDER_SET_CONTEXT_MGR already set [ 1337.639495][ T2156] binder: 2151:2156 ioctl 40046207 0 returned -16 [ 1337.640050][ T2159] binder: BINDER_SET_CONTEXT_MGR already set 01:56:30 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x70, 0x0, &(0x7f0000000080)) 01:56:30 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1337.672420][ T2159] binder: 2154:2159 ioctl 40046207 0 returned -16 [ 1337.680257][ T2162] binder: 2160:2162 unknown command 0 [ 1337.700929][ T2162] binder: 2160:2162 ioctl c0306201 20000780 returned -22 01:56:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x10, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1337.721450][ T2167] binder_alloc: 2154: binder_alloc_buf, no vma [ 1337.734434][ T2168] binder: 2160:2168 unknown command 0 01:56:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x50}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x71, 0x0, &(0x7f0000000080)) 01:56:30 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008941, &(0x7f0000000080)) [ 1337.763868][ T2168] binder: 2160:2168 ioctl c0306201 20000780 returned -22 01:56:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x5, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x18, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1337.891344][ T2181] *** Guest State *** [ 1337.915366][ T2181] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1337.944399][ T2186] binder: 2182:2186 unknown command 0 [ 1337.955074][ T2187] binder: BINDER_SET_CONTEXT_MGR already set 01:56:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x60}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x72, 0x0, &(0x7f0000000080)) [ 1337.962107][ T2186] binder: 2182:2186 ioctl c0306201 20000780 returned -22 [ 1337.974132][ T2181] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1337.987495][ T2187] binder: 2183:2187 ioctl 40046207 0 returned -16 [ 1338.004667][ T2189] binder: 2182:2189 unknown command 0 01:56:30 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x80000000000894c, &(0x7f0000000080)) [ 1338.021134][ T2181] CR3 = 0x0000000000000000 [ 1338.027997][ T2189] binder: 2182:2189 ioctl c0306201 20000780 returned -22 [ 1338.059431][ T2181] RSP = 0x0000000000000000 RIP = 0x0000000000000000 01:56:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x68}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1338.089384][ T2181] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1338.118913][ T2181] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1338.158490][ T2181] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1338.194636][ T2181] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1338.224026][ T2201] binder: 2199:2201 unknown command 0 [ 1338.229845][ T2181] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1338.238799][ T2201] binder: 2199:2201 ioctl c0306201 20000780 returned -22 [ 1338.246923][ T2181] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1338.274782][ T2205] binder: 2199:2205 unknown command 0 [ 1338.286704][ T2181] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1338.298730][ T2181] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1338.312824][ T2205] binder: 2199:2205 ioctl c0306201 20000780 returned -22 [ 1338.322711][ T2181] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1338.352070][ T2181] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1338.370354][ T2181] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1338.395295][ T2181] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1338.434938][ T2181] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1338.475020][ T2181] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1338.503328][ T2181] Interruptibility = 00000000 ActivityState = 00000000 [ 1338.535365][ T2181] *** Host State *** [ 1338.539703][ T2181] RIP = 0xffffffff811b4980 RSP = 0xffff88806243f8e0 [ 1338.546400][ T2181] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1338.595100][ T2181] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1338.604024][ T2181] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1338.635030][ T2181] CR0=0000000080050033 CR3=0000000095e85000 CR4=00000000001426e0 [ 1338.655028][ T2181] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1338.669378][ T2181] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1338.677035][ T2181] *** Control State *** [ 1338.689272][ T2181] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1338.709294][ T2181] EntryControls=0000d1ff ExitControls=002fefff [ 1338.715587][ T2181] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1338.739351][ T2181] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1338.746839][ T2181] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 01:56:31 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x28, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:31 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x73, 0x0, &(0x7f0000000080)) 01:56:31 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008980, &(0x7f0000000080)) 01:56:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6c}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1338.769303][ T2181] reason=80000021 qualification=0000000000000000 [ 1338.776457][ T2181] IDTVectoring: info=00000000 errcode=00000000 [ 1338.789277][ T2181] TSC Offset = 0xfffffd30e36b7b48 [ 1338.794422][ T2181] EPT pointer = 0x00000000892da01e [ 1338.880610][ T2214] binder: BINDER_SET_CONTEXT_MGR already set [ 1338.887603][ T2213] binder: 2210:2213 unknown command 0 [ 1338.897199][ T2212] binder: BINDER_SET_CONTEXT_MGR already set [ 1338.909587][ T2214] binder: 2209:2214 ioctl 40046207 0 returned -16 [ 1338.917370][ T2213] binder: 2210:2213 ioctl c0306201 20000780 returned -22 01:56:31 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008981, &(0x7f0000000080)) 01:56:31 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x74, 0x0, &(0x7f0000000080)) 01:56:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x48, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1338.925996][ T2212] binder: 2206:2212 ioctl 40046207 0 returned -16 [ 1338.937609][ T2220] binder: BINDER_SET_CONTEXT_MGR already set [ 1338.944878][ T2222] binder: 2210:2222 unknown command 0 [ 1338.956899][ T2220] binder: 2209:2220 ioctl 40046207 0 returned -16 [ 1338.969255][ T2222] binder: 2210:2222 ioctl c0306201 20000780 returned -22 01:56:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xa, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1339.030668][ T2225] *** Guest State *** [ 1339.034706][ T2225] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:56:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x74}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:31 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x75, 0x0, &(0x7f0000000080)) [ 1339.116206][ T2225] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1339.133982][ T2233] binder: 2230:2233 unknown command 0 [ 1339.166047][ T2233] binder: 2230:2233 ioctl c0306201 20000780 returned -22 [ 1339.169429][ T2225] CR3 = 0x0000000000000000 [ 1339.173943][ T2236] binder_fixup_parent: 8 callbacks suppressed [ 1339.173953][ T2236] binder: 2235:2236 got transaction with invalid parent offset or type [ 1339.192357][ T2225] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1339.209356][ T2225] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1339.217775][ T2238] binder: 2230:2238 unknown command 0 [ 1339.223404][ T2236] binder_transaction: 46 callbacks suppressed [ 1339.223420][ T2236] binder: 2235:2236 transaction failed 29201/-22, size 64-16 line 3389 [ 1339.228247][ T2225] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1339.259319][ T2238] binder: 2230:2238 ioctl c0306201 20000780 returned -22 [ 1339.268848][T19558] binder_release_work: 47 callbacks suppressed [ 1339.268856][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1339.282511][ T2239] binder: BINDER_SET_CONTEXT_MGR already set [ 1339.289558][ T2225] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1339.309398][ T2239] binder: 2235:2239 ioctl 40046207 0 returned -16 [ 1339.329396][ T2225] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1339.344967][ T2225] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1339.345484][ T2240] binder: 2235:2240 got transaction with invalid parent offset or type [ 1339.366073][ T2225] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1339.388580][ T2225] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1339.393324][ T2240] binder: 2235:2240 transaction failed 29201/-22, size 64-16 line 3389 [ 1339.410846][ T2225] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1339.431972][ T2225] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1339.436508][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1339.453063][ T2225] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1339.473069][ T2225] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1339.495372][ T2225] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1339.529357][ T2225] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1339.549294][ T2225] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1339.559449][ T2225] Interruptibility = 00000000 ActivityState = 00000000 [ 1339.579311][ T2225] *** Host State *** [ 1339.595393][ T2225] RIP = 0xffffffff811b4980 RSP = 0xffff8880650e78e0 [ 1339.615233][ T2225] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1339.635176][ T2225] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1339.669338][ T2225] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1339.689274][ T2225] CR0=0000000080050033 CR3=00000000a533e000 CR4=00000000001426e0 [ 1339.709294][ T2225] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1339.729289][ T2225] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1339.736169][ T2225] *** Control State *** [ 1339.749284][ T2225] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1339.759454][ T2225] EntryControls=0000d1ff ExitControls=002fefff [ 1339.765635][ T2225] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1339.815071][ T2225] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1339.835205][ T2225] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1339.855049][ T2225] reason=80000021 qualification=0000000000000000 [ 1339.869310][ T2225] IDTVectoring: info=00000000 errcode=00000000 [ 1339.875584][ T2225] TSC Offset = 0xfffffd3048468d08 [ 1339.889266][ T2225] EPT pointer = 0x00000000a4c0901e 01:56:32 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008983, &(0x7f0000000080)) 01:56:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4c, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:32 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x76, 0x0, &(0x7f0000000080)) 01:56:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x48, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:32 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7a}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1340.011339][ T2247] binder_transaction: 12 callbacks suppressed [ 1340.011353][ T2247] binder: 2245:2247 got transaction with invalid offset (76, min 0 max 24) or object. [ 1340.027876][ T2249] binder: 2242:2249 unknown command 0 [ 1340.033691][ T2249] binder: 2242:2249 ioctl c0306201 20000780 returned -22 [ 1340.033861][ T2248] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.052184][ T2253] binder: 2242:2253 unknown command 0 01:56:32 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x8000000000089a0, &(0x7f0000000080)) 01:56:32 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x7a, 0x0, &(0x7f0000000080)) [ 1340.064403][ T2253] binder: 2242:2253 ioctl c0306201 20000780 returned -22 [ 1340.076423][ T2247] binder: 2245:2247 transaction failed 29201/-22, size 24-16 line 3242 [ 1340.099378][ T2248] binder: 2243:2248 ioctl 40046207 0 returned -16 01:56:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4c, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1340.129418][ T2255] binder: 2243:2255 got transaction with invalid parent offset or type [ 1340.141605][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.149008][ T2259] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.160700][ T2261] *** Guest State *** [ 1340.173975][ T2261] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1340.186242][ T2255] binder: 2243:2255 transaction failed 29201/-22, size 64-16 line 3389 [ 1340.198628][ T2259] binder: 2245:2259 ioctl 40046207 0 returned -16 [ 1340.198768][ T2260] binder: 2245:2260 got transaction with invalid offset (76, min 0 max 24) or object. [ 1340.215070][ T2261] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:56:32 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x7b, 0x0, &(0x7f0000000080)) 01:56:32 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x8000000000089a1, &(0x7f0000000080)) [ 1340.226720][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.226834][ T2248] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.249356][ T2261] CR3 = 0x0000000000000000 [ 1340.267268][ T2261] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1340.299353][ T2261] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1340.310624][ T2248] binder: 2243:2248 ioctl 40046207 0 returned -16 [ 1340.330187][ T2261] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1340.341592][ T2255] binder: 2243:2255 got transaction with invalid parent offset or type 01:56:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x60, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1340.356124][ T2260] binder: 2245:2260 transaction failed 29201/-22, size 24-16 line 3242 [ 1340.377004][ T2255] binder: 2243:2255 transaction failed 29201/-22, size 64-16 line 3389 [ 1340.390420][ T2261] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 01:56:32 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x7c, 0x0, &(0x7f0000000080)) [ 1340.413940][ T2261] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1340.435866][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.444510][ T2261] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 01:56:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x60, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1340.462818][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.474984][ T2261] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 01:56:33 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000040049409, &(0x7f0000000080)) 01:56:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x300}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1340.512141][ T2261] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1340.589536][ T2261] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1340.593781][ T2279] binder: 2277:2279 got transaction with invalid offset (96, min 0 max 24) or object. [ 1340.602510][ T2261] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1340.637252][ T2261] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1340.641204][ T2281] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.659430][ T2279] binder: 2277:2279 transaction failed 29201/-22, size 24-16 line 3242 [ 1340.671478][ T2261] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1340.682254][ T2281] binder: 2280:2281 ioctl 40046207 0 returned -16 [ 1340.698922][ T2261] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1340.707131][ T2284] binder: 2280:2284 got transaction with invalid parent offset or type [ 1340.719897][ T2261] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1340.721525][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.739278][ T2285] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.745295][ T2285] binder: 2277:2285 ioctl 40046207 0 returned -16 [ 1340.745509][ T2286] binder: 2277:2286 got transaction with invalid offset (96, min 0 max 24) or object. [ 1340.769346][ T2261] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1340.771285][ T2284] binder: 2280:2284 transaction failed 29201/-22, size 64-16 line 3389 [ 1340.789275][ T2261] Interruptibility = 00000000 ActivityState = 00000000 [ 1340.793237][ T2286] binder: 2277:2286 transaction failed 29201/-22, size 24-16 line 3242 [ 1340.808397][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.809275][ T2261] *** Host State *** [ 1340.820441][ T2281] binder: BINDER_SET_CONTEXT_MGR already set [ 1340.833583][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.839279][ T2261] RIP = 0xffffffff811b4980 RSP = 0xffff8880986678e0 [ 1340.843387][ T2284] binder: 2280:2284 got transaction with invalid parent offset or type [ 1340.858718][ T2281] binder: 2280:2281 ioctl 40046207 0 returned -16 [ 1340.871390][ T2261] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1340.872265][ T2284] binder: 2280:2284 transaction failed 29201/-22, size 64-16 line 3389 [ 1340.878516][ T2261] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1340.878528][ T2261] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1340.878543][ T2261] CR0=0000000080050033 CR3=000000008c093000 CR4=00000000001426e0 [ 1340.878559][ T2261] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1340.878579][ T2261] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1340.890426][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1340.944239][ T2261] *** Control State *** [ 1340.948951][ T2261] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1340.964251][ T2261] EntryControls=0000d1ff ExitControls=002fefff [ 1340.972969][ T2261] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1340.991712][ T2261] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1340.999112][ T2261] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1341.012763][ T2261] reason=80000021 qualification=0000000000000000 [ 1341.020574][ T2261] IDTVectoring: info=00000000 errcode=00000000 [ 1341.026731][ T2261] TSC Offset = 0xfffffd2fa9cf1796 [ 1341.037945][ T2261] EPT pointer = 0x0000000092a4d01e 01:56:33 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x68, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:33 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x80000004020940d, &(0x7f0000000080)) 01:56:33 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x7d, 0x0, &(0x7f0000000080)) 01:56:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x68, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x500}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:33 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0xc0045878, &(0x7f0000000080)) 01:56:33 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x2) [ 1341.156272][ T2291] binder: 2290:2291 got transaction with invalid parent offset or type [ 1341.178659][ T2295] binder: BINDER_SET_CONTEXT_MGR already set [ 1341.199379][ T2295] binder: 2289:2295 ioctl 40046207 0 returned -16 01:56:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6c, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1341.230178][ T2295] binder: 2289:2295 got transaction with invalid offset (104, min 0 max 24) or object. [ 1341.243106][ T2301] binder: 2290:2301 got transaction with invalid parent offset or type [ 1341.265632][ T2295] binder: BINDER_SET_CONTEXT_MGR already set 01:56:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x600}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1341.318933][ T2295] binder: 2289:2295 ioctl 40046207 0 returned -16 01:56:33 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x8000000c0045878, &(0x7f0000000080)) 01:56:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6c, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x74, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x3) [ 1341.448572][ T2313] binder: 2312:2313 got transaction with invalid parent offset or type [ 1341.458989][ T2317] binder: BINDER_SET_CONTEXT_MGR already set 01:56:34 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x8000000c0189436, &(0x7f0000000080)) [ 1341.498224][ T2317] binder: 2314:2317 ioctl 40046207 0 returned -16 [ 1341.507454][ T2323] binder: BINDER_SET_CONTEXT_MGR already set [ 1341.529564][ T2323] binder: 2312:2323 ioctl 40046207 0 returned -16 01:56:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7a, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x300) [ 1341.549711][ T2326] binder: 2314:2326 got transaction with invalid offset (108, min 0 max 24) or object. [ 1341.549805][ T2324] binder: 2312:2324 got transaction with invalid parent offset or type [ 1341.639092][ T2326] binder: 2314:2326 got transaction with invalid offset (108, min 0 max 24) or object. [ 1341.658888][ T2330] *** Guest State *** [ 1341.679041][ T2330] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:56:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x700}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x8000000c020660b, &(0x7f0000000080)) [ 1341.681062][ T2317] binder: BINDER_SET_CONTEXT_MGR already set 01:56:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x300, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1341.729330][ T2330] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1341.735781][ T2317] binder: 2314:2317 ioctl 40046207 0 returned -16 01:56:34 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x2000000) [ 1341.779314][ T2330] CR3 = 0x0000000000000000 [ 1341.783861][ T2330] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1341.813807][ T2330] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 01:56:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x74, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1341.840483][ T2330] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1341.866967][ T2330] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 01:56:34 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = syz_open_dev$admmidi(&(0x7f0000000040)='/dev/admmidi#\x00', 0x400, 0x202) ioctl$sock_bt_bnep_BNEPCONNDEL(r1, 0x400442c9, &(0x7f0000000100)={0xff, @random="60096814d56a"}) ioctl(r0, 0x800000000008988, &(0x7f00000000c0)="e8c0b970b74297980b2019c36d9debdbe8a584999b24a8eac5f241791610718980503d") [ 1341.898218][ T2330] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1341.959609][ T2330] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1341.985851][ T2352] binder: 2349:2352 got transaction with invalid offset (116, min 0 max 24) or object. [ 1341.989354][ T2330] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.025104][ T2354] binder: 2349:2354 got transaction with invalid offset (116, min 0 max 24) or object. [ 1342.032846][ T2330] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.055584][ T2330] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.096273][ T2330] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1342.108180][ T2330] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1342.128131][ T2330] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1342.137121][ T2330] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1342.153245][ T2330] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1342.162429][ T2330] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1342.174701][ T2330] Interruptibility = 00000000 ActivityState = 00000000 [ 1342.186013][ T2330] *** Host State *** [ 1342.193918][ T2330] RIP = 0xffffffff811b4980 RSP = 0xffff88808f6478e0 [ 1342.202721][ T2330] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1342.213845][ T2330] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1342.224516][ T2330] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1342.235163][ T2330] CR0=0000000080050033 CR3=00000000a056e000 CR4=00000000001426f0 [ 1342.244938][ T2330] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1342.256545][ T2330] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1342.265702][ T2330] *** Control State *** [ 1342.274071][ T2330] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1342.296400][ T2330] EntryControls=0000d1ff ExitControls=002fefff [ 1342.302758][ T2330] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1342.317263][ T2330] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1342.325022][ T2330] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1342.338248][ T2330] reason=80000021 qualification=0000000000000000 [ 1342.345697][ T2330] IDTVectoring: info=00000000 errcode=00000000 01:56:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r2, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 01:56:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xa00}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x500, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:34 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x3000000) 01:56:34 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000000)={0x1, 'veth4_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7a, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1342.357904][ T2330] TSC Offset = 0xfffffd2edd3a31c1 [ 1342.363279][ T2330] EPT pointer = 0x0000000099fbf01e 01:56:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x600, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1342.452318][ T2365] IPVS: stopping master sync thread 8002 ... [ 1342.469788][ T2361] binder: BINDER_SET_CONTEXT_MGR already set [ 1342.476334][ T2361] binder: 2358:2361 ioctl 40046207 0 returned -16 [ 1342.477197][ T2366] binder: BINDER_SET_CONTEXT_MGR already set 01:56:35 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x200000000000000) 01:56:35 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) socketpair(0x4, 0x80a, 0x2, &(0x7f0000000000)={0xffffffffffffffff}) recvmsg$kcm(0xffffffffffffffff, &(0x7f0000001440)={&(0x7f00000000c0)=@hci={0x1f, 0x0}, 0x80, &(0x7f00000013c0)=[{&(0x7f0000000040)=""/23, 0x17}, {&(0x7f0000000140)=""/87, 0x57}, {&(0x7f00000001c0)=""/36, 0x24}, {&(0x7f0000000200)=""/236, 0xec}, {&(0x7f0000000300)=""/4096, 0x1000}, {&(0x7f0000001300)=""/112, 0x70}, {&(0x7f0000001380)=""/1, 0x1}], 0x7}, 0x20) ioctl$sock_inet6_SIOCSIFADDR(r1, 0x8916, &(0x7f0000001480)={@dev={0xfe, 0x80, [], 0x18}, 0x7c, r2}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1342.514779][ T2366] binder: 2355:2366 ioctl 40046207 0 returned -16 [ 1342.545484][ T2370] binder: 2355:2370 got transaction with invalid offset (122, min 0 max 24) or object. 01:56:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x300, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1342.619919][ T2369] *** Guest State *** [ 1342.623944][ T2369] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1342.654578][ T2369] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:56:35 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x300000000000000) [ 1342.686905][ T2369] CR3 = 0x0000000000000000 [ 1342.702853][ T2369] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1342.733844][ T2369] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1342.751380][ T2384] binder: BINDER_SET_CONTEXT_MGR already set [ 1342.751644][ T2369] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1342.780611][ T2384] binder: 2382:2384 ioctl 40046207 0 returned -16 [ 1342.791063][ T2369] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1342.819795][ T2369] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.839584][ T2369] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.859312][ T2369] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.876566][ T2369] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.896581][ T2369] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1342.908234][ T2369] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1342.923945][ T2369] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1342.933760][ T2369] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1342.948441][ T2369] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1342.958746][ T2369] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1342.971935][ T2369] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1342.983148][ T2369] Interruptibility = 00000000 ActivityState = 00000000 [ 1342.993172][ T2369] *** Host State *** [ 1342.997162][ T2369] RIP = 0xffffffff811b4980 RSP = 0xffff8880608b78e0 [ 1343.006994][ T2369] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1343.017350][ T2369] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1343.028902][ T2369] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1343.038568][ T2369] CR0=0000000080050033 CR3=00000000a8286000 CR4=00000000001426f0 [ 1343.052464][ T2369] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1343.062010][ T2369] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1343.069029][ T2369] *** Control State *** [ 1343.078185][ T2369] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1343.087703][ T2369] EntryControls=0000d1ff ExitControls=002fefff [ 1343.097917][ T2369] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1343.107637][ T2369] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1343.119053][ T2369] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1343.128423][ T2369] reason=80000021 qualification=0000000000000000 [ 1343.143504][ T2369] IDTVectoring: info=00000000 errcode=00000000 [ 1343.152697][ T2369] TSC Offset = 0xfffffd2e5b6f3c41 [ 1343.158174][ T2369] TPR Threshold = 0x00 [ 1343.167037][ T2369] EPT pointer = 0x0000000091f1001e 01:56:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x700, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2800}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:35 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = syz_open_dev$vcsa(&(0x7f0000000000)='/dev/vcsa#\x00', 0x3, 0x8000) ioctl$VIDIOC_S_SELECTION(r1, 0xc040565f, &(0x7f00000000c0)={0x5, 0x103, 0x7, {0x1df, 0x20, 0x27e9, 0x2}}) ioctl$IOC_PR_PREEMPT_ABORT(r1, 0x401870cc, &(0x7f0000000040)={0x8, 0xffffffff, 0x60b3, 0x7ff}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:35 executing program 0: r0 = socket$unix(0x1, 0x1, 0x0) r1 = syz_open_dev$midi(&(0x7f0000000040)='/dev/midi#\x00', 0x6, 0x10000) getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(0xffffffffffffff9c, 0x84, 0x76, &(0x7f00000000c0)={0x0, 0xf7}, &(0x7f0000000100)=0x8) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r1, 0x84, 0x6c, &(0x7f0000000140)={r2, 0xec, "154410e26171a8b5c28517f946dff90af79e54854ccc006b5928f4bb059064539da06bb7f5d7c3863f30fbc6696e3e6363cdd108c454991b4e6bea2bac359d3cc9ca1cba59c30cc0ae0ae24c0fa6b0533bdf4785441239c2c95ed84271e24d7e47b7b9c83f0f1dbb4d7e1614d4ba21e54c38ecdd842341fdc94782abfc3439ff649f143838e3471eb4901b81876ddc8589038c8c31eb87b2eb50a9af9d2b81f2173984401e86ff7f35b5f119906eec05f81333d2fff37ec5fda2773808cd1d084b0cc0c40e62c299cb632fbf37dc08d8b6f1a5d860b8295669502294b2b439ff8d0e78b18d92fbe076733bf4"}, &(0x7f0000000240)=0xf4) ioctl$IMDELTIMER(r1, 0x80044941, &(0x7f0000000280)=0x2) ioctl$FITRIM(r0, 0xc0185879, &(0x7f0000000000)={0xff, 0x80000001, 0xfffffffffffffffc}) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r3, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x500, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:35 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f00000000c0)=0x178) [ 1343.312793][ T2397] binder: BINDER_SET_CONTEXT_MGR already set [ 1343.334823][ T2397] binder: 2389:2397 ioctl 40046207 0 returned -16 01:56:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xa00, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:35 executing program 2: r0 = semget(0x2, 0x7, 0x400) fstat(0xffffffffffffff9c, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000000500)=0x0, &(0x7f0000000540), &(0x7f0000000580)) stat(&(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x7, &(0x7f0000000680)=[0xffffffffffffffff, 0xee01, 0xee01, 0xffffffffffffffff, 0xee01, 0x0, 0xffffffffffffffff]) semctl$IPC_SET(r0, 0x0, 0x1, &(0x7f00000006c0)={{0x4, r1, r2, r3, r4, 0x0, 0xffffffff}, 0xffff, 0x9, 0x9}) r5 = syz_open_dev$vcsn(&(0x7f00000002c0)='/dev/vcs#\x00', 0x7ffffffc, 0x800) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r5, 0xc02c5341, &(0x7f00000000c0)) r6 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000280)={0x2, 'veth0_to_bridge\x00'}, 0x18) r7 = openat(r5, &(0x7f0000000000)='./file0\x00', 0x1, 0x10) ioctl$SG_GET_ACCESS_COUNT(r5, 0x2289, &(0x7f0000000080)) bind$vsock_dgram(r5, &(0x7f0000000240), 0x10) ioctl$VHOST_GET_VRING_BASE(r5, 0xc008af12, &(0x7f0000000200)) r8 = socket$inet(0x2, 0x2, 0x9) ioctl$sock_inet_udp_SIOCOUTQ(r6, 0x5411, &(0x7f0000000300)) ioctl(r8, 0x800000000008982, &(0x7f0000000080)) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r5, 0xc08c5335, &(0x7f0000000140)={0x7fffffff, 0x1000, 0xa0000, 'queue1\x00', 0x1}) r9 = syz_genetlink_get_family_id$tipc(&(0x7f0000000380)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r7, &(0x7f0000000440)={&(0x7f0000000340), 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x24, r9, 0x800, 0x70bd29, 0x25dfdbfd, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x7}}, [""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000000}, 0x40) ioctl$PPPIOCGIDLE(r5, 0x8010743f, &(0x7f0000000040)) 01:56:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x600, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1343.364228][ T2397] binder: BINDER_SET_CONTEXT_MGR already set [ 1343.421347][ T2397] binder: 2389:2397 ioctl 40046207 0 returned -16 01:56:36 executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFBR(r0, 0x8940, &(0x7f0000000140)=@get={0x1, &(0x7f00000000c0)=""/75, 0x1eb}) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x80000, 0x0) getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(0xffffffffffffff9c, 0x84, 0x76, &(0x7f0000000040)={0x0, 0x200}, &(0x7f0000000180)=0x8) lsetxattr$trusted_overlay_upper(&(0x7f0000000540)='./file0\x00', &(0x7f0000000440)='trusted.overlay.upper\x00', &(0x7f0000000480)=ANY=[], 0x0, 0x3) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r2, 0x84, 0x5, &(0x7f00000001c0)={r3, @in={{0x2, 0x4e20, @rand_addr=0x6}}}, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) sendmsg$nl_crypto(r0, &(0x7f00000003c0)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)=ANY=[@ANYBLOB="1000507029e1f36f974de07000fcdb0026000000009900000000"], 0x10}, 0x1, 0x0, 0x0, 0x48001}, 0x40) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000280)={0x7, 0x3, 0x8204, 0x7, 0x9, 0x7, 0x9548, 0x0, r3}, &(0x7f00000002c0)=0x20) [ 1343.480289][ T2402] *** Guest State *** 01:56:36 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008980, &(0x7f00000000c0)="60935edadc8ac537619af90301762f9d01755a58108c600916623aa27d7794b3906df8470df61273ea7fb88060ff9254018ab2507cf8d88763949f5c5b8ce5d537736880392ef76085d6") r1 = socket$tipc(0x1e, 0x2, 0x0) openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000001380)='/dev/btrfs-control\x00', 0x200, 0x0) sendmsg$tipc(r1, &(0x7f0000001340)={&(0x7f0000000000)=@id={0x1e, 0x3, 0x1, {0x4e24, 0x1}}, 0x10, &(0x7f0000001300)=[{&(0x7f0000000140)="bdf37ef137de804b4252fe1dded5cdace6fe33075429dce8dc298df68df499ff4cdd8ca02cc789cf4621511747f506749ec0d041b47b4757690704d0b2434303ec6e4a02c784cde71c64e61ce997e584dde66ec83bfeea34a83018665aef70a9c54ca4838beb52c4aa3d951618024e7efa1b7ce6c8369fdcb380b2c8f0d627db24fa5712810be92291b862d9d017f595eb3d75d465e87d32463e", 0x9a}, {&(0x7f0000000200)="75871e8eb07ec6f80ab44d7279273fdbd2c8c5e637734143ee46c6f8c66495fc4715724965e0c2c02917cf6edbc2fe58325194b02e53584e5a37a38f73e35075a628d7f0de67df8fcb1d373a0f74a90b75ac0bc5e8c92ce7b6401eff0afd2407bc0ed6af46d5c09e1c1ed59798dbbd8baf97d197febe93be9333f05af1bd4887b85124e11c424f6c87f1a40c518980038adaa36ae1eeb76a1c2ccbd6d07caada20a5ad99fe62764866e8d6dd46ac2d171770c91cb23edde0a332d45c7f0c48cad1c3f7ed69f6925ba8d435696bff4f", 0xcf}, {&(0x7f0000000300)="56c9156e538fbabb04486d97845ac7a27e0581f7f21a17ad4b2a09040ca5a1b1bf44ac07a43cf327151dcf40b76ca6d78470262779ff0b9ca1b0af8cde3edd854d37adf85e5a796b8e3a9d319f6f45cf881bd6f96597e468d0838b3f81592d82e3493b53c99ac4683b3e65eccbee787944f5dc18c4b8e2b911801a381bb2109f2cd8660d05e005267647c76f7ec06db04e893c7c7cbc54af872bf61d710e87758e36afd929c129cf6e518f7063211f4ff32c24e493ca32fcb32988e91ece5e15e44e60a94f11f6b9f358f992d07d67f7ddfed72baaf7e821964d85340ab981dacf08ac2d2a6977c1d8ba5e4a30dfe0b12ebc9ba475bb60ee74275a9ceb1d987eaaf520714abc3791b15ff7618d44e842993356b59a1a198902269a84de7a613c403ed5c2ac6d626e16532edab750e8a59d2e8eaece2809da447904ec2a4f522bb46bdfef6278ea4044d2c816e6cdaf874b99dc31834aad3e16cbd0b449a1bdc4c9a497bcc19c37c11b50365430588009a7dea14dd5d484e7f9f3a03fbce2e40d65826ab17ead3614ff50e32907913a2f2ddd572d050f945398ef6f064b5089339685fc7dc06b031ba74d908b19b824f9bef317729953d9f83d4a148ec89672b40022807c33ee01d58c270dd95ec4f73506c2b540391a2e2df302cda29e462973bcc6c7041260370721a14baa3cc6c8578916dd6dcc47874d5970951bd5e076b1492c7b2e6209ef504866e4a323a36fbd5fc63870ddd1addb9e02e97764171f8bad7a220d20b747e460d2a2455efe200fd63fa14c0b1256394b5dff5bf2cfc0b1c2506c6c8e715bde37c3864cb7fb1249181e62724a0a4d1faaafd118652a1a065160082fc13e05b1878363550f11443cc94b9c8ad7d84a82eb255543f9d109404e54e5458ac9fc9905c93457ac63ba687e8ba9e3b0894ad7c4aedcc168e5168767dbd5b6877f7b228e36200e76901f124e6c7f6215a5d3d39f338d11e5473b0842fa47e00c5ebb1536a336e07d400fb6a9dd3a453515a71256a65f298b6f64230e6dd0ba203e41a575bb724b630cf677fcf84344c16710bf3317bebcb9c33b568e39ef072ff517f69fe8e1f93cf52f6ade6e110ff99505a37ad14f037182b9530bc0708781d48aa0349795b9f5cc0efd8a85a5cd0408d9de32e606adffe0d8f017826cccb683d42ef3aaa72f3ad281ee6e5df4e228ef60d0059260726a4f7abc3f398fac2e819bfe7fa1115f5d4d6db33aa716a34adac708d7210841cf704d847a9e0e48f8394761d61a000c93e277a76edc02b46e94a4401309b65ea7fe8e6ed45d7b0b5c9bca8fa98dc4c38f176d6221430d580035be91ee5eea6ab03454e9b6e62941fe4c66ef24d588bd696551e3e6e3481db59145b408d7e2f3c2614e7538138eb8f36b2aa66239cf67bac59e9100669ad6cab492d994e4c2bd9cec3f8cfdf97604b0c483b80dc3a3d875debcfa4aa5ab885a08ee5540b377a98fafa92f8c5feb44fdfb6a92ca87aaaec868b8bf16c100a9a2b0027ea3013934ff1e3fcac35189b82d3b0ffa7f7d914374c7376206f5f038143dd02d9f88c57d0fb184ca1be98c57ec1740a836ea358416da0cd98377a96d7edc5d3901681975767dd91b2e5db5365a91be28da7a676740f08023c31ceb195b4e7293bed576f3db549339f7db489126c972db049a566d5ab947a68d36d0c515a9ba743e7ba529edaa1ebec22973ce9706e6451551b3f97bf4701e345370001a48cf52157918818f73a59f37cc28d2e6b12a4a7e3d2f8f567ccacd00e1f73f423d42ee553efb384dd14d056dd51c225645d7200fb5f3384dbcfe8ef87d5b8ba9839722eb9ad58820b0e6fff59285b8e7151d25f87793f4ea9f65530cc6a42059a50dc1382ab1361d2c8cc62de77c21e8e355773a154d9d41f5963bc306964a203efa42123e394a06af1ec69cf5fc1f2d2b346f16808102723e1b62392cf986ecf2baba7a86eea706cf2e189af4fe2b41097d91d096210e42847a63a0d32ab93f336ff00ee127664719e097a630e9a19d307c653d6505b0c55c430297ecbe71808699786d650cc1bcd47686df1de2fe47b1a739164fda03775b5d5865d9ccbda85f0ebe671e93836ac979ebbd429c683a61aaa56c1686ab63061a147c3a8097678af23e53349bd68de4eb9e2b7ced53da0cccec7c1a028a50ba336e497b2e1d5714d7c67ef91fa36ca2a5b57421be5ad80f73bcf773573fee7294cde23daf3a492cca26fcdb6a565639149e679a7e988c834b70fa08926bfcbcbe8c2cc7bd46d57abce95cfcd2e98981829434390b460ea3f60706b617ae28c2aa696b477e56281c8074238d2a11b11c6ea7c12470f681578484422434b60fbe8f44d99b9da1db438820930acb212d814f3db5298c58f54e2eef6e9f249c2e7f7ce68c9669fddf6d5d1cee02e3146249275eec2344aa88c02fd063a3e9229bc9aefafe898a61dba5eaa8a22fc5508050768bb51a10274e6787e939ce85d473eaec3c07a85cf7b7adf5687ae20962fff74012efc5cba660da65f6d9aaa1f590d48b79d5fb4102fd95810b672144ef346e78f698bc49c5243e59ec1831f39b97dcc0da08e522d9a3a76289350ff5e7b29411cc990b1095ec747649632c6ac1d3200615805ed9c0d6cf72a1aff540df3d49c22b6249e9138cad9bcc9f4f3420a6870f7b1190c5b4caa6c5e2a2db3f385f0fc19ffbf100656c464179ecb78214b0176f7b6e6644ca9b8f18bcaff35a52e29c85bc2c55bc868430bbc236e0a70c17c3bd12444b74ac96f090412ea7ea2a4c4c4518dc89b6972813dd749c700555537dac618be5a9319c427ba956514aeff2c9e148eefcb4cc6a5836bb3fc43d07d4fab4165fdfd44f5bbe5896cb6135cded5481926df049f927341332ce8093cebf43f9d7ffae364c2cfa52d35ce56b5ec9075b6a96b8fa89b4a4ce985b4125bb4b92c6ded06579f12433fcc00aabb45d6411c77d1da44e5c3a4d4cce9fbcbb59edcca88e0619a27720deb2ca7dfe02f7a6bfbe31916db2b4cda3bbeebbb180909a71b80ba791674027637319c6bff2a1c34c3c849dd0ea9dc43d62bd55fa1a2daaf4dda4ddaa2c4a91376c3d54560dd84ec4b5d615edfed14ee7ff13c5415f560fa028b283e99c9201411a17be09ca308e9958f24c4f9282508df896f7465613edf6b5b1605adfdeb3a8870102c681b772c2256d85fcdb2a8920c7bdcd8a075aae810ebbe48c9e8f10f279c9c60be56a8924386940eb37ca9d8aadc636f0fd644c693b0e29d6ed286785500235b194f518e6a1e5fa4358be0c5ccab67645080628780259f42019d52e9f4d71c72192a50bc11e7cf9e08cc859ac1c358f907f2847504ecf267a9c050a2fb5c7b1a81ebb502ddf9853d2c0035185d58b741ff493cc3138932dd270af494faf2210ffa1b4ff126851c8f0568b7f814f8b4bb95a8a7e8427456abfa98d4426c798cc4be1cdc1bcc076b0ed4018be0880d06abf18e1f854d93635efadd4a0c089af0905209ca0d1cc8bfb6dfd28409c0eb966f32a70b89e14698211045c29166f9a72377eb622af96b1a261bf4c24f42174b885db32cee13d93d4cac677b9a2dd76b028ddeaf6333e3a10a11323c0cbb4b0aa6d18fc2e46367db5b498ceba2ecbdb6e201b49b092821797df6d163b45faec723a07e873c5472dcba475f40187052008c035fad00ac1f156a8ed832e655a8c350529679fc0d87d5bcd2fe886b142e897c45d6d7cc9e3bbc06f73c4391d6284474477defe4a04de468a1eecfea4593171e07ebe9a279bcf4b275c245418e70a6435bbec46c6f138b741e27bbe7b415a370017bf9b450144eab81ce4db91f5665488a4ce9a6a4ac790536460f771d2fdcf6cb7bea0b7866aa4e7a37b785baf45618996ba0e59dd731c62ae248bb4b6d4795994edbcf522b13a6caec99a8bd3c5948d6428abff54745bcfab5083913276cbc65d29f684b85380d29b155fb9b5a2b80f7fec8a1fe5c224ac341464dae373b9749ea696863883cd4837e95bb3c5c321c43408406643e27177be20bec346fcb3f4f179aa9832cd29a6cffe15c945d3ab0f1ae47bdec5a57df438fd76a82e21971a70b28bd82919699397cd72337879d89428aad6b8d70d91ae98db49891f9736dc3a90c4a030ff219f492b48c85acf7779e6a6369c8190f065fd8ac3a189af2cf6dbc7ae6542ea18430a3b28dbb1d0eab6295e10ea1527be86be26149158a60f7343f5fc79039e995056b6e6ccfd471dc30083efd94bb43d1497edcb277ebf44023e95cd76aba56373ee2da5db40028ed4e41271e33a8d71e3faf3ef6124a010765a26e46b7604619ce7695803619c36e3a7567ed0baee432ea73bd5e869bfa8d8ac20be56aae12f21d575b173944a66e3e45744aaf0ba94d1a460ffcb4d37faa07b56b8d617e64331c3e314e037ff828f26c05be72b0797f01e89a0f240f5fb88f91117ba19d6479117f9c92b58d98eb0179ef8c255dfce026152fb3e0fe69af3ddd93c59cf6fedffc4d320447692d23dc4ad550ccdfba496934ab24ee96290ad74b7b0f78dd738dde92bef1e2ebeb4555d7b8787e39eb8482c90ed6bc348954823a528f4a5d597324af7447615a0eb8651413f01574a28b83d555a3ffe6f279b829bab8ba897db9939eb05b332e2f500ef855cbfae62e745efaca9e7357702a5938058732824458dc8d584e5c87928b544f4912f330757c6fcdedb2b013009eda2480e053a5ed5e7aa2097852dca483e93ba799bc9c743de46602967470ea3fbd1a14c675c2b27439a3fecd390e2c45fc826560c4b73b5ef824774475702c5dfb91c44143bacd933057e425694f8057b758430fc7c3d837ba57cd4ac9e114d2d56ad253045232706ecbd05c00131abcefb1d3f7f3c41e6ab1f839767412a86c3b76f4688daf7a27395a814f7219572ab91ef95769d0bcc71da5fd31e3fc6d92407e853b1a04c3150159ec465e49bddbef2fa5e000137832f0e9481630e4b7c261616e1700179e971e3861eb50f75e80e42b8372c1b98fdd924fd8c8e625ed9d0c79eea9ea9c7a6f28117885bb7202e2b04a36a6e9be7ab04b4dd66dd8bd7ec6baa416d94cdcc57ae7de3abd9721ef4097091215ab978736dd47547154472cd87d4613125412d3a320bec3b6969d6e2870e428587f4cd0f22368aa01074a1581e86ad91cd10ac0f9c59db4ad5e38de66d3637ecff027eda816edb66ab153cd1b19b33dadadeab5f58f057ef69f605f432859b5816ebd9f4cc66ec8853f8fcd12624b3f457668072aa8e3464cf66c3b9ac831257728f71e8c1fc359b54ed1d1e6cbca8aaaf4ce49ce46aa38a2cf7ce76f0c3ffaaa9916e4f93a311dcd44b7e8eba972f542d6fee3648032fd9f8f6e08941d46c23af6ba50f7dbc96d40718a0235cc5f2afc5045476e605141cba4d17b3374b4e25cd3c620fd2826e834ba44d6952d12c980f43331af6fcf8537c7d775e3eadea43c4def6849503d723a9489aba76a41c1ccaf29412ad58d92979f83a72bc0c3020df8729722adfb5d371e16c7c760767b6aeac3a5bd7f7ba6f69899d569d1317dcc5d467730c7b34064c06ec7a88b5443c275dd86585a1066094765e7b646c15cea4a22189a5b81abf37779a01c6d4d102b441121d8f0b53bf1936bc5c9a4c7bc03fca1b6ff4f1037bbbd22ca372c9c827921e69a4ee3f3f8c304cf29893f0eca526eccf6042603f50293d45fccc9ee930f0ccb8743b51a8d1de06f64c8ad8d7af906e559a56cb9b961a227ca340b01af4fda60e", 0x1000}, {&(0x7f0000000040)="d08df69d8a4bb44c5b694dd1d0c65145d8335b80263bba209fffc51a6eb3257047d367e781", 0x25}], 0x4, 0x0, 0x0, 0x200000c0}, 0x40) [ 1343.509427][ T2402] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1343.546169][ T2402] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1343.594671][ T2402] CR3 = 0x0000000000000000 [ 1343.606458][ T2402] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1343.639378][ T2402] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1343.646929][ T2402] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1343.657888][ T2402] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1343.667176][ T2402] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1343.676396][ T2402] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1343.685301][ T2402] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1343.694290][ T2402] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1343.703294][ T2402] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1343.712203][ T2402] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1343.721116][ T2402] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1343.730884][ T2402] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1343.739866][ T2402] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1343.748688][ T2402] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1343.756007][ T2402] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1343.764357][ T2402] Interruptibility = 00000000 ActivityState = 00000000 [ 1343.771537][ T2402] *** Host State *** [ 1343.775586][ T2402] RIP = 0xffffffff811b4980 RSP = 0xffff88805e05f8e0 [ 1343.782623][ T2402] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1343.790006][ T2402] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1343.798647][ T2402] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1343.805461][ T2402] CR0=0000000080050033 CR3=000000008a1e8000 CR4=00000000001426e0 [ 1343.813398][ T2402] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1343.820949][ T2402] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1343.827842][ T2402] *** Control State *** [ 1343.832180][ T2402] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1343.839765][ T2402] EntryControls=0000d1ff ExitControls=002fefff [ 1343.846097][ T2402] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1343.854070][ T2402] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1343.862656][ T2402] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1343.870133][ T2402] reason=80000021 qualification=0000000000000000 [ 1343.877308][ T2402] IDTVectoring: info=00000000 errcode=00000000 [ 1343.883645][ T2402] TSC Offset = 0xfffffd2de2ac16ac 01:56:36 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3800}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x2000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1343.888800][ T2402] TPR Threshold = 0x00 [ 1343.893047][ T2402] EPT pointer = 0x000000009a2c801e 01:56:36 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = dup(r0) write$P9_RLERRORu(r1, 0xffffffffffffffff, 0x0) statx(r1, &(0x7f0000000000)='./file0\x00', 0x100, 0x410, &(0x7f00000000c0)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6_tcp(0xa, 0x1, 0x0) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r2, 0xc028660f, 0x0) bind$inet6(r3, &(0x7f00000000c0)={0xa, 0x4e22}, 0x1c) listen(r3, 0x0) sendto$inet6(r2, 0x0, 0x0, 0x20000003, &(0x7f0000000080)={0xa, 0x100000004e22, 0x0, @loopback}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r2, 0x6, 0x1f, &(0x7f0000000080)='tls\x00', 0x232) r4 = dup3(r2, r3, 0x0) setsockopt$inet6_tcp_TLS_TX(r2, 0x11a, 0x1, &(0x7f0000000100), 0x28) setsockopt$inet6_MRT6_DEL_MFC_PROXY(0xffffffffffffffff, 0x29, 0xd3, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(0xffffffffffffffff, 0x84, 0x65, 0x0, 0x0) sendto$inet6(r2, &(0x7f00000005c0), 0xfffffffffffffd47, 0x0, 0x0, 0x0) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000480)={r1, 0xc0, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280)=0x1, 0x0, 0x0, 0x0, &(0x7f00000002c0)={0x8, 0x8000}, 0x0, 0x0, &(0x7f0000000300)={0x1, 0x8, 0x98, 0x6}, &(0x7f0000000340)=0x6, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000380)=0x92}}, 0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r5 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000580)='IPVS\x00') sendmsg$IPVS_CMD_NEW_DAEMON(r4, &(0x7f00000006c0)={&(0x7f0000000540)={0x10, 0x0, 0x0, 0x80804}, 0xc, &(0x7f0000000680)={&(0x7f00000005c0)={0x94, r5, 0x400, 0x70bd2d, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x6773}, @IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'ovf\x00'}]}, @IPVS_CMD_ATTR_SERVICE={0x18, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0xa, 0x4}}]}, @IPVS_CMD_ATTR_SERVICE={0x54, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x20, 0x2}}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x2, 0x8}}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@loopback}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x2}}, @IPVS_SVC_ATTR_PORT={0x8, 0x4, 0x4e20}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x8}]}]}, 0x94}, 0x1, 0x0, 0x0, 0x5}, 0x4044000) getsockopt$MISDN_TIME_STAMP(r1, 0x0, 0x1, &(0x7f0000000040), &(0x7f00000001c0)=0x4) getsockopt$inet_sctp6_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000780), &(0x7f00000007c0)=0x4) epoll_pwait(r1, &(0x7f00000004c0)=[{}, {}], 0x2, 0xffffffffffff8000, &(0x7f0000000500), 0x8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000200)={0x0}) getsockopt$inet_int(r1, 0x0, 0x13, &(0x7f0000000700), &(0x7f0000000740)=0x4) ioctl$DRM_IOCTL_LOCK(r1, 0x4008642a, &(0x7f0000000240)={r6, 0x2}) 01:56:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x700, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:36 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = open(&(0x7f0000000000)='./file0\x00', 0x6200, 0xa) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x101000, 0x0) ioctl$BLKBSZGET(r2, 0x80081270, &(0x7f0000000140)) setsockopt$IP_VS_SO_SET_EDIT(r0, 0x0, 0x483, &(0x7f00000000c0)={0x84, @multicast1, 0x4e22, 0x0, 'dh\x00', 0x1, 0x2, 0x47}, 0x2c) ioctl$EVIOCGBITSW(r1, 0x80404525, &(0x7f0000000040)=""/64) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000100)) [ 1344.011489][ T2429] binder: BINDER_SET_CONTEXT_MGR already set 01:56:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xa00, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:36 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x100000000, 0x20042) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r1, 0xc08c5335, &(0x7f00000000c0)={0xc9, 0x8001, 0x6, 'queue0\x00', 0xb20}) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) sendmsg$nl_netfilter(r1, &(0x7f0000000440)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x400008}, 0xc, &(0x7f0000000400)={&(0x7f0000000180)={0x270, 0x2, 0xd, 0x2, 0x70bd2a, 0x25dfdbfc, {0xa, 0x0, 0x5}, [@nested={0x58, 0x3c, [@generic="3b71e1783dc6e94d4524fef029a4d2428d6eefdea24c8dd9d5734bc69fb5a38b09568880c40b2cb6ff9e61c5b2b4d8fb6169aeb2811985af4d3b0708db15739eb5b6eb22458ba016c119c813d155132570"]}, @generic="a1918ab27e9d13246214e079fff281e67dc1394306334b656564958ad02977bf080432dd282d0e8915eed1102ceef924a31d3860e733fc", @nested={0x90, 0x45, [@generic="192b3a6101e8821149956f69a55bf1e06b59881fe130f84b536aab412ee750912fe7f33286367269edfe0cf9307fd5f12c06ea3d28814ff3ef7b99abec137d0e5467f1716eab4ee8f4031cf78592b1157045f9427027c3b6e8ebbb1449a9a553fe082b22163301147a3a31ccf223d3db01ed7e98cee592eb8cd576e4d402f26bf58ce6c62f1ef7dac9582b73"]}, @nested={0x60, 0x15, [@generic="29f58846de7adfdb70e6352c9936e457ae99da4bc8e0e8d8d8b8646aa30f10140a4545678253087edd3b5545f186bc219f77506f0580f8e929827bb03ae6eab45ae850b124ef", @typed={0x14, 0x4e, @ipv6=@empty}]}, @typed={0xc, 0x53, @u64=0x1}, @generic="35494e51d75b0a4ff3d941af5b26bddc7ef647b07a7635d041a4e73948ae84a54046f9f183d5ef82967a034001a5ab622e92633b6a3d931cadc16219b94836cff9d4e847a52e056533f6c25af9aab6a4aaa5d72747b43f0a5e8f12df14b4bc86ee43ade34b65188c2874e7a82bace80785d6cf85cd2dfbd206fa33a540e2a94f41adf24c5e0a6cea5c74f80de6f31958e573a417cd2c1a07fa82272554d1d40d5de1d1841feb51a94d16f3de00f43e187a487c3512bd015413107286e24ff677d445f04e2f3c2eb6acf54b82f583"]}, 0x270}, 0x1, 0x0, 0x0, 0x40000}, 0x8810) [ 1344.055741][ T2429] binder: 2421:2429 ioctl 40046207 0 returned -16 [ 1344.061932][ C1] net_ratelimit: 6 callbacks suppressed [ 1344.062019][ C1] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. 01:56:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4800, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3f00}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1344.157642][ T2436] *** Guest State *** [ 1344.179894][ T2436] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1344.219396][ T2436] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:56:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4c00, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:36 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) sendto$inet(r0, &(0x7f0000000000)="c6ef413cdbac5cdddaeff3990d4d10c9f3d596b99c1d66964eaaacf5e667bcf8f51991fc2eb4306e4c0b6819ea2c60631849dcb692c84e663175e5c39ed949b0bba4d9bb2f2b45df844d2d3ce83a5417214a2c", 0x53, 0x0, &(0x7f00000000c0)={0x2, 0x4e24, @local}, 0x10) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1344.277304][ T2458] binder: BINDER_SET_CONTEXT_MGR already set [ 1344.279338][ T2436] CR3 = 0x0000000000000000 [ 1344.301772][ T2436] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1344.321218][ T2436] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1344.338598][ T2436] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1344.352235][ T2458] binder: 2449:2458 ioctl 40046207 0 returned -16 [ 1344.352255][ T2461] binder_alloc: 2444: binder_alloc_buf, no vma [ 1344.377806][ T2436] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1344.402410][ T2436] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1344.419949][ T2461] binder_transaction: 30 callbacks suppressed [ 1344.419965][ T2461] binder: 2449:2461 transaction failed 29189/-3, size 64-16 line 3148 [ 1344.442913][ T2436] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1344.468692][ T2461] binder_fixup_parent: 8 callbacks suppressed [ 1344.468702][ T2461] binder: 2449:2461 got transaction with invalid parent offset or type [ 1344.484587][ T2436] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1344.488296][T17703] binder_release_work: 30 callbacks suppressed [ 1344.488303][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1344.506291][ T2436] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1344.518151][ T2461] binder: 2449:2461 transaction failed 29201/-22, size 64-16 line 3389 [ 1344.530761][ T2436] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1344.552454][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1344.586176][ T2436] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1344.619364][ T2436] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1344.628087][ T2436] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1344.665483][ T2436] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1344.685644][ T2436] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1344.705318][ T2436] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1344.749391][ T2436] Interruptibility = 00000000 ActivityState = 00000000 [ 1344.769266][ T2436] *** Host State *** [ 1344.773296][ T2436] RIP = 0xffffffff811b4980 RSP = 0xffff8880608b78e0 [ 1344.789285][ T2436] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1344.809279][ T2436] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1344.832172][ T2436] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1344.838803][ T2436] CR0=0000000080050033 CR3=000000008ee6c000 CR4=00000000001426e0 [ 1344.859344][ T2436] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1344.866885][ T2436] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1344.895496][ T2436] *** Control State *** [ 1344.915307][ T2436] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1344.935260][ T2436] EntryControls=0000d1ff ExitControls=002fefff [ 1344.949344][ T2436] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1344.957013][ T2436] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1344.989232][ T2436] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1344.996558][ T2436] reason=80000021 qualification=0000000000000000 [ 1345.029240][ T2436] IDTVectoring: info=00000000 errcode=00000000 [ 1345.035449][ T2436] TSC Offset = 0xfffffd2d858aa9be [ 1345.049236][ T2436] TPR Threshold = 0x00 [ 1345.053334][ T2436] EPT pointer = 0x00000000567c901e 01:56:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x1800, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:37 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000000)='cpuacct.usage_percpu_user\x00', 0x0, 0x0) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r0, 0x84, 0x6e, &(0x7f0000000040)=[@in6={0xa, 0x4e21, 0x101, @mcast2, 0x5}, @in6={0xa, 0x4e21, 0x401, @empty, 0x9}], 0x38) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:37 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f0000000180)={r2, 0x2}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) 01:56:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6800, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1345.171949][ T2476] binder: 2468:2476 got transaction with invalid parent offset or type [ 1345.186403][ T2475] binder: BINDER_SET_CONTEXT_MGR already set 01:56:37 executing program 0: socket$inet6_sctp(0xa, 0x0, 0x84) r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) recvmsg$kcm(r0, &(0x7f0000001700)={0x0, 0x0, &(0x7f00000015c0)=[{&(0x7f00000000c0)=""/84, 0x54}, {&(0x7f0000000140)=""/176, 0xb0}, {&(0x7f0000000200)=""/4096, 0x1000}, {&(0x7f0000001200)=""/104, 0x68}, {&(0x7f0000000040)=""/12, 0xc}, {&(0x7f0000001280)=""/220, 0xdc}, {&(0x7f0000001380)=""/169, 0xa9}, {&(0x7f0000001440)=""/172, 0xac}, {&(0x7f0000001500)=""/149, 0x95}], 0x9, &(0x7f0000001680)=""/118, 0x76}, 0x2) ioctl$sock_bt_bnep_BNEPGETSUPPFEAT(r0, 0x800442d4, &(0x7f0000001840)=0x8000) r1 = shmget(0x0, 0x3000, 0x20, &(0x7f0000ffa000/0x3000)=nil) shmctl$SHM_STAT(r1, 0xd, &(0x7f0000001740)=""/192) [ 1345.219399][ T2475] binder: 2470:2475 ioctl 40046207 0 returned -16 [ 1345.226112][ T2476] binder: 2468:2476 transaction failed 29201/-22, size 64-16 line 3389 [ 1345.235283][ T2479] binder_transaction: 10 callbacks suppressed [ 1345.235297][ T2479] binder: 2470:2479 got transaction with invalid offset (6144, min 0 max 24) or object. 01:56:37 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x101000, 0x0) ioctl$UI_DEV_DESTROY(r1, 0x5502) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1345.268483][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1345.275245][ T2476] binder: BINDER_SET_CONTEXT_MGR already set [ 1345.301262][ T2479] binder: 2470:2479 transaction failed 29201/-22, size 24-16 line 3242 [ 1345.301761][ T2476] binder: 2468:2476 ioctl 40046207 0 returned -16 01:56:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6c00, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1345.309749][ T2483] binder_alloc: 2468: binder_alloc_buf, no vma [ 1345.366669][ T2479] binder: 2470:2479 got transaction with invalid offset (6144, min 0 max 24) or object. [ 1345.379364][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7400, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1345.406885][ T2483] binder: 2468:2483 transaction failed 29189/-3, size 64-16 line 3148 [ 1345.439954][ T2479] binder: 2470:2479 transaction failed 29201/-22, size 24-16 line 3242 [ 1345.450822][ T2488] *** Guest State *** 01:56:38 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) chmod(&(0x7f0000000380)='./file0\x00', 0x141) r1 = openat(0xffffffffffffffff, &(0x7f0000000180)='./file0\x00', 0x2080, 0x1) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000200)='TIPC\x00') sendmsg$TIPC_CMD_SET_NODE_ADDR(r1, &(0x7f00000002c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x24, r2, 0x300, 0x70bd28, 0x25dfdbfe, {{}, 0x0, 0x8001, 0x0, {0x8, 0x11, 0xff}}, ["", "", "", "", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000880}, 0x80) pipe(&(0x7f0000000100)={0xffffffffffffffff}) ioctl$TIOCLINUX2(r3, 0x541c, &(0x7f0000000140)={0x2, 0x137, 0x3ff, 0x6, 0x81, 0x1}) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0xfffffffffffffeea) ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f0000000000)={{0x2, 0x4e20, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x6, @local}, 0x0, {0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x1a}}, 'veth1_to_bridge\x00'}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r4 = signalfd4(r0, &(0x7f00000000c0)={0xffffffff}, 0x8, 0x800) fsetxattr$trusted_overlay_nlink(r4, &(0x7f0000000300)='trusted.overlay.nlink\x00', &(0x7f0000000340)={'U+', 0x2}, 0x28, 0x2) [ 1345.459021][ T2488] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1345.471449][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1345.477653][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1345.516723][ T2488] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1345.564048][ T2488] CR3 = 0x0000000000000000 [ 1345.586002][ T2488] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1345.608661][ T2488] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1345.626287][ T2488] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1345.634489][ T2488] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1345.649764][ T2488] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1345.658659][ T2488] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1345.674077][ T2488] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1345.684300][ T2488] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1345.698383][ T2488] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1345.720276][ T2488] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1345.740285][ T2488] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1345.759313][ T2488] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1345.779417][ T2488] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1345.809273][ T2488] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1345.816532][ T2488] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1345.839285][ T2488] Interruptibility = 00000000 ActivityState = 00000000 [ 1345.860222][ T2488] *** Host State *** [ 1345.864272][ T2488] RIP = 0xffffffff811b4980 RSP = 0xffff8880650e78e0 [ 1345.879285][ T2488] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1345.899310][ T2488] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1345.919285][ T2488] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1345.926014][ T2488] CR0=0000000080050033 CR3=00000000590df000 CR4=00000000001426f0 [ 1345.949271][ T2488] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1345.956788][ T2488] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1345.979278][ T2488] *** Control State *** [ 1345.983566][ T2488] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1346.009269][ T2488] EntryControls=0000d1ff ExitControls=002fefff [ 1346.015568][ T2488] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1346.026803][ T2488] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1346.049358][ T2488] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1346.066790][ T2488] reason=80000021 qualification=0000000000000000 [ 1346.089297][ T2488] IDTVectoring: info=00000000 errcode=00000000 [ 1346.095614][ T2488] TSC Offset = 0xfffffd2cd4c80e37 [ 1346.101177][ T2488] TPR Threshold = 0x00 [ 1346.109529][ T2488] EPT pointer = 0x00000000993a501e 01:56:38 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:38 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/conn_reuse_mode\x00', 0x2, 0x0) getsockname$tipc(r1, &(0x7f0000000040), &(0x7f00000000c0)=0x10) 01:56:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4800}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7a00, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:38 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000000)={0x4}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000100)={&(0x7f0000ffd000/0x1000)=nil, &(0x7f0000ffa000/0x4000)=nil, &(0x7f0000ffb000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ff9000/0x2000)=nil, &(0x7f0000ff8000/0x1000)=nil, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000040)="b7b3ed7e84ac729f015acd2974ea1a6ea9bec47ca4af2ec407d05d260085233847d3943db4bff4ede9cc3b8afdf32ee9b95378a09d933ea5fd9d502f86588d92772af186f2cbbf8cde0c6904d11d164132844da4ca627c20d7e6b19d1e8fad58908261aa564c4bc22dacaf90e8fc0b2745ce23833a475d667634189aafd928a250925e701c5e452c8a3b7e90584deb83f340bddcca651bf50069", 0x9a, r0}, 0x68) [ 1346.217035][ T2513] binder: 2512:2513 got transaction with invalid offset (8192, min 0 max 24) or object. [ 1346.221159][ T2514] binder: BINDER_SET_CONTEXT_MGR already set 01:56:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x1000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:38 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000040)=0x52d) 01:56:38 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f00000000c0)="7f6277d8af9509ca8d439c77d431aad8f9bcc83fc0c12128e2940840354955ea75b444021c737a5b958e894e9bc810fa5f4fb5978203a2ca7dd4e7371470fbfa3f7ce0840224ddfcf04f70230b7bb8cab1e7c0391847cf8f787ba8926133adc1964efef0246429cd548353e63bd38cc8ef8f5ce88e476a4d2863a54e1b1079d05c82d231655501d265938b1047e0ff9cb2885dd9cc22b0f3bb6becc4fc9c70751f6fc66b1ee75a26629b291e57007e88923e43887e5cdf4d693263fd3162aabefaceffe40dc093ea4d008304000000000000001c533ca72dbeff50d6ef5985f8039f83060ce00fd965264eb68da649cbe1bfd87d51a478f1360187ebf1f2716a7c1e58cef51e2d8059a9e0b5175ad1f9bcd7d87b9297132ef778c4eb7f9db4a55ccf056219e3e5dbfdac07291869eb24ddf48b6002227ee5f4") [ 1346.273588][ T2513] binder: 2512:2513 transaction failed 29201/-22, size 24-16 line 3242 [ 1346.283353][ T2523] binder: 2508:2523 got transaction with invalid parent offset or type [ 1346.309426][ T2514] binder: 2508:2514 ioctl 40046207 0 returned -16 [ 1346.321701][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1346.343167][ T2528] binder_alloc: 2512: binder_alloc_buf, no vma [ 1346.343174][ T2513] binder: BINDER_SET_CONTEXT_MGR already set [ 1346.343195][ T2513] binder: 2512:2513 ioctl 40046207 0 returned -16 [ 1346.359025][ T2531] *** Guest State *** 01:56:39 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000000)) r1 = socket(0x9, 0x4, 0x7) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000080)='TIPCv2\x00') sendmsg$TIPC_NL_MEDIA_GET(r1, &(0x7f0000000280)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000000c0)={0x14c, r2, 0x100, 0x70bd26, 0x25dfdbfc, {}, [@TIPC_NLA_NET={0x64, 0x7, [@TIPC_NLA_NET_ADDR={0x8, 0x2, 0x6}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x127f}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x8000}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x5}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x3}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x1ff}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}, @TIPC_NLA_NET_NODEID_W1={0xc}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x2}]}, @TIPC_NLA_MON={0x24, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x79b}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x4}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x494}]}, @TIPC_NLA_SOCK={0x28, 0x2, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x6}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x9}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x7}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_BEARER={0x30, 0x1, [@TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}, @TIPC_NLA_PROP_MTU={0x8}]}]}, @TIPC_NLA_NET={0x28, 0x7, [@TIPC_NLA_NET_NODEID={0xc, 0x3, 0x9}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x4}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x4}, @TIPC_NLA_NET_ID={0x8, 0x1, 0xfffffffeffffffff}]}, @TIPC_NLA_MON={0x24, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x101}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x7}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xa56}]}, @TIPC_NLA_SOCK={0xc, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x3}]}]}, 0x14c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) [ 1346.375921][ T2531] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1346.402812][ T2531] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:56:39 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = add_key(&(0x7f0000000000)='cifs.spnego\x00', &(0x7f0000000040)={'syz', 0x2}, &(0x7f00000000c0)="c4432ea20e6d09c2fdb029774d8bfbf230b91bf6fb5eb9024bbf6a6c1d46798fcb8f723bb3e32a02400ccb616429b141a04c9e39263f24911e6c7e5faa6fbe6c1198e1757b0b7e127c4f0d362285db9ecff6e964f76b5014931820c80ced3b67227302772c0cedb5f264b482f7d8d9c11d9e2314dc", 0x75, 0xfffffffffffffffe) stat(&(0x7f0000000200)='./file0\x00', &(0x7f0000000180)={0x0, 0x0, 0x0, 0x0, 0x0}) r3 = getgid() keyctl$chown(0x4, r1, r2, r3) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x2000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1346.436319][ T2531] CR3 = 0x0000000000000000 [ 1346.448717][ T2523] binder: 2508:2523 transaction failed 29201/-22, size 64-16 line 3389 [ 1346.457749][ T2531] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1346.458077][ T2528] binder: 2512:2528 transaction failed 29189/-3, size 24-16 line 3148 [ 1346.491906][ T2531] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1346.503049][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1346.503895][ T2523] binder: 2508:2523 got transaction with invalid parent offset or type [ 1346.520432][ T2531] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1346.545518][ T2523] binder: 2508:2523 transaction failed 29201/-22, size 64-16 line 3389 [ 1346.553894][ T2531] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1346.553914][ T2531] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1346.553932][ T2531] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1346.553951][ T2531] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1346.564634][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1346.639135][ T2531] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1346.669713][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1346.678620][ T2531] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1346.704820][ T2531] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1346.729386][ T2531] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1346.738102][ T2531] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1346.764377][ T2531] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1346.784188][ T2531] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1346.799362][ T2531] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1346.807545][ T2531] Interruptibility = 00000000 ActivityState = 00000000 [ 1346.849224][ T2531] *** Host State *** [ 1346.853179][ T2531] RIP = 0xffffffff811b4980 RSP = 0xffff88805ffd78e0 [ 1346.889259][ T2531] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1346.896426][ T2531] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1346.905492][ T2531] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1346.912446][ T2531] CR0=0000000080050033 CR3=000000009173d000 CR4=00000000001426f0 [ 1346.920523][ T2531] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1346.927927][ T2531] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1346.935071][ T2531] *** Control State *** [ 1346.939530][ T2531] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1346.946904][ T2531] EntryControls=0000d1ff ExitControls=002fefff [ 1346.953572][ T2531] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1346.962399][ T2531] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1346.970088][ T2531] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1346.977374][ T2531] reason=80000021 qualification=0000000000000000 [ 1346.984961][ T2531] IDTVectoring: info=00000000 errcode=00000000 [ 1346.991453][ T2531] TSC Offset = 0xfffffd2c5924a89b [ 1346.996498][ T2531] TPR Threshold = 0x00 [ 1347.009234][ T2531] EPT pointer = 0x00000000a969701e 01:56:39 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2800, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:39 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x4, &(0x7f00000000c0)) r1 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x5, 0x2) ioctl$RTC_EPOCH_SET(r1, 0x4008700e, 0x3311) 01:56:39 executing program 0: r0 = socket$inet6_sctp(0xa, 0x2, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getresgid(&(0x7f0000000900), &(0x7f0000000940), &(0x7f0000000980)=0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000009c0)={0x0, 0x0, 0x0}, &(0x7f0000000a00)=0xc) r3 = getgid() setresgid(r1, r2, r3) r4 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000700)='/dev/vsock\x00', 0x2, 0x0) write$UHID_CREATE(r4, &(0x7f00000007c0)={0x0, 'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000740)=""/83, 0x53, 0x7, 0x1, 0x8000, 0x0, 0xaac5}, 0x120) r5 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x200000800, 0x0) readv(r0, &(0x7f0000000640)=[{&(0x7f00000000c0)=""/145, 0x91}, {&(0x7f0000000180)=""/92, 0x5c}, {&(0x7f0000000200)=""/252, 0xfc}, {0x0}, {&(0x7f0000000300)=""/119, 0x77}, {&(0x7f0000000380)=""/113, 0x71}, {&(0x7f0000000400)=""/29, 0x1d}, {&(0x7f0000000440)=""/180, 0xb4}, {&(0x7f0000000500)=""/99, 0x63}, {&(0x7f0000000580)=""/148, 0x94}], 0xa) ioctl$PPPIOCATTCHAN(r5, 0x40047438, &(0x7f0000000040)=0x3) 01:56:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x3000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4c00}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:39 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = add_key$keyring(&(0x7f00000001c0)='keyring\x00', &(0x7f0000000200)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffff8) add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040)={'syz', 0x2}, &(0x7f00000000c0)="e9b9e74d1dfc2a3aead18a7308ec5b19dda2706d4f8ee17eaafed4b39f3175907dd6fb678c68772f11d0a6178fc0028a45827abef7efa558d18e20d02da96b671e6a34ba1671512d575fc05e5b07ede4d81539c2ec7b5c9bf68be5ee61e3ed37166388baecc101b290aa91f8d98771d16499c67dca7870dc71a1ec179f526c3628d1a515667eb4531d341e67bf258bd405d80f65e61f206fbcd4763192be93da48f5c5b644421e711964329a7d6291ce9b3ae5d55cb4f418e9495010b719aab8ffbbca64e6f6d7de24347130250514a5598a468942f2f5266a65f340964387b4567c1b9d200cda4f6d8cff2a65b5f847c86ea18bea437cda4d1dc7e9", 0xfc, r1) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) setsockopt$IP_VS_SO_SET_EDITDEST(r0, 0x0, 0x489, &(0x7f0000000240)={{0x3b, @multicast2, 0x4e23, 0x3, 'ovf\x00', 0x1, 0x3f, 0x65}, {@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e20, 0x10001, 0xda0, 0x0, 0x800}}, 0x44) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) add_key$keyring(&(0x7f00000002c0)='keyring\x00', &(0x7f0000000300)={'syz', 0x1}, 0x0, 0x0, r1) [ 1347.157915][ T2557] binder: BINDER_SET_CONTEXT_MGR already set [ 1347.186339][ T2557] binder: 2549:2557 ioctl 40046207 0 returned -16 [ 1347.186555][ T2555] binder: 2546:2555 got transaction with invalid offset (10240, min 0 max 24) or object. 01:56:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:39 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_dev$mice(&(0x7f00000000c0)='/dev/input/mice\x00', 0x0, 0x200) ioctl$VIDIOC_ENUM_FRAMESIZES(r1, 0xc02c564a, &(0x7f0000000100)={0xffffffff, 0x34325258, 0x3, @stepwise={0x4, 0x3f7, 0x1c1, 0x9, 0x7, 0x8}}) r2 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x3, 0x2) ioctl$VIDIOC_ENUMAUDOUT(r2, 0xc0345642, &(0x7f0000000040)={0x4, "37549a12906f9a2a112aab3279f2f63296ee22606360ae3fc93bfd175276985c", 0x3, 0x1}) [ 1347.215359][ T2562] binder: 2549:2562 got transaction with invalid parent offset or type [ 1347.266035][ T2557] binder: BINDER_SET_CONTEXT_MGR already set [ 1347.274766][ T2568] IPVS: set_ctl: invalid protocol: 59 224.0.0.2:20003 [ 1347.281910][ T2557] binder: 2549:2557 ioctl 40046207 0 returned -16 [ 1347.291007][ T2570] IPVS: set_ctl: invalid protocol: 59 224.0.0.2:20003 [ 1347.298233][ T2555] binder: BINDER_SET_CONTEXT_MGR already set [ 1347.305309][ T2562] binder: 2549:2562 got transaction with invalid parent offset or type [ 1347.314645][ T2571] binder: 2546:2571 got transaction with invalid offset (10240, min 0 max 24) or object. [ 1347.345506][ T2555] binder: 2546:2555 ioctl 40046207 0 returned -16 01:56:39 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x31) r1 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x3, 0x2) r2 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82) ioctl$LOOP_CTL_REMOVE(r1, 0x4c81, r2) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:39 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x5000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x5000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1347.363996][ T2574] *** Guest State *** [ 1347.368015][ T2574] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1347.447442][ T2574] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1347.477917][ T2583] binder: 2576:2583 got transaction with invalid parent offset or type [ 1347.500818][ T2574] CR3 = 0x0000000000000000 [ 1347.510986][ T2574] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1347.528783][ T2585] binder: 2576:2585 got transaction with invalid parent offset or type [ 1347.537345][ T2574] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1347.545438][ T2574] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1347.573299][ T2574] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1347.594602][ T2574] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1347.604091][ T2574] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1347.604108][ T2574] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1347.628000][ T2574] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1347.637251][ T2574] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1347.646676][ T2574] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1347.669383][ T2574] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1347.678254][ T2574] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1347.699333][ T2574] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1347.719326][ T2574] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1347.726506][ T2574] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1347.782600][ T2574] Interruptibility = 00000000 ActivityState = 00000000 [ 1347.812171][ T2574] *** Host State *** [ 1347.816120][ T2574] RIP = 0xffffffff811b4980 RSP = 0xffff888063ff78e0 [ 1347.849500][ T2574] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1347.856787][ T2574] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1347.879325][ T2574] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1347.899313][ T2574] CR0=0000000080050033 CR3=000000009b91d000 CR4=00000000001426f0 [ 1347.907208][ T2574] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1347.925472][ T2574] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1347.947181][ T2574] *** Control State *** [ 1347.985187][ T2574] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1347.993033][ T2574] EntryControls=0000d1ff ExitControls=002fefff [ 1348.025253][ T2574] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1348.045118][ T2574] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1348.065217][ T2574] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1348.105136][ T2574] reason=80000021 qualification=0000000000000000 [ 1348.112642][ T2574] IDTVectoring: info=00000000 errcode=00000000 [ 1348.118803][ T2574] TSC Offset = 0xfffffd2bce208be6 [ 1348.144288][ T2574] TPR Threshold = 0x00 [ 1348.148418][ T2574] EPT pointer = 0x000000009438f01e 01:56:40 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x3f00, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:40 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio\x00', 0xc00, 0x0) setsockopt$RXRPC_MIN_SECURITY_LEVEL(r1, 0x110, 0x4, &(0x7f0000000140)=0x1, 0x4) 01:56:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:40 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x100, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1348.250406][ T2593] binder: 2590:2593 got transaction with invalid parent offset or type [ 1348.250613][ T2592] binder: BINDER_SET_CONTEXT_MGR already set [ 1348.283074][ T2592] binder: 2587:2592 ioctl 40046207 0 returned -16 [ 1348.283147][ T2598] binder: 2590:2598 got transaction with invalid parent offset or type [ 1348.297144][ T2601] binder: 2587:2601 got transaction with invalid offset (16128, min 0 max 24) or object. [ 1348.339493][ T2592] binder: BINDER_SET_CONTEXT_MGR already set 01:56:40 executing program 0: r0 = socket$inet6_sctp(0xa, 0x6, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x4000, 0x0) socket$inet6_sctp(0xa, 0x1, 0x84) 01:56:40 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x20000, 0x0) ioctl$sock_inet6_tcp_SIOCINQ(r1, 0x541b, &(0x7f0000000040)) 01:56:40 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1348.352646][ T2592] binder: 2587:2592 ioctl 40046207 0 returned -16 [ 1348.367359][ T2601] binder: 2587:2601 got transaction with invalid offset (16128, min 0 max 24) or object. 01:56:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4800, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6800}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1348.465370][ T2603] *** Guest State *** [ 1348.493980][ T2603] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1348.494326][ T2609] Unknown ioctl 21531 01:56:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xa000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1348.536071][ T2603] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1348.547931][ T2617] binder: 2615:2617 got transaction with invalid offset (18432, min 0 max 24) or object. [ 1348.561326][ T2616] binder: BINDER_SET_CONTEXT_MGR already set [ 1348.574756][ T2616] binder: 2614:2616 ioctl 40046207 0 returned -16 [ 1348.583727][ T2603] CR3 = 0x0000000000000000 [ 1348.593152][ T2619] binder: 2615:2619 got transaction with invalid offset (18432, min 0 max 24) or object. [ 1348.607763][ T2603] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1348.626614][ T2603] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1348.637195][ T2616] binder: BINDER_SET_CONTEXT_MGR already set [ 1348.649499][ T2603] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1348.669743][ T2616] binder: 2614:2616 ioctl 40046207 0 returned -16 [ 1348.689085][ T2603] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1348.727951][ T2603] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1348.757105][ T2603] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1348.789293][ T2603] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1348.799722][ T2603] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1348.819323][ T2603] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1348.839289][ T2603] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1348.849538][ T2603] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1348.869356][ T2603] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1348.889268][ T2603] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1348.909262][ T2603] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1348.919580][ T2603] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1348.939347][ T2603] Interruptibility = 00000000 ActivityState = 00000000 [ 1348.959252][ T2603] *** Host State *** [ 1348.963260][ T2603] RIP = 0xffffffff811b4980 RSP = 0xffff888055a9f8e0 [ 1348.979275][ T2603] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1348.989467][ T2603] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1349.009354][ T2603] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1349.029263][ T2603] CR0=0000000080050033 CR3=000000009ea2e000 CR4=00000000001426f0 [ 1349.037101][ T2603] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1349.059320][ T2603] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1349.079312][ T2603] *** Control State *** [ 1349.083590][ T2603] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1349.109273][ T2603] EntryControls=0000d1ff ExitControls=002fefff [ 1349.115569][ T2603] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1349.135295][ T2603] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1349.149331][ T2603] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1349.156633][ T2603] reason=80000021 qualification=0000000000000000 [ 1349.179260][ T2603] IDTVectoring: info=00000000 errcode=00000000 [ 1349.185446][ T2603] TSC Offset = 0xfffffd2b37d0015a 01:56:41 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:41 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00', 0x80}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4c00, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6c00}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:41 executing program 0: r0 = socket$inet6_sctp(0xa, 0x0, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x20000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1349.209220][ T2603] TPR Threshold = 0x00 [ 1349.213334][ T2603] EPT pointer = 0x000000008b4f301e [ 1349.310952][ T2636] binder: BINDER_SET_CONTEXT_MGR already set [ 1349.347146][ T2636] binder: 2629:2636 ioctl 40046207 0 returned -16 01:56:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7400}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:41 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x100, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1349.377504][ T2647] binder: 2629:2647 got transaction with invalid offset (19456, min 0 max 24) or object. 01:56:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x48000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:42 executing program 0: r0 = socket$inet6_sctp(0xa, 0x1000000005, 0x84) r1 = syz_open_procfs(0x0, &(0x7f0000000000)='auxv\x00') getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r1, 0x6, 0x23, &(0x7f0000000040)={&(0x7f0000ff9000/0x4000)=nil, 0x4000}, &(0x7f00000000c0)=0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1349.441759][ T2647] binder_transaction: 17 callbacks suppressed [ 1349.441776][ T2647] binder: 2629:2647 transaction failed 29201/-22, size 24-16 line 3242 [ 1349.442987][ T2645] *** Guest State *** 01:56:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:42 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000400)='./file0\x00', 0x101) getsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000440)=@sack_info={0x0, 0x401, 0x5ff}, &(0x7f0000000480)=0xc) setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f00000004c0)={r2, 0x9, 0x7, [0x3ff, 0x4, 0x10001, 0x2, 0x1, 0x5, 0x3]}, 0x16) socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1349.507130][ T2651] binder: BINDER_SET_CONTEXT_MGR already set [ 1349.519623][ T2645] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1349.534313][ T2651] binder: 2649:2651 ioctl 40046207 0 returned -16 [ 1349.542132][ T2645] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1349.578231][ T2651] binder: 2649:2651 transaction failed 29189/-22, size 64-16 line 2995 [ 1349.591849][ T2662] binder: 2658:2662 transaction failed 29201/-22, size 24-16 line 3242 [ 1349.605541][ T2645] CR3 = 0x0000000000000000 [ 1349.620222][ T2645] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1349.627998][T17703] binder_release_work: 18 callbacks suppressed [ 1349.628005][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1349.636846][ T2662] binder: BINDER_SET_CONTEXT_MGR already set [ 1349.658884][ T2645] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1349.665550][ T2666] binder_alloc: 2658: binder_alloc_buf, no vma [ 1349.666460][ T2667] binder: BINDER_SET_CONTEXT_MGR already set [ 1349.678669][ T2645] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1349.689639][ T2662] binder: 2658:2662 ioctl 40046207 0 returned -16 [ 1349.693228][ T2645] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1349.705500][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1349.712517][ T2666] binder: 2658:2666 transaction failed 29189/-3, size 24-16 line 3148 [ 1349.717541][ T2667] binder: 2649:2667 ioctl 40046207 0 returned -16 [ 1349.729328][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1349.741405][ T2645] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1349.762151][ T2645] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1349.783828][ T2645] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1349.795769][ T2645] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1349.807610][ T2645] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1349.823294][ T2645] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1349.834263][ T2645] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1349.847041][ T2645] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1349.857905][ T2645] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1349.873332][ T2645] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1349.882612][ T2645] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1349.894883][ T2645] Interruptibility = 00000000 ActivityState = 00000000 [ 1349.904149][ T2645] *** Host State *** [ 1349.908181][ T2645] RIP = 0xffffffff811b4980 RSP = 0xffff888063ff78e0 [ 1349.918923][ T2645] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1349.928211][ T2645] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1349.947814][ T2645] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1349.957423][ T2645] CR0=0000000080050033 CR3=00000000a8ff6000 CR4=00000000001426e0 [ 1349.971380][ T2645] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1349.978893][ T2645] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1349.988719][ T2645] *** Control State *** [ 1349.996069][ T2645] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1350.006553][ T2645] EntryControls=0000d1ff ExitControls=002fefff [ 1350.015897][ T2645] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1350.026909][ T2645] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1350.037418][ T2645] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1350.047830][ T2645] reason=80000021 qualification=0000000000000000 [ 1350.058005][ T2645] IDTVectoring: info=00000000 errcode=00000000 [ 1350.067580][ T2645] TSC Offset = 0xfffffd2ab2598599 [ 1350.075788][ T2645] TPR Threshold = 0x00 [ 1350.083878][ T2645] EPT pointer = 0x00000000a8b8a01e 01:56:42 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4c000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:42 executing program 0: r0 = socket(0x9, 0x7, 0x8) r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00') sendmsg$TIPC_CMD_SET_NETID(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x24, r1, 0x400, 0x70bd26, 0x25dfdbfc, {{}, 0x0, 0x800b, 0x0, {0x8, 0x2, 0x2}}, [""]}, 0x24}, 0x1, 0x0, 0x0, 0x4010}, 0x8000) r2 = socket$inet6_sctp(0xa, 0x400000001, 0x84) getsockopt$sock_linger(r2, 0x1, 0xd, &(0x7f0000000000), &(0x7f0000000040)=0x8) pipe2(&(0x7f0000000200)={0xffffffffffffffff}, 0x800) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000240)=0x0) write$cgroup_pid(r3, &(0x7f0000000280)=r4, 0x12) ioctl$KVM_CHECK_EXTENSION(r3, 0xae03, 0x1000) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f00000000c0)) ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f00000002c0)={0x0, 0x0, 0x2}) ioctl$DRM_IOCTL_GEM_FLINK(r3, 0xc008640a, &(0x7f0000000300)={r5}) 01:56:42 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'tunl0\x00'}, 0x18) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x383e, 0x10000) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r1, 0xc02c5341, &(0x7f00000000c0)) ioctl$RTC_PIE_OFF(r1, 0x7006) openat$rdma_cm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) setxattr$security_capability(&(0x7f0000000040)='./file0\x00', &(0x7f0000000140)='security.capability\x00', &(0x7f0000000180)=@v2={0x2000000, [{0x6, 0x8dc1}, {0xffffffffffffffc0, 0x8}]}, 0x14, 0x0) getpeername$inet6(r1, &(0x7f0000000200)={0xa, 0x0, 0x0, @ipv4={[], [], @multicast1}}, &(0x7f0000000240)=0x1c) 01:56:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6800, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7a00}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1350.185136][ T2674] binder: 2672:2674 transaction failed 29201/-22, size 24-16 line 3242 [ 1350.196774][ T2676] binder: BINDER_SET_CONTEXT_MGR already set [ 1350.210495][ T2676] binder: 2671:2676 ioctl 40046207 0 returned -16 [ 1350.219421][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:42 executing program 0: socket$inet6_sctp(0xa, 0x5, 0x84) r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) modify_ldt$read(0x0, &(0x7f00000000c0)=""/241, 0xf1) [ 1350.244463][ T2684] binder_transaction: 3 callbacks suppressed [ 1350.244494][ T2684] binder: 2672:2684 got transaction with invalid offset (26624, min 0 max 24) or object. [ 1350.261140][ T2676] binder_fixup_parent: 4 callbacks suppressed [ 1350.261151][ T2676] binder: 2671:2676 got transaction with invalid parent offset or type 01:56:42 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x60000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1350.298208][ T2676] binder: 2671:2676 transaction failed 29201/-22, size 64-16 line 3389 [ 1350.303402][ T2684] binder: 2672:2684 transaction failed 29201/-22, size 24-16 line 3242 [ 1350.336376][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1350.336959][ T2676] binder: BINDER_SET_CONTEXT_MGR already set 01:56:42 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x2001, 0x0) ioctl$KVM_GET_DIRTY_LOG(r1, 0x4010ae42, &(0x7f0000000040)={0x1, 0x0, &(0x7f0000ffb000/0x3000)=nil}) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1350.373408][ T2676] binder: 2671:2676 ioctl 40046207 0 returned -16 [ 1350.404464][ T2688] binder: 2671:2688 got transaction with invalid parent offset or type [ 1350.408189][T17703] binder: undelivered TRANSACTION_ERROR: 29201 01:56:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x68000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6c00, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1350.421660][ T2691] *** Guest State *** [ 1350.425662][ T2691] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1350.448975][ T2688] binder: 2671:2688 transaction failed 29201/-22, size 64-16 line 3389 01:56:43 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x20040, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_dev$midi(&(0x7f00000000c0)='/dev/midi#\x00', 0x6, 0x400000) write$P9_RUNLINKAT(r1, &(0x7f0000000040)={0x7, 0x4d, 0x1}, 0x7) [ 1350.499603][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1350.511114][ T2691] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1350.560217][ T2691] CR3 = 0x0000000000000000 [ 1350.572129][ T2706] binder: 2701:2706 got transaction with invalid offset (27648, min 0 max 24) or object. [ 1350.585489][ T2691] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1350.600307][ T2691] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1350.629421][ T2706] binder: 2701:2706 transaction failed 29201/-22, size 24-16 line 3242 [ 1350.637844][ T2691] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1350.647528][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1350.655567][ T2712] binder: BINDER_SET_CONTEXT_MGR already set [ 1350.660693][ T2691] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1350.686897][ T2691] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1350.696118][ T2712] binder: 2701:2712 ioctl 40046207 0 returned -16 [ 1350.706962][ T2691] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1350.725619][ T2691] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1350.728135][ T2713] binder: 2701:2713 got transaction with invalid offset (27648, min 0 max 24) or object. [ 1350.746772][ T2691] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1350.766843][ T2691] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1350.777872][ T2713] binder: 2701:2713 transaction failed 29201/-22, size 24-16 line 3242 [ 1350.788043][ T2691] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1350.808061][ T2691] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1350.817045][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1350.828159][ T2691] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1350.848192][ T2691] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1350.869442][ T2691] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1350.905110][ T2691] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1350.913823][ T2691] Interruptibility = 00000000 ActivityState = 00000000 [ 1350.945198][ T2691] *** Host State *** [ 1350.965116][ T2691] RIP = 0xffffffff811b4980 RSP = 0xffff8880a875f8e0 [ 1350.972657][ T2691] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1350.999336][ T2691] FSBase=00007f101dc47700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1351.019254][ T2691] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1351.042001][ T2691] CR0=0000000080050033 CR3=00000000a49ec000 CR4=00000000001426f0 [ 1351.059224][ T2691] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1351.066612][ T2691] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1351.085220][ T2691] *** Control State *** [ 1351.089829][ T2691] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1351.125426][ T2691] EntryControls=0000d1ff ExitControls=002fefff [ 1351.132066][ T2691] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1351.165191][ T2691] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1351.173098][ T2691] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1351.199341][ T2691] reason=80000021 qualification=0000000000000000 [ 1351.206393][ T2691] IDTVectoring: info=00000000 errcode=00000000 [ 1351.229227][ T2691] TSC Offset = 0xfffffd2a2ad252ac [ 1351.234280][ T2691] TPR Threshold = 0x00 [ 1351.238343][ T2691] EPT pointer = 0x000000008eeaa01e 01:56:43 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x1000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:43 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x109041, 0x0) setsockopt$netrom_NETROM_T4(r1, 0x103, 0x6, &(0x7f0000000040)=0x5, 0x4) 01:56:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6c000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:43 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000000)="baeede068c9713b7d54e720ff98323513ad5f73f3e83144a8ff6d78f7214666784b468d526ee414d214b573c80e68b37517aebf9675b77f3b3a4803c42fccd09", 0x40}, {&(0x7f00000000c0)="882e1a6531be531e0e34a2951469197606c767ecd06cfb753ed9e1273c2f04884f269f5ea57ca01bfd2a52336a712eeffd6558140587960b24347237b6a9cb2eefaa89f67639efeb0ff1dbe2b55be8fddfd6c62c237624179ef7ac5bf9e1ff13987a5bad2e346da26ada253b97b4c77c73c7b2c22f2db1d0b519d3f15f998780dafc1c8a99f422aa9da4a013d77f692488fed7c6786334a96471430791481c0e8d1e4f05572a36f5a6eedb4b8d848bedc4968d0f74e914ed5ac02368189b9098f60e48edf8961e8e38043774a5b190e6d15a4e23c8ed73240ea98cf6e012bd3d5f0eee4493d8fc8bfac083320cc0640a446b5e519b7ecf80", 0xf8}], 0x2, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) poll(&(0x7f00000001c0)=[{r0, 0x10}, {r0, 0x40}, {r0, 0x1058}, {r0, 0x3424}], 0x4, 0x100000000) 01:56:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7400, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1351.340794][ T2719] binder: BINDER_SET_CONTEXT_MGR already set [ 1351.348881][ T2719] binder: 2718:2719 ioctl 40046207 0 returned -16 [ 1351.356209][ T2720] binder: 2714:2720 got transaction with invalid parent offset or type 01:56:43 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f00000000c0)={0x0, 'veth0_to_bridge\x00', 0x8002}, 0xfffffffffffffde9) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x77, &(0x7f000055bfe4)=[@in6={0xa, 0x0, 0x0, @loopback}], 0x1c) ioctl$FITRIM(r0, 0xc0185879, &(0x7f0000000000)={0x2, 0xffffffffffff7ffb, 0x8001}) 01:56:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x74000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:44 executing program 0: r0 = socket$inet6_sctp(0xa, 0xec12329a41f09c32, 0x84) clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) r3 = dup3(r0, r0, 0x80000) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_GET_SERVICE(r3, &(0x7f00000002c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000280)={&(0x7f0000000180)={0xe8, r4, 0x100, 0x70bd27, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_DEST={0x34, 0x2, [@IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x29}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x8000}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x300000000000}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x40}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x4c24f2eb}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0x2}]}, @IPVS_CMD_ATTR_DEST={0x38, 0x2, [@IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xfffffffffffffffc}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@remote}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_WEIGHT={0x8}]}, @IPVS_CMD_ATTR_DEST={0x3c, 0x2, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0x2}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x6b}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}]}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x2}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x6}]}, 0xe8}, 0x1, 0x0, 0x0, 0x4000}, 0x20000000) utimes(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)={{0x0, 0x2710}, {r1, r2/1000+10000}}) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1351.390545][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1351.390710][ T2719] binder: 2718:2719 got transaction with invalid offset (29696, min 0 max 24) or object. [ 1351.407818][ T2720] binder: BINDER_SET_CONTEXT_MGR already set [ 1351.420443][ T2720] binder: 2714:2720 ioctl 40046207 0 returned -16 01:56:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1351.487237][ T2737] binder: 2718:2737 got transaction with invalid offset (29696, min 0 max 24) or object. 01:56:44 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) fcntl$getownex(r0, 0x10, &(0x7f00000001c0)={0x0, 0x0}) r2 = syz_open_dev$swradio(&(0x7f0000000200)='/dev/swradio#\x00', 0x0, 0x2) perf_event_open(&(0x7f0000000140)={0x7, 0x70, 0x5, 0x4, 0x0, 0x7fffffff, 0x0, 0x101, 0x4, 0x4, 0x0, 0x3, 0x3f, 0xbc, 0x8, 0x5, 0x8d, 0x7, 0x3, 0x80000001, 0x6a4, 0xff, 0x4, 0x4, 0x6, 0x5, 0x800, 0xb7e4299, 0x2, 0x3ff, 0x7, 0x10001, 0x3, 0x9, 0x401, 0x7, 0x5, 0x9, 0x0, 0x1, 0x5, @perf_config_ext={0x1, 0x3}, 0x8, 0x6, 0x400, 0x9, 0x2, 0x0, 0x284415d}, r1, 0x5, r2, 0x3) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000040)={0x6, &(0x7f0000000000)=[{}, {}, {}, {}, {}, {0x0}]}) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f0000000100)={r3, &(0x7f00000000c0)=""/53}) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7a000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1351.554616][ T2740] binder: BINDER_SET_CONTEXT_MGR already set [ 1351.578950][ T2741] *** Guest State *** [ 1351.594280][ T2740] binder: 2739:2740 ioctl 40046207 0 returned -16 [ 1351.604530][ T2742] binder: 2739:2742 got transaction with invalid parent offset or type [ 1351.625556][ T2741] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1351.638968][ T2742] binder: transaction release 9681 bad handle 1, ret = -22 [ 1351.654755][ T2741] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1351.695907][ T2741] CR3 = 0x0000000000000000 [ 1351.725711][ T2741] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1351.732943][ T2741] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1351.748911][ T2741] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1351.756685][ T2741] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1351.772159][ T2741] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1351.784043][ T2741] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1351.795876][ T2741] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1351.807597][ T2741] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1351.843131][ T2741] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1351.863081][ T2741] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1351.883183][ T2741] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1351.911349][ T2741] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1351.929323][ T2741] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1351.938026][ T2741] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1351.979229][ T2741] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1351.987414][ T2741] Interruptibility = 00000000 ActivityState = 00000000 [ 1352.029216][ T2741] *** Host State *** [ 1352.033176][ T2741] RIP = 0xffffffff811b4980 RSP = 0xffff88805fda78e0 [ 1352.059232][ T2741] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1352.066379][ T2741] FSBase=00007f101dc46700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1352.086081][ T2741] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1352.105119][ T2741] CR0=0000000080050033 CR3=00000000a9379000 CR4=00000000001426e0 [ 1352.125138][ T2741] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1352.144905][ T2741] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1352.164855][ T2741] *** Control State *** [ 1352.169243][ T2741] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1352.199327][ T2741] EntryControls=0000d1ff ExitControls=002fefff [ 1352.205522][ T2741] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1352.249227][ T2741] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1352.256639][ T2741] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1352.279305][ T2741] reason=80000021 qualification=0000000000000000 [ 1352.286489][ T2741] IDTVectoring: info=00000000 errcode=00000000 [ 1352.314967][ T2741] TSC Offset = 0xfffffd298c4a4327 [ 1352.320162][ T2741] TPR Threshold = 0x00 [ 1352.339333][ T2741] EPT pointer = 0x0000000094ca401e 01:56:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7a00, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:44 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$vimc0(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video0\x00', 0x2, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(r1, 0xc0205648, &(0x7f00000000c0)={0xfffffff, 0xfffffffffffffffa, 0x9, [], &(0x7f0000000040)={0x990902, 0x1, [], @value64=0x7}}) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0xffffffffffffffff, 'veth0_to_bridge\x00'}, 0xfffffffffffffff5) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:44 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xfdfdffff, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:44 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:44 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:44 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet6_mreq(r0, 0x29, 0x1c, &(0x7f0000000000)={@dev}, &(0x7f0000000040)=0x14) [ 1352.425293][ T2759] binder: 2749:2759 got transaction with invalid offset (31232, min 0 max 24) or object. [ 1352.446179][ T2757] binder: BINDER_SET_CONTEXT_MGR already set 01:56:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xfffffdfd, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1352.477916][ T2757] binder: 2755:2757 ioctl 40046207 0 returned -16 [ 1352.478220][ T2762] binder: 2749:2762 got transaction with invalid offset (31232, min 0 max 24) or object. [ 1352.485290][ T2757] binder: 2755:2757 got transaction with invalid parent offset or type 01:56:45 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x5, &(0x7f0000000080)) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x1, 0x0) r2 = add_key(&(0x7f0000000180)='rxrpc_s\x00', &(0x7f00000001c0)={'syz', 0x2}, &(0x7f0000000200)="f97fc24db1f4ae603c2b500f9ffe3fad15d3fe7ca8aba1a52c", 0x19, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f00000000c0)={'hwsim0\x00', 0x1800}) keyctl$restrict_keyring(0x1d, r2, 0x0, &(0x7f0000000240)='cpuset\x00') getsockopt$inet_sctp6_SCTP_DELAYED_SACK(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000040)=@sack_info={0x0, 0x9f04, 0x9}, &(0x7f0000000280)=0xc) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000100)={0x5, 0x8008, 0x4, 0x1, r3}, &(0x7f0000000140)=0x10) r4 = getpgid(0xffffffffffffffff) getpriority(0x1, r4) 01:56:45 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) ioctl$FS_IOC_ENABLE_VERITY(r0, 0x6685) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x1000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1352.591469][ T2770] Unknown ioctl 35092 [ 1352.596396][ T2773] binder: 2755:2773 got transaction with invalid parent offset or type 01:56:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x100000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1352.644568][ T2778] binder: BINDER_SET_CONTEXT_MGR already set 01:56:45 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/sync_sock_size\x00', 0x2, 0x0) write$P9_RCREATE(r1, &(0x7f0000000140)={0x18, 0x73, 0x2, {{0x4, 0x3, 0x5}, 0x6}}, 0x18) ioctl$DMA_BUF_IOCTL_SYNC(r1, 0x40086200, &(0x7f0000000040)=0x1) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) accept4$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@default, @rose, @default, @netrom, @null, @netrom]}, &(0x7f0000000100)=0x40, 0x80800) 01:56:45 executing program 0: r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000240)='/proc/capi/capi20\x00', 0x42000, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(0xffffffffffffff9c, 0x84, 0x72, &(0x7f0000000280)={0x0, 0x9, 0x20}, &(0x7f00000002c0)=0xc) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f0000000300)=@sack_info={r1, 0x0, 0x6}, &(0x7f0000000340)=0xc) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) r3 = syz_open_dev$mice(&(0x7f0000000180)='/dev/input/mice\x00', 0x0, 0x100) getsockopt$bt_BT_RCVMTU(r3, 0x112, 0xd, &(0x7f00000001c0)=0x5, &(0x7f0000000200)=0x2) getpeername$packet(r0, &(0x7f0000000400)={0x11, 0x0, 0x0}, &(0x7f0000000440)=0x14) sendmsg$nl_route_sched(r0, &(0x7f0000000500)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f00000004c0)={&(0x7f0000000480)=@gettclass={0x24, 0x2a, 0x100, 0x70bd26, 0x25dfdbfb, {0x0, r4, {0xf, 0xffff}, {0x2, 0x9}, {0x6, 0x7}}, [""]}, 0x24}}, 0x0) r5 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f0000000000)) ioctl$sock_bt_bnep_BNEPCONNDEL(r3, 0x400442c9, &(0x7f0000000380)={0x8, @local}) getsockname(r5, &(0x7f0000000040)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @initdev}}}, &(0x7f00000000c0)=0x80) getsockopt$inet_sctp_SCTP_RECVRCVINFO(r6, 0x84, 0x20, &(0x7f0000000100), &(0x7f0000000140)=0x4) [ 1352.694173][ T2778] binder: 2776:2778 ioctl 40046207 0 returned -16 [ 1352.694356][ T2784] binder: 2776:2784 got transaction with invalid offset (16777216, min 0 max 24) or object. 01:56:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x200000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 2: pipe(&(0x7f0000000080)={0xffffffffffffffff}) ioctl$SNDRV_CTL_IOCTL_POWER_STATE(r0, 0x800455d1, &(0x7f00000000c0)) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$VIDIOC_G_AUDOUT(r1, 0x80345631, &(0x7f0000000040)) setsockopt$IP_VS_SO_SET_STOPDAEMON(r1, 0x0, 0x48c, &(0x7f0000000000)={0x0, 'veth0_to_bridge\x00', 0x4}, 0x266) r2 = gettid() ioctl$SNDRV_CTL_IOCTL_ELEM_INFO(r0, 0xc1105511, &(0x7f0000000180)={{0x2, 0x2, 0x7a14, 0x8, '\x00', 0x2}, 0x0, 0x313, 0x1, r2, 0x2, 0x93b6, 'syz0\x00', &(0x7f0000000140)=['security+\x00', 'Akeyring^:\\GPL:em0/\xc2\x00'], 0x1f, [], [0xc00000000000000, 0x6, 0x4, 0x20]}) syz_open_dev$amidi(&(0x7f0000000100)='/dev/amidi#\x00', 0x401, 0x240001) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) [ 1352.805353][ T2785] *** Guest State *** [ 1352.813306][ T2785] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1352.833767][ T2792] binder: 2791:2792 got transaction with invalid parent offset or type [ 1352.844394][ T2778] binder: BINDER_SET_CONTEXT_MGR already set 01:56:45 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x4800, 0x0) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x2, 0x0) r3 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x101000, 0x0) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000180)={r1, r3, 0xd, 0x2}, 0x10) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f00000000c0)={0x0, 0x100, 0x5}, &(0x7f0000000140)=0x8) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f00000001c0)={r4}, &(0x7f0000000200)=0x8) [ 1352.863063][ T2778] binder: 2776:2778 ioctl 40046207 0 returned -16 [ 1352.866005][ T2785] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1352.884593][ T2796] binder_alloc: 2791: binder_alloc_buf, no vma [ 1352.885127][ T2792] binder: BINDER_SET_CONTEXT_MGR already set [ 1352.904470][ T2785] CR3 = 0x0000000000000000 01:56:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x300000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 2: stat(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0}) mount$bpf(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='bpf\x00', 0x9c08, &(0x7f0000000180)={[{@mode={'mode', 0x3d, 0x800000000000}}, {@mode={'mode', 0x3d, 0x3}}, {@mode={'mode', 0x3d, 0x53}}, {@mode={'mode'}}, {@mode={'mode', 0x3d, 0x9}}, {@mode={'mode', 0x3d, 0xffffffff}}, {@mode={'mode', 0x3d, 0x7ff}}], [{@subj_role={'subj_role', 0x3d, 'veth0_to_bridge\x00'}}, {@fowner_lt={'fowner<', r0}}, {@smackfshat={'smackfshat', 0x3d, '/posix_acl_access*trusted'}}, {@subj_type={'subj_type', 0x3d, 'veth0_to_bridge\x00'}}]}) r1 = socket$inet_udp(0x2, 0x2, 0x0) r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000300)='/dev/btrfs-control\x00', 0x0, 0x0) ioctl$SG_SET_TIMEOUT(r2, 0x2201, &(0x7f0000000340)) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) ioctl$DRM_IOCTL_AGP_ALLOC(r2, 0xc0206434, &(0x7f0000000380)={0x4ca, 0x0, 0x10001, 0x1}) ioctl$DRM_IOCTL_AGP_BIND(r2, 0x40106436, &(0x7f00000003c0)={r3, 0x33794dab}) [ 1352.908945][ T2785] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1352.926281][ T2792] binder: 2791:2792 ioctl 40046207 0 returned -16 01:56:45 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r0, 0x84, 0x4, &(0x7f0000000000), 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1352.959761][ T2784] binder_alloc: 2791: binder_alloc_buf, no vma [ 1352.990964][ T2785] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 01:56:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1353.047547][ T2785] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1353.069731][ T2785] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1353.079107][ T2785] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.106661][ T2785] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.109325][ T2810] binder: 2809:2810 got transaction with invalid offset (33554432, min 0 max 24) or object. [ 1353.122570][ T2785] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.134782][ T2785] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.144361][ T2785] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.153551][ T2785] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1353.163337][ T2785] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1353.172498][ T2785] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1353.181426][ T2811] binder: 2809:2811 got transaction with invalid offset (33554432, min 0 max 24) or object. [ 1353.192044][ T2785] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1353.202952][ T2785] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1353.222589][ T2785] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1353.236230][ T2785] Interruptibility = 00000000 ActivityState = 00000000 [ 1353.244678][ T2785] *** Host State *** [ 1353.256121][ T2785] RIP = 0xffffffff811b4980 RSP = 0xffff888060bef8e0 [ 1353.263245][ T2785] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1353.270792][ T2785] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1353.280026][ T2785] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1353.286790][ T2785] CR0=0000000080050033 CR3=000000008c180000 CR4=00000000001426f0 [ 1353.296243][ T2785] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1353.304052][ T2785] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1353.311223][ T2785] *** Control State *** [ 1353.315524][ T2785] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1353.323471][ T2785] EntryControls=0000d1ff ExitControls=002fefff [ 1353.330119][ T2785] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1353.337907][ T2785] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1353.345703][ T2785] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1353.353446][ T2785] reason=80000021 qualification=0000000000000000 [ 1353.360852][ T2785] IDTVectoring: info=00000000 errcode=00000000 [ 1353.367132][ T2785] TSC Offset = 0xfffffd28e3349b09 [ 1353.372596][ T2785] TPR Threshold = 0x00 [ 1353.376803][ T2785] EPT pointer = 0x000000009facc01e 01:56:45 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x5000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x400000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:45 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) preadv(r0, &(0x7f00000000c0)=[{&(0x7f0000000000)=""/88, 0x58}], 0x1, 0x0) 01:56:45 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000001240)=0x26) fstat(r0, &(0x7f0000001100)={0x0, 0x0, 0x0, 0x0, 0x0}) r2 = getgid() r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero\x00', 0x100, 0x0) write$vnet(r3, &(0x7f0000001600)={0x1, {&(0x7f0000001280)=""/227, 0xe3, &(0x7f0000001540)=""/145, 0x2, 0x5}}, 0x68) stat(&(0x7f0000001180)='./file0\x00', &(0x7f00000011c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r5 = semget$private(0x0, 0x7, 0x504) semctl$SETALL(r5, 0x0, 0x11, &(0x7f0000001680)=[0x20, 0x3, 0x1, 0x80, 0x8001, 0x8001]) syz_mount_image$iso9660(&(0x7f0000000000)='iso9660\x00', &(0x7f0000000040)='./file0\x00', 0x101, 0x1, &(0x7f00000010c0)=[{&(0x7f00000000c0)="ddd955c628335ccc8ba3a8cef1646ba4f821fe9aff98baf3604f3b80991cf1f0ecf9526977f01701019c3af11e01192262f1a7266c7ae5b901b615bae9cf29adf1a5f80aeef7cb43192dbbe81542f78448eb295f1611a7e402d415a964c73790f85882b0542f89f0af7d5d7ca7fdf717fc6808af90605445762ebfdfab757f7ec36cd4aa7a43e7296834a3bb536ffcfb2fd36e727c9085df6c9e513bd3ce44deb4cc5383c7a9f576a221f9b18367ef8aad6580680285459bfb68612b292b6aa61117d4a11822087ac8f14fd4945baae0f28d42da210f71cc07caf20ddac515ac4717f88c1da3c8f101af3775e9eb346748c38e03d07a00e48cbf6c942414627245cdc006b569b884929342a792941e71f2a44ae3a797d5677e1d7a859103fe8c8034aec1304dbc8f0d8556815c658ff5dd4296ccfbe4a63fbc406c6f811b5a557d2d7aed6912d013cee2f1b385a77a4cd478c620e1f5274de5a658b44113d2db87d591cdbcfdaadfe61b311275b3df7d9832afbd738ad4fa99172173b6ef5aae5ebcdc8b258f7b0ca9d98ffdc76fc070d4fd3dfbf79778b9345e55196bbb601e0a6c87af21d268d5e2c6ee649da02b1cbee8281c749b221d70ceb7b250697b587a6bee1675887cb29a45dd714c8d6d869252a5b7c7fa8c79578bc0214027ca7c4bc672cb44eda9e54c9385546e83e36bde32c74fbfb6d68d7be084b27969c256b5e0bd313fdd25abc97506e311d806b48d4043b2585f20fd5122a2a511852d8067d3b71f9c5a5fba80135c4127bf71b89973fce6334d6ce6a1622ac3fac65e4e847013fe730238d796149019b5bb06fd14945606df07d74caffeec95ed934f5726293eef533ec1b2f08e744919acb8cafc8670906576f10b2e219ccb2e67a4cc77eb9b27ad8b8bd597d3083f75cf11bca005e349050a497dc2be9478ccf01db115cd082cf3c3db92e6ef476b5b6240a80a33cc9dc0c8b66aaaf770532bd431247441987d4cfd8bd19bcd4a5faf478178c0821a7f77cacef3e1592488e7cb0b31f267fc20faae24f4aefb4713903d23f950b938ef5ccacc16839dce5822b361983831b68ef8b42c78af7591081969f36fbb3549c0b6857921132ba0300e7b7e18cc61e15bd560dae8efa0f63700bc65200ea9aed92e0d266784722137073d6bb8cf91ff198afc3e6e96d9d714ae2e2ea6121274e37873e6c59602a9b42e172e4bcad49b0c70978c6ae0f2a67f290c0542fc700de68729a63fd06a14064d183938ffaa47a0de2206fe9085a3f831bd5c810e0eb7970b54cb48150443895ad0258fea1af34c5bd61e1760b4721920463df12adcede9211a10c0383fa4887e2e3dc87e9b01889b6ba79d86db0ae6070b52c95624fe0c0720f824e8bc41004e0af6df359c0e400ff2d677cc7056ebf8a73ce02e2f63f4b8736858530414b2cef05c2e65d76959c1c4a0aedd72026cf84ecf2080604e2a291ad29d466627e27294c16edbaa4cbf4832371466f19decbd7c01116a7119a85661da3174afc2375fca39b1e78075f3c6d8f373fa09c790baeaa849ea96e0bfd0618aba4e1b8b517d7085e487cf44b3c19d1fb03a9de6ba8c34cbbb8b0e87f36c9095dd8c8397b805578c6c16b38faa40e7e326532cab3bc5bed1d2acfb917bee4a09a760bb489dbf900ce0f2210c2b9a442b625da61df94560cd39244121d3543322ce164c4a5fac6f9e631b68cb4128e3cd004fad89bd3437f9394eee2c67ff8c76d6be22a7384dabd7cab4f24bac9893f68ff8f1fbb7d05fc696e518e5144a586f993661e923dc165952ad365c56b793054f479a6f70140f99676131752a22782e4aa64dc52d402a72446119de9a28b5ec6d6b90c6d729f30c81f1f529c4891626186d8b7984b8c9aef378669213577a56882dbbc2527582c4896a1f6fd1bd92ef7611c961ea431c82e07ba024d873fdd9392fe023a4ba71e04019d090fa383abf32dbdacdf4360b4d971d6d6a5c534679847e83ba97746b789a15c48cbeb8674e68997463b2783176a063ac151c772cb89f8138d0f7cced361ef36605849f8109c265065a4b1073ac980ebf4d916ae09d03c0bdcc746bb1b29ad4284e536bce239d6b63b3d6d66d6ff8e4968e0a89058b075b621bd8f6a92ce6d86c89570063db0b933c7a5687f6efb1b0d86441ea696fcf4da87a096a1a07832e9b207d71c7533e8eeb22ed9e52d7170263ba1095c915b526b133cc3892f3c8686025e5bb20dad52aad9114e120d2411eff3539b65f8ef389c476722cf4a9dc23dc5a4a87bfd2aa8c416e9143d1b02a61d47931955e41cce913355a38133c0341c9cb4ef3469b20a057c295397cdfbbea668fd92d704e252378c68a71381cb7093615c0be2e78ee3341bb1962ae1c5f1b8ab75297abda497160051e9d217b6137446be67d01e607bb0d894e6852d1beee371ac622be31435f4bc1e780dc2f38a695b2b922ffbd2a865775d1cbf81dc84d63d38e3a4ff576ca169f7995a7401cf476117d5592adebc2a400da6803891f08e597249b2bc539b2b135c0b7552f13f2d1abb8740d37861c97072679087e22ecfadc49613fc7a3eb18a95725978c26052fcab99d0b9fd4d7cde98078105da8bab40cbe78b1b0d3c625646274a8b6b7590413809126f8c45472e75388854756137f3211dd8d0e1a45fbb183a0dd39125cd6fe9ba9c4a8e819ae417684ab579e1c2064f304dfb406b1662eec8846fed1b1142a19f05389bcb09dfd7f541f2c951d9b4a6d3b14b6a5aaf693309c2637877f8b5b75e58622ec12d34a483a2002f6025c1cdfe4573a16e8deb244bf4892eb8e7f315301e1f00d1e2d3ff8f2cd744da510f106ff9b843cae41efea3d4492338dda228bf688b78eeb2ec917aa0b48a4c80a9289a90e322e24939bcdc79f217c850d6937a5a5ee2a3f0cfd463364ee3ed2406316991210f743e90b73d82ba2524b3a4e481784dc32079eef7fc5959071bd943a53be2812fb37f2a5e029a4f63515440b0c2154bd4410417cec5863596790be45feea01f6466dce7b526d8f0976f134fda4d831cb9d0567e94fd578f53b7616e69365bf79cf994d7b7a097874c0fe42051f14dfb4deb4437b0f0c5b881cd1e74de1787e461280270f2973fdfc507178e6d22d0ebf43e61887d7024d50985bf8bcf1d326530b00482d835c772344c0cdab10257f77db6dab73ebc09f047c521e585fc34f071486e5b7b0300e857e84bad1b0357889b77d695a519859a3aebd452db937d1d128eef14c6638266c7fe833f10f8a9015ed3caee1031f995d10b4a0d48cf5d6e94e7501f47e23639c94d385f98516573c974eb9bbd76bf5f4f0b61ec988970dfba649a617842705b185e7cf118fe56c14d59f37cd0ee3b3c4fe1aad68a738e78d6ff54601344288774c383c77ba0b218713dd75f5f55aebb2f571ce7d5fe3a0d4b7b6aebf0ee7629efa6b40d0839f0594519c83cdf38a66202e750a007ed1c5b27b0419a6efb8c312e220e568de0871439a84687a98afba540fd0a489c35f3c28043f989b28b53b60ac6e599466b67c0f6dba41bfb12eb315406425c1afefda8629419b98fc32be71b6917d3749b24c0bb8b183640cd05da4a219cf280cc4ec1d33ae119af778d0e0233919bb124059bde4fb393a87863a1d6fdc0512d566c5a7fecbeef2a04cb184eb8fe5f3d56ee5e4077bb5fae64b98b041a5c58cf9219a93ebd83ea4f81bfe2982cbd8aabf104e9be7d412bdc28f6fa9798f7958bb9d189b38683b0594ad0530490c84e40e4d2612cd7cf28c359830c64a8c9c5210cc1c19cbfce9e8cd21fd3efd30bf1695e4c0d3dc56a52e84a377d35b8fa5938fabb100cb434264f798819c3573801722d38e09c2bd8105fe53122aa3a166e352dffeb7b16900bae827b9304543ce4862f42ad92d6c29e871a0aa77d6c355edfa26304ba8ba35bcc829a27414826a45d68ea4b83a6dbcaba557badb429dde5eafc7f95f8cdfc1add709ccad151affa1551b842f044c35e99d44c9693c1bf60b8e399365be2d29bc96ffaa7fdd3d87153854dea014a93fdab340512ed60ae845b72476fa6aec33662bf5d11634fc7675c171aa521154338f3d51bface6c8f892e190e2778ad82179f6e8fcef91ad8189e34cb305d7e64a3f242e0a16e4eae011d9e4367488cf7070b09834c49ad08621696709b46884b7c053c316eef41cf947ada2e0671c826e29558a55fcba2aa13479fbc087a003105047aa5c7fb6e2dc284f0a61fdff08beb54887ca5e63df1820ef74671195265ef615d3daaea114c02d2c02c9e290dc2b38cfd43ea4e31693d98cffba81e72c8829462f4ad1e91e83e8169b4120bd5313ac64686a9cfb2706bd67210b94e4f55a595d925ddc7db9a4c3009143886f9ce85e9ed9a476d895b05dc10b49001fffecdbeb4a15eae303fe370512da08e2b0413c0c72b107c0534131f704302eacee503f36889973300324833aad8fde0023ef2a070e32e2e600830bd23b4ec772c313a80031066bcb97c056efa9f3b1d1c5d9eb8bd6b2f6a6caddb580bfc93def3dc957bc4848766a5f5c804303fbf48ca628afdc51ec98baccc6b858fc3dc73b2f4030b9c534cf8c34835cd29296f8f0dc09a5fe4ddaa68c3bc7ea75761c2f7af195f34e784d15ebff3229ec0b8d320e7e0e2b171311d8df602b5511edd5a538350ab0dc47a79a3488aa22853e0086c52a907fc1c7cb80456a35a6bca4a404dd3e5811ff76920e3e610a599d66d8bcfde4af428116c3a31f4c0207b72b6b70f499855afe48517b392e83aa83f256f1bb55bcb5048dbe296d4d48d5c6a9cb15759f5be693c74ef4a59eb2f1f9f163bd0d6d9b28480336af8e2fa47a9ebedd932b360d8d6fd1776ffedd0c114565a00cf59c80a9a8abb0e4a853acf8abce4a075a119f8d2bdc0589018f0f94daf6b9332a23a4f44d8d5e7d72e1d51ef2ed560d48c03566019bfed360b35fa8493a73c7a05da83719b5b5c57c0ebd66a985986ddf3a1b2dd30964be906c4da0cfabeaa4feea62458c833de7e572219c91f5bff5b7c53e62ee2d0206f4d8a8d9f7f154f228a65f5f3a314461c4d5bd241e45c6a18ad67bd82a1e478163229285b01da2a30c9bf4a099cad4f5ed5782f9cd04786ee35bdac5165cc565b7e0792f09810dfb4c1fd1552e3ded3491cd070faa3d733e1e437f02e44f5fa848f1365f7007c98868884bbf4ffe644a1bab5c1912058547b267c7f8bba6dfb46833f3a50ce2464c301394ac6614475005af3acd1c8e66c00ce1776bf4bd9594e7a78ab10b86d62cb89c4dac00dde3c5dd42c007990b2465227a62db7de7018e80966510cb81cc573138ea3d74347ee5d3e3bf31e39702e68bb306a9681f21815c3c64ac0f9c366933b925a70386000a896e22cd6099e9dae2c8421f8ed4f9a74741f264a08de94c9bdf751ab4dbc6bcd3ba9100d535b9902168d718256e00d19647318fb6b43eb67d937c792505c4d3bd2a0c08fbcc4c1c95a28f4219e6dfc0f520806e055b3786ecf286f2d92834a4c6e2368b1cdf26463156cfae9cd5d721bd3cef8d4eabc43968aec240caafcfa4127e98f203150ba7c6c19a4a36e10ca2ac2605f980ebc2822c62aa490f7f49ff006b3aaad177523be6b56d93f4b78f807e8859bdc073802115c8977cf9b3e703e1307c505bd79b4ccb1383e0734ed189649033baf8fcc932d3bda3abdeb39690be251104cea814f78d3ec55a0eeba37cc2dff5049683a3f7820b5dae541904cad409350f7b59a4917bd24651830810019a", 0x1000, 0x9}], 0x80, &(0x7f0000001400)=ANY=[@ANYBLOB='overriderockperm,uid=', @ANYRESHEX=r1, @ANYBLOB="2c6d61708400000000000000e49e6494ca7bcb595b2ff5188fed58245f03d417d3d2dfd798ed34c0aa46bf7d437b999bb65e51bd68ffc3b1ca1de615f5450b22ea2c6e553ca82bfdad1293fd43afd9f977516beaadeb725eba409651865c2ec87f472f67ceed435a9f9c08e87fee8e60613a76ae7bd202ee2c2b661f4dcc6a9b75baab3497820a2f6346713d2e880ef3720810ef", @ANYRESHEX=r2, @ANYBLOB=',nojoliet,check=relaxed,overriderockperm,gid=', @ANYRESHEX=r4, @ANYBLOB=',unhide,defcontext=sysadm_u,measure,fscontext=root,\x00']) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000001380)='/dev/cachefiles\x00', 0x400000, 0x0) r6 = dup3(r0, r0, 0x80000) ioctl$SIOCRSGL2CALL(r6, 0x89e5, &(0x7f00000013c0)=@rose) socket$inet6(0xa, 0x0, 0x10001) 01:56:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x3000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1353.465979][ T2821] binder: 2814:2821 got transaction with invalid parent offset or type [ 1353.478313][ T2818] binder: BINDER_SET_CONTEXT_MGR already set [ 1353.487878][ T2818] binder: 2816:2818 ioctl 40046207 0 returned -16 [ 1353.497985][ T2826] binder: 2814:2826 got transaction with invalid parent offset or type 01:56:46 executing program 0: r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000004c0)='/proc/self/net/pfkey\x00', 0x0, 0x0) r1 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000540)='SEG6\x00') sendmsg$SEG6_CMD_SETHMAC(r0, &(0x7f0000000600)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x22020}, 0xc, &(0x7f00000005c0)={&(0x7f0000000580)={0x24, r1, 0x410, 0x70bd29, 0x25dfdbfd, {}, [@SEG6_ATTR_ALGID={0x8, 0x6, 0x340d}, @SEG6_ATTR_SECRET={0x8, 0x4, [0x4]}]}, 0x24}, 0x1, 0x0, 0x0, 0x48000}, 0x40408c5) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f0000000040)=0x296) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffff9c, 0x84, 0xe, &(0x7f00000000c0)={0x0, 0x2, 0x1, 0xfd580000000, 0x200, 0x5, 0x9, 0xc014, {0x0, @in={{0x2, 0x4e21, @initdev={0xac, 0x1e, 0x1, 0x0}}}, 0x400, 0x0, 0x7, 0x98b8, 0x1}}, &(0x7f0000000000)=0xb0) setsockopt$inet_sctp6_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000180)=@assoc_value={r3, 0x933}, 0x8) r4 = openat$full(0xffffffffffffff9c, &(0x7f0000000300)='/dev/full\x00', 0x8000, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r4, 0x0, 0x80, &(0x7f0000000440)=@broute={'broute\x00', 0x20, 0x0, 0xc0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x20000380], 0x0, &(0x7f0000000340), &(0x7f0000000380)=[{0x0, '\x00', 0x0, 0xfffffffffffffffe}, {0x0, '\x00', 0x0, 0xffffffffffffffff}, {0x0, '\x00', 0x0, 0xfffffffffffffffe}, {0x0, '\x00', 0x0, 0xfffffffffffffffe}]}, 0x138) r5 = syz_open_dev$midi(&(0x7f0000000080)='/dev/midi#\x00', 0x1ff, 0x420200) sendmmsg$inet_sctp(r5, &(0x7f00000002c0)=[{&(0x7f00000001c0)=@in={0x2, 0x4e22, @empty}, 0x10, &(0x7f0000000280)=[{&(0x7f0000000200)="34ad354588a843fb24be4be5fbfc0e7dff", 0x11}, {&(0x7f0000000240)="a75ccec413b1d51b39bc7d0fe126a377158be57373330db9228c27de7605048999c29d9ce20542887a08d8ab93051485c2d01e24", 0x34}], 0x2, 0x0, 0x0, 0x10}], 0x1, 0x8000) 01:56:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x500000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:46 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = dup3(r0, r0, 0x80007) setsockopt$inet_dccp_buf(r1, 0x21, 0xc, &(0x7f00000000c0)="aa02d99886b33eaf8c69108f07a23ac5c6f656ee20757a05f1ebaab1a0b63c533bfd3a93f0986785e6d5f08ab13070dbaa75d7f3f1d41960939eee6a77d5106c493860a82999d5696968e273b550e181f549356352e7e15345386add35742e4c31f3be98a602b6d8af58842a5dface759fcfe31f24b7bae8045ece8939223ab478a8e44d0e40838ad550cd611e473d139f33e2fd0dadb5718100c2bf0734c80b9f56944c38fd81beecd9113b3a4ba4a22427666c3aa5037100a1ec70f92ae3a3a9906801cdb05f93bb7aae4a27ca0a57c569839910ec2a5b1ac69b9a03349f707021e0034cd3d6a18aa7aa", 0xeb) [ 1353.515978][ T2818] binder: BINDER_SET_CONTEXT_MGR already set 01:56:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1353.582063][ T2818] binder: 2816:2818 ioctl 40046207 0 returned -16 [ 1353.590936][ T2829] *** Guest State *** [ 1353.617286][ T2829] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:56:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:46 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x2db7, 0x400) setsockopt$inet_tcp_TCP_QUEUE_SEQ(r1, 0x6, 0x15, &(0x7f0000000040)=0x4, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) umount2(&(0x7f00000000c0)='./file0\x00', 0x4) [ 1353.660624][ T2835] binder: 2833:2835 got transaction with invalid parent offset or type [ 1353.718673][ T2841] binder: BINDER_SET_CONTEXT_MGR already set [ 1353.726203][ T2829] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1353.752203][ T2841] binder: 2833:2841 ioctl 40046207 0 returned -16 [ 1353.772050][ T2829] CR3 = 0x0000000000000000 [ 1353.782169][ T2829] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1353.785832][ T2840] binder: BINDER_SET_CONTEXT_MGR already set [ 1353.815329][ T2829] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1353.830249][ T2829] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1353.837732][ T2840] binder: 2839:2840 ioctl 40046207 0 returned -16 [ 1353.849308][ T2829] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1353.869397][ T2829] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.889326][ T2847] binder_alloc: 2839: binder_alloc_buf, no vma [ 1353.895706][ T2829] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.919304][ T2829] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.949305][ T2829] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.958131][ T2829] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1353.979490][ T2829] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1353.999372][ T2829] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1354.008069][ T2829] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1354.029312][ T2829] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1354.049305][ T2829] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1354.056575][ T2829] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1354.071603][ T2829] Interruptibility = 00000000 ActivityState = 00000000 [ 1354.078541][ T2829] *** Host State *** [ 1354.099485][ T2829] RIP = 0xffffffff811b4980 RSP = 0xffff888055a9f8e0 [ 1354.106316][ T2829] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1354.129298][ T2829] FSBase=00007f101dc46700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1354.137943][ T2829] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1354.144695][ T2829] CR0=0000000080050033 CR3=000000008ee6c000 CR4=00000000001426e0 [ 1354.152600][ T2829] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1354.160135][ T2829] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1354.167018][ T2829] *** Control State *** [ 1354.171393][ T2829] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1354.178896][ T2829] EntryControls=0000d1ff ExitControls=002fefff [ 1354.187421][ T2829] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1354.197173][ T2829] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1354.208469][ T2829] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1354.217940][ T2829] reason=80000021 qualification=0000000000000000 [ 1354.231601][ T2829] IDTVectoring: info=00000000 errcode=00000000 [ 1354.237879][ T2829] TSC Offset = 0xfffffd2878d70a87 [ 1354.247100][ T2829] TPR Threshold = 0x00 [ 1354.263152][ T2829] EPT pointer = 0x000000008595301e 01:56:46 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:46 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffff9c, 0x89e2, &(0x7f0000000000)={r0}) ioctl$SIOCX25GSUBSCRIP(r1, 0x89e0, &(0x7f00000000c0)={'bond_slave_0\x00', 0x2, 0xbbf2}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r1, 0x84, 0x6, &(0x7f00000001c0)={0x0, @in6={{0xa, 0x4e23, 0xa, @rand_addr="965264c21a43c20739edcd82d52cbe97", 0x5}}}, &(0x7f0000000040)=0x84) setsockopt$inet_sctp_SCTP_ADD_STREAMS(r1, 0x84, 0x79, &(0x7f0000000280)={r2, 0x0, 0x9}, 0x8) 01:56:46 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x600000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:46 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000000)) 01:56:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x5000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:47 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00', 0xffffffffffffffff}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VT_ACTIVATE(r1, 0x5606, 0x1) 01:56:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x700000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1354.389699][ T2854] binder: BINDER_SET_CONTEXT_MGR already set [ 1354.423044][ T2854] binder: 2851:2854 ioctl 40046207 0 returned -16 01:56:47 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = open(&(0x7f0000000000)='./file0\x00', 0x4000, 0x0) open(&(0x7f00000000c0)='./file0\x00', 0x400100, 0x0) fchmodat(r1, &(0x7f0000000040)='./file0\x00', 0x2) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_FLUSH(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2002010}, 0xc, &(0x7f00000001c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r2, @ANYBLOB="000141bd4a2bbd7000fcdbd12511b2189afa981cce33e2ade3166a92566f1bba7d0b83f780da2141da062a9c6898485161223b683499e7fbe901eb6c9868b065b38cef247c22ae5830252f2c8868ce1a2905c4b2b0280a"], 0x1c}, 0x1, 0x0, 0x0, 0x41}, 0x4000) 01:56:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xa000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1354.451028][ T2863] binder_transaction: 25 callbacks suppressed [ 1354.451046][ T2863] binder: 2851:2863 transaction failed 29201/-22, size 24-16 line 3242 01:56:47 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x0, 0x2) getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(0xffffffffffffff9c, 0x84, 0x6c, &(0x7f0000000280)=ANY=[@ANYRES32=0x0, @ANYBLOB="880000000d50edd02532bc83c39d186c486a1cdb36eb72fa0e0a98568a440c3598ee0008392d575177a5b2ce034be715e606157342735edf525111c5b8d7d1af0a2d16549d7a3ea449395acc88c6a1c74b610ae9af2dd28685746ec4c9718ffc1d3b44127f906db0ad2dfc43e89127f62c39c8ab58f5b892058034c50a3b449a2354c43b59ef7f5678c023f5cd533129a1229cb01efb201072b7e351d75be0ee65fc9f2ff4e32fd91800cacf2b17c8f46fbc9bf3b5edbbea83d780cd52d85dd5389efe3afe94a5fec2bd3b2788d19708ca76d54c0577d3f48551c30e78fcd2082a865d7b1573ab14ed50b4e25be2e52974a3da39f49d7a27ee4377742b5514bd817f3a0119f15529c653f01b8709000000000000deedb87b41fef43af6bd8a425b670cca208affdd43cf72ea37d377918ab0717e85330ed2658c42300af0d55cd1434944a0cea60485475fb424aaacdadafe6e7401fdbe27b50caa7411593d7dfe1098f1bbb2a7e812d3220010576e04ced5f766a0b5e9ef5f3f8d000000000000"], &(0x7f0000000040)=0x90) getsockopt$inet_sctp_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f0000000180)=@assoc_value={r2, 0x100}, &(0x7f00000001c0)=0x8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xa00000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1354.558651][ T2875] *** Guest State *** [ 1354.578118][ T2875] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1354.594907][ T2874] binder: 2873:2874 transaction failed 29201/-22, size 64-16 line 3389 [ 1354.640252][ T2874] binder: BINDER_SET_CONTEXT_MGR already set [ 1354.649371][ T2874] binder: 2873:2874 ioctl 40046207 0 returned -16 [ 1354.655975][T17703] binder_release_work: 25 callbacks suppressed [ 1354.655982][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1354.656209][ T2875] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1354.681249][ T2878] binder: 2873:2878 transaction failed 29189/-22, size 64-16 line 2995 [ 1354.724651][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1354.745927][ T2875] CR3 = 0x0000000000000000 [ 1354.756274][ T2875] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1354.769380][ T2875] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1354.787088][ T2875] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1354.809282][ T2875] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1354.829292][ T2875] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1354.849304][ T2875] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1354.869290][ T2875] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1354.889291][ T2875] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1354.909300][ T2875] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1354.929286][ T2875] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1354.949295][ T2875] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1354.969317][ T2875] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1354.989286][ T2875] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1355.009284][ T2875] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1355.021384][ T2875] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1355.052988][ T2875] Interruptibility = 00000000 ActivityState = 00000000 [ 1355.073047][ T2875] *** Host State *** [ 1355.077048][ T2875] RIP = 0xffffffff811b4980 RSP = 0xffff88809d1af8e0 [ 1355.099373][ T2875] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1355.119266][ T2875] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1355.139265][ T2875] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1355.159273][ T2875] CR0=0000000080050033 CR3=00000000a4533000 CR4=00000000001426f0 [ 1355.167142][ T2875] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1355.189283][ T2875] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1355.209267][ T2875] *** Control State *** [ 1355.213554][ T2875] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1355.229277][ T2875] EntryControls=0000d1ff ExitControls=002fefff [ 1355.249287][ T2875] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1355.257060][ T2875] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1355.279285][ T2875] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1355.293259][ T2875] reason=80000021 qualification=0000000000000000 01:56:47 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:47 executing program 0: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer\x00', 0x101000, 0x0) ioctl$VIDIOC_S_HW_FREQ_SEEK(r0, 0x40305652, &(0x7f0000000180)={0x20, 0x5, 0xfffffffffffffffc, 0x7936, 0x1, 0x80, 0xf72f}) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000100)=0x1878, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r2 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0x3, 0x200000) getsockopt$inet_tcp_int(r2, 0x6, 0x2f, &(0x7f0000000040), &(0x7f00000000c0)=0x4) pread64(r1, &(0x7f00000001c0)=""/67, 0x43, 0x0) 01:56:47 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x80000001, 0x44000) ioctl$sock_SIOCOUTQNSD(r1, 0x894b, &(0x7f00000014c0)) sendmsg$kcm(r1, &(0x7f0000001480)={&(0x7f00000000c0)=@llc={0x1a, 0x102, 0x400, 0x8000, 0xfffffffffffffff7, 0x7}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000140)="fe33c9c0115df17f2c2c136db9e003b5e429bdaee409d80b8a494ce4b3e9525fe5bcaf77671168d86d2f3012bb1c48af68ffa0627106beacd6a2caaaa42060d87668807f9513271cabe00706d128f8884c32d34a8779e19ef1ddbcd803a28712ff338d451fcd0ade7a27bdc1725cacf738ebcf5bda955a3b70f6947f2e6792fd2649a1687c012392441cf190cad000a93197f5e07f4303651f0ba40cf0fdc761e264fbecb70b0c804af8add8c2c71a2b86310252616834bca5a6a670cdcc3e8dd97d32d929216628ece3d286a933155378c7eb3b7a59c7b8337f08a5a88f81c74142356ec4ec91d8d167f22bfe269390e0095d8379be825375bd69b26084769e5964ce28af3b7d2a59a65cd970b162d6f91f3b14b3c898da247fff9b3b0d122d5607c66ecde02ae87d422d9ebb0eca41c5e25bde6c4b4041f06df9ff3dd3e53c1f249a93175fc2a930ad2398fc7d7e36111466ba7e2ab825df681b2f8ea2c00152c208204fff4cd52342a1ca51ff758f3c8591085a92781fcccadba01c5541d66bdcc5084f780f8129b36d08ab847c507ea584a3816d564d58970d0d32b9173adaea7f8fbe6dfc7ea71e00df03ad8709bd4a70c60c420be9c4196a970f963fabb536a380d89577062132e9d67bbea29a5e1cc7767af8c86bad344286aa1d79394d4a3d96e85534c627a7810563d0448d71b6538eac42eba270c222a4d2e73966b3e019b4f17d8c574adc5d1f9c50e3b62be95495c24f62bf3594ee850414fd573baf252617a28a88e6acec4a0983bee6b217b7b6bcbd1f69e47c068b85f3f91b0c43dae59bb585b910807ab93a833dcab4ce14b21a0a55c367852530a549257c69dad5781870a9e551f2d6d50f9258a52a1071ec2a280ad71f702754b4a35f5b4bebfdf919c36be54efcdc97bc6405a9d50c3e370f0e24e624f45d12290b5cf2b8ff2519b6a989022d609ede352b41636dae350708a00bed5c63f703818abf873c4a8f8f931720851081dbddf3bb8d779684927e1633d0e7fcb5b2173e0ebbc8e4008543789d8a0c879fc50c57abc6aad1432bbcd9ecba54d1cbb471032a3227f26da20b9ab8c2359a1d9ae46cec12bf98b5337b1d253932fef14c2bebdbddbc345ec27eb729774fa2071a98b91a67761f26eba080df5bbd08ee5195d98b4b0028e7867ca34e96f1d0d6a705b21983da2469c653a31d08fb777932db3db121962e83f7c3ee9835ae6ac45e96e207201f9ca4ef8840b14acd64518d11e222c0aeacf17e3fcd541087194c0ee2637fe4243da7ca69445a055b5347fc1a6aa1a125ce709f5597d2b75493478d5a8fa7426d071fb9a3436ecf686b488f2d81f52c942675ce840655752f30fd2e4803f71afc0dce52ea220c36ed4fec22f8333592f9545c8de1f625b4fa9b69be5d9bba5e3a6d68a307b1cfebe3a495acf8c56ee6a19550d2ea29d66a6272d2abb81e8a34ef716334af4da5a2864e05b5aa7aab98c8f63b360c11942c5a65e8c7c8e98d753cd9fbd43c767f942584e48ec5b53353b5c05dbcd3f5b5a5826589f3b5661d19bdb77c7532be8ef006b3f27b7aecec7f37ba3d1db8d0307553d8d598cf2b21674d7f8218b91251576a42584a62aadf5f5bcec2cb062bcb3a307a519b9795a10872c663a73bfcedbdf50420d894d65c9af068188c651fca1415dbcd01379da86b55f3e223ba60ec951fd9b97732a3b524ab47dc97d213ec54205b411d9fc0d99a57a59762f8ac112c949f5752e3ec625365e80ac76cae8df184e92c83de5d39de670692949def1a0bd9eff87ce769f8ac163992825ab03ad118444274e22307d1534fcb57da8a35c4c7c669d52c43de12703901f2c8c66e2bb3082ae3a96608232f4d88ba4c3fe27c281017ff05d7a5555a3d5f3f4dda018c1cc44af1e5707cde25f8ec1996bfb009774e1afbf6e098440b2b59870fea81c38b244ed7e866ffac17edeeb83bdd0a637344240083aa09de9bab4200d0e38aa0fa725df1037d11567f82ba624ce68689421fcce77522e1a231594ce04a8993de8ecbab268aad5a36be5a2e6b308228c68c8f0ea83fe8bf3e9ad8eba51152959bffe3384f5a3ac3d4c1503765d8835ebab872e85300c18088474924d62f4dbd9946e1ad3ab562d087900db2740bc7b3e945cce647ed80fe5eadd8a6e82b70a76f9f207d530b8fab65b435f335c5c97fa33d61d46ff5d7509bf7c91e4f5e2fff64f4c4f4b1d8245ddb1f3f8ceb15d4fc5b7b9f2b2216def802778cdb6ab071f4dc1792cf749bc035dfc2c3e166f01cc5e530b27142b653561d7475cad6436d2a127c49f9d319811487b66e5f08d5b58d081290d9f85293ffc8a25323fac9cf0a65c85b0cedea112046b897807f775078af25de0022a736d1c617dc3f8e58018c09eecc13814d923c9f59aecf7e9ed97a999181472513772c91f1fc77e63c61f77b9e6127ded460500dbe1cf1a4b862aa00de582d9bf9399a1fa3831b3e90a3bd8f350a0e7fe9a2caf24faaf05fd31c0bb29d67b9411112fcc1efa8991893d6dbc9c513cd1de596ec53528ffb61491805c6495998aff6c0b357ad90cdc549b21da0fe7e7f742fcf72a8408f2b16fc6f5c94034c16d79d3a77c3c32906f899a2c68045a7220a7f50bd60080a21795acb7dcdcc100fb6de946d4c1955453b162bedde2a72265365bd25aa6d3fcda5607931f1d8e51f2616f89385c1b76128ce43e040113d74825f5ab72f162b0d6f39ac4c3376df5b12c490667a8317d7cd5978dc94736fd0e6932314f6be03f6d64e080b035809c70961e5d747cbb336df69209d05bde0582f8c1223437ee0b5b2c447c46bc0c362ab88de3eecb9011cc1884203a4723b4a31180b901aa25de66824172dffae01f283a2cb45fc4c9b8a3be966fb997e488e43ef6b48bb1b1d14ca9abc9c6758d4bc0c06a5d4862c3d350cb4deb305aa81a8f2eaba9574a7e4f5a549a76cd613e7d28035af58b9f164655b63ba08a375b187cb396ec208d0769e12c04c8c0b4d2bef108a7eaf6a38aef34de9023a1ded49631a458af921820d8b0b0595cf2a40fee21b2ab6591d738b8f2bd560dd25b6cd97f74b74d3b2c44da276fcca9e5cdf3c5f8a61575c2fbbf196bde12d8863c64554f7d2fa70293d647dc7e91f5e0c47e4b1873aea41886b89d93a43781b874d52dce18b766d8db62bbb0b95f628af9597d9abc38bdbc597a2da7f82ceac8cc7cdb04dbda924f6843980941100f12883735df167e9d1a7f7e1eb3e69b0211cccc1833f16de6a9eaa1b1a291463008d1bc66ea1ba1bfd3ab89304512b92373ac980b2906d56b293a31de2ed6f5edf915ed71ca22c84da38f8c32286490636a1e12167bc2200a2a764e1c439786e6da50b2ef398dd3630b2b16a8e32e89b16511e1a48d4a677d201fa330f3c65efc9837685f95adbf9e1a7b150d3d4bd2236cda9bf7211eb9d5e9aac9ea28c9b31f4e172cca43532c23897dcca463c19c24be3040146dfdb1eb76539dc6bf0885ffa5574d5fc338b3f47897e83a094f3d7fe887f6d3817455f94aec7382e39b3746af46d6c79f3da1ffb2e4518538a4f753739ec091938057abaf1f1a412142bce02226c23df75dd2323a80e5b07d90cee9565985359f0157cdf90aaedb83a4775b47a2594cbe525ee263651e1fb8349b168be6d73f5fab4de5f7c1a6d46c898effef8fe2b2c3a6fac426b94c0df6a30720351cda80935adbc9f7c96de2b479e7706e5a3d3a5098767fcee42ef1daea07308ebee9972e20426f24cd0c63529ee85036e25db274e797bfefe3f3040c41a19f573051e78e314716e898ca7f61c7c29f849b57c40a8c143574fff12fa0546a4d56993f998dea4f4ca090e7bdd0789a5ce980ff311d15e8a89f0142c2954f3c37ce89ed7f042bd8561c997098ea52ac2023e87618963cd9e7d073a57640399919a20c10564c468aed2bf7ce78e4f55edd216754c947a9062aa76e38762f342b432c868c11ab26f4d4c610d8b22f1f96bfadc4a4adb94da56054b198428fbb263fd01cc0275575b927cdc610dec907a7261fe55461eb9858fa4f61ef5edc997457cc5c5af78e9e494a2c6a51454f16b229b86c52a9a701e7f64965e821d95f7bf93d2a62612bce8f206a70a5c193211a00023b15c3a2dfe0261aadfd41761bc26c0cdefd76b95a52c0ea11c221daf22faab534b22c1a568eea9664daf2e3f22b3cbd96a1c3863a863eabc31c34b7274b349e09886927615d4a77c749dadc5a29ff7edb357c8b848308c832324688f44bc47f26e9832cb3b9f2d131a6ade4cc86090acfef97374002c3829a6dce3ff358e720ced663a9686a145ae8ac323a812a1d1d618bb2c709947c8e3534e78eb533d09a69d64f4a6f2b7d7cbe5ae1f16c9f7f47949826120f46f05cd8448bddb701d576b6e45f6507656c0c1f4b4983b06b1ab4e086e7f24344081959b300918979967e9e8a524560d073cb021acee61df008733da1e1bafedfe100e8316bc640bab39b866720b37aa0f28588805e063e47a5e6d97a756ee0b5d7e7c18269db051ba1fbef81c12db41e897a362fc8c4d22254b78fc54576f61076a3f4578f6ccb628986ead1026c0caa4512dab4e72ece57c9f38790a68979c08217742aac69b4aa60e1cc8dba64233472ecbb364e883a8392f4d11e77b463caa29baba10865b75c0a945283ea134b8587b373ca1e229a30bf805068545de8b51ab532a67caac4ee03ae0c92a8d8afa2237dc107ca36baecf25a87e8da6b22c53816ed5735349d9cb357bdbd3e52fbe71773f24e84c576c0b3e1970d3095ffe48153da88304ed29d8c8219b9de90f87deb6641dfe244bccca62d0aa035894a35a694a3c449ee8ccdaddd27db5b3f506f3492a92ac116fc708ad06bbdcc967ca26ec8a6575965ad54679b3b4b660dc7eaf549d7105ef34f5cd7fe46d7105f66fe4ae3cb8b6edf870bdac10a396c576eec59dc8c1630eee8c4afb3f95bfcc0eb3d14b5c8ac581848ce5a05194b4376699feb2014b590b82c20b73fdf434704c6e41e94aedd1130a7d548d7b6fd28ce435e6117669e84fa80e419a146161a14a98a314acfb881356ddedeb908c99fb5bb333cd1ff0d72c6d4c45ceee3892e2d6ba86a65b00790ce728f6c19440b059e2515a669bd8b3c01baa697733744e47e65bf79b1d1b07e882e5df182b7faa6a900044f79f01cc2c168efaaee0ddc70e83574fc20ab396e97788d671ff349faa4a4b7b254ef85c5b67dfc0542755dfd5a7640bc0cd725088828c1f731c4cb12d3fbd8be7e13ffdb19c0c8194822233da951dff44f0cd7b1d87ce5db6688a91c712feab95d0e9a617cdf9f7f1872fbe45b274ffd421df7ec8199ac60262b2a0f7761edc29d4616a2865feeb5337f8eba343c4177aca27e8095c3de1c96c19060fb23406e44b467a1f3530c9cc89cfc641eeeba02657ef60b506d1a7b0472488226cefead0c0fb6d74f8d37c26659bf5309863d5aa10c9b77377145a6296c9dfd4151de9525abfe8fdb5205843d37bbcf7968c7a1421ab5e0e36dc53afa0721683003ed72ed7bffd318c8ddee51eb1c589f6e2ab982107cb797bf7c8db780a6a5108a58f2bd28756019847ae7eef8ddb51d79ecce9fac24ba63432153b2ffa3b0f9418dc4ae4b5bfa8f58dcb38e3f056102b88d3c8906444ebda75d4a22f200c426273d46462eef2c6ea51302d616be2266b6c67f5d115878fe4a8d6ca6f3ce2b44ca5bd2967cdf0ed902247ccbe3f7b08c19d0a668f49f8c5fdab789e07ed59c821f219b5ebd0", 0x1000}, {&(0x7f0000001140)="29bcc637de1ffd7f96e2439c0134728ff3ddda6f1f953d30b48969e8bafd4f4151cce74507f096d53d3b465b857cf100de74cebb19d35cc99715d6f569d43a358288080000000000000034402cd3f37a09aed3b2a507a02c7d9ef17e0afb071d777767110113611ba353832a60d2540e7a796e72b8ad203d29b0cb88f93339c5c0c6b6130bed400c8f4cea2c4c933d2a8f0842bfa0e7bea2310468c2ae8267509da948b07e42216b8bb4fa66ec9e418ed4a5f7b78e5ae6116f7f73c95c915a79d524b480f72e8f99b136de17f8d86a4fc1c2306200162c71e692b6ed2e70ee6ea5fcfd1f4e128a1957668b9bb755737aaf9564186f6cbbc54c84eba68dfa94", 0xff}, {&(0x7f0000000040)="fac13ac8efe52137098366ee9eeb5ce02550c8a632fc2a2bb32c4319026b87e4640a2d6547b130880fa8c6ad00"/55, 0xfffffffffffffffd}, {&(0x7f0000001500)="bd1620e111e0fdde733177174cf4725ddbec5f4a3b527aba4c092444d637a379e7f68ccda3f5e0dfbf02d8c527bf8b99237f500574137f98d4cb288ba0de0a67e8468312d3c095406cab4d20225c80f2df025ef5e2a7aa1549485e82d2f5be7b987e4b1d46261320bdb844a34d4abbc702426042ba8bb9641dd5ce6cbac4a97c1850c9bd07a17a95d60c5242b0c40dea49373528dd08656dfa70b1fe40b2be55c681130954f8ab2408000000000000003ed08d", 0xb3}, {&(0x7f0000001300)="a52183e12cf85b5ea6a2f5a24b415a604b0045e779546e80984399151450ea79d40aa521701bcd7d2b62ba8699f8752dd8ef1b89429032ef119e6420fcc9b4d2feaa425254a0ece1b1ed6f59f0783853123931d4116e14eec004bf18f758a08bab8e698a3899216fdf093a96fcb014fb725a34dd83d3915b5a82428dd854af2ddbfc011e455738b618aa15368cafdd2e0153a5ac6cc67c30f8bd8b4bcf99fc8ad5a99c595bf8dec3b2dd99e8c92a6a7ba22ed5787928ba1e2359652922d37e09c4520c568582c61bc5fbe90ec4300e27db30bc0b", 0xd4}], 0x5, 0x0, 0x2eb}, 0x40000) 01:56:47 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x2000000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x10000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1355.309378][ T2875] IDTVectoring: info=00000000 errcode=00000000 [ 1355.315654][ T2875] TSC Offset = 0xfffffd27f47b0861 [ 1355.329271][ T2875] TPR Threshold = 0x00 [ 1355.333533][ T2875] EPT pointer = 0x000000009573201e [ 1355.413653][ T2889] binder_transaction: 3 callbacks suppressed [ 1355.413668][ T2889] binder: 2887:2889 got transaction with invalid offset (100663296, min 0 max 24) or object. [ 1355.418352][ T2891] binder: BINDER_SET_CONTEXT_MGR already set [ 1355.438445][ T2889] binder: 2887:2889 transaction failed 29201/-22, size 24-16 line 3242 01:56:48 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000000)=0xb2) 01:56:48 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4800000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:48 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) clock_gettime(0x3, &(0x7f0000000000)) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000002840)='/dev/dlm-control\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000002880)={0x0, 0x100}, &(0x7f00000028c0)=0x8) r3 = openat$cgroup_ro(r1, &(0x7f0000002980)='hugetlb.2MB.usage_in_bytes\x00', 0x0, 0x0) ioctl$LOOP_SET_STATUS64(r3, 0x4c04, &(0x7f00000029c0)={0x0, 0x0, 0x0, 0x5, 0x7, 0x0, 0x1a, 0x1d, 0x18, "e5cbc42860a6d5cd9eb191142a92adca0727d6a65572503af0368089a9d19a4bcd7d4a80ad9950cdc7516f3a9457dcf65cb59bd53f157d56576037f2f9c4333d", "f5d932199f30a349a16ce7beeb2956cd125e808cb965bb998e3ca8ecca0ded5df9cd905e5a35e7cf7c4847464628e903044d77a35a0b32321d422339ec5df5e3", "969bf1eef0ba81bcc13b98dddc814b4956daed5e4971c620a9c42118953fb0f5", [0xc6, 0x4]}) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f0000002900)={r2, 0x9}, &(0x7f0000002940)=0xc) syz_open_dev$ndb(&(0x7f0000000040)='/dev/nbd#\x00', 0x0, 0x400000) r4 = syz_open_dev$vcsa(&(0x7f00000000c0)='/dev/vcsa#\x00', 0xffffffffffffffe1, 0x100) sendmsg$kcm(r4, &(0x7f0000002800)={&(0x7f0000000100)=@vsock={0x28, 0x0, 0x2711, @hyper}, 0x80, &(0x7f0000000300)=[{&(0x7f0000000180)="b91c6eb19963e1652873bd80684833c07ef231f41709a7d44552c5e4e5aa259bf39546de7bc1da482002b6f4e494ee79e5a79d9bf3b97acaebd703a77d6d95b7a4dd1f872d082843f9ff69bca7929fdeefa4f01000a0587b97f76f4e79235ac7457dc056e1b74527e593659d20684d391ed1065a1bbcf07579b687af894ba928be1f9e4109a7d296ff7aeb24461264f6bab3f9b4e6c890158759ad7cdd0bebe2a86d550a6a5ada6be51c20ff1e4e0f64887447ee97355aca198cb080923fbaa1fe0b8c41907bda650a2994942a9fc9be9448ffdfc3c485d338cd015919efab9f3b4f081aac13a948ea5c0174134d229dfaa8fe273f02", 0xf6}, {&(0x7f0000000280)="1af18d730f87da3b8f9177a103587dea603b8b62bba5aabf6eee6c5bdcb5350615556f6ed7a22339b746442d49ddb9435a4086e8a4c21df49421f26de44b13e1427295fe1e2aeb2afaa310f62896fd9d7c325d2ac0fa6e0b540bfb842f276d9b31b68266bdc82b8dccd2f164a54cc4421327680c046f2960410795007d11a1", 0x7f}], 0x2, &(0x7f0000000340)=[{0x108, 0x18b, 0x8, "35699e34d4ab08ee75ccfc3c28629315fd5718c596b11f30212926c9dad4e5a2d3ee605681cb6291d2d0ce332681afb33506e73cb9767998d7a0fe3742e3bbb02f1e72c6b706471353c3f6f7b6b1414bbcd9b9af2589b2fa465cfa90ea23228e91177e724aca8a70dfb4d71becf6395350495199b2937cd65a010edcedf1d26d5deda6c877086a0ca8256c0b6e0e11544f44c091c09c8493d6b3d5f9113010021c27d8b98d5078c2d297cb08631406fcdecb3a1f2af493714e80a247c97e1d3b4898874452c7963e61444fc9ac8adf3281c44a174089e2d8b6b48a7905a45f669550e158b21ecb9a7e461ebfc1eafa0b7a"}, {0xb8, 0x29, 0x43, "208357dbc532a4d6b83bac693336bd0124406202bc2040a1dc52189ea519a91bc3566abc59f65682823e43bf0e10cd16dadb753d1e6ae5d0a4faeebc59174e8f8a0838f5da1b9a4ddadadec6d2f57105915ea0ab26a9d5fa754152f03c11e39438bf5813e1bb54a4d36c9c17f0010ff345d0ecb2a418712cef28d6765387222c25565014be36667199d1e18c3be37556ca85272c38777a5748094824aea631f94cff8aebba596e"}, {0x108, 0x10e, 0x2a4, "96d654f4d912a64024620ee7d4221027b045c9273c933e42b50e4928a16f0881697bc7b278d1c5d71d199dd3e1404e8d38b06c2485a2a3458783752279e66180149c9c6637c720f66dbdb7fd6404ee33d8c4beed588fe0b1d44f94f7e09a8d67a3eea774166bb65ad6555e3061121a68f800599c73ff0612130cb16eb4174785922af4280c04e9fc0beb9cdda0083e81c202607e0d38b1ff5de6b95956258a854996fadef16554942fdc367ebeae1950d515c4ddaaa57e2fc7bc384d0bf6ccd5566bf981ea56f39cbd4017caeac82a73c0a0046ef3f752baa84722ba49add409861ba67220e71269b92c391ab7398535564bab3d"}, {0x1010, 0x117, 0x3, "aa8d4a46c5730993ded8e583a94cfbe6f8fa6385ae55c73fa49d171fd93929d3ca5c6377fa9662dacf0f159db71d2515934176de57218f29803cd1804385a942ef52a3dd7d70fee42226371c3b596e33a9f7649d3c7455f38740e3c80489c060790aeb12a3ffde174d22520054f2dbc05eb7c9af3b75ebc6de01f5bb1ba527ddebf24deabc4a71ddfde1dfc8c8962b735976ad1be20b4cdb2bd0837a52095b9e8b0249fb541969761a4be3a0c0a6617ad97c654b7b3bd0972d11bec7659a38a3fe101c0cf55566bafcbe1cd5e16653116161892e4dc27c042999b3aace0e2da4c53e67912b86d513eee60e13c095b14551e5cae4a1b5f34cfac6d83baf9e3eab16d9315c0021a5b372b18059adcb39d7a703a12c021918ddff7befd584b84040b7e5ac079e1f81b7677a146ba6fc654e2a1b7021ad6007fbabb19b50802c73ef9abb6eae55d179d833c9618027747ef5427a3e5d36ebc624cf5e748986382e47089d8e3af2314e689ac76545d6eb5de270a0bb30dbcb3b72568fd861497d944bc9df204477edeebd8cb51f0e59ef86682b792bfd56e1d013804269623deb0f12d5da8b49b7484214fb213d41324f6e5f8dbedb0eba4172f857cc1f3234b786fb07401f54f2f0513b4d87e8142596fb4bbe66081c6692c965c10fd228874f1b6b59e7f3b32276cf80ed25a59e46abaf36e2460069f2a9940dc4ed44f5cd19ebd6d0d72f60de7fa759a18ef5b5722e5cecc566af4621decb4b31a2783d91fad730a47c590c2684036ed19b3830ec4ea2086a2aa54d0c0d12790921225b8d6145122334a18bc82080ef0e146bc8899ae4ad75d012b9599302d86850644925c55b29838dc103d03f7ea5fdb4e11dd5821e26416c233c90ba70f306b2e73e7e00bf283fd418b5c63ea50b826b2c8f7e6f93278c3fbe776606176ef95e366294023176bbce56a86d55c6f239b75ea5bbac1fb80a3a77c7be0d3cca55deea42caf2b0e76a78d17f0d9959bf1ba9cd74251078e5b2d1f05acadeb6303d434303b94d73e73d0b50c567d770c647a0d79abfb3c374e10602d5be6f51fa51709ff8a8a2493a382c4254835b20af59a78e049b2e93c4533522ab9cae17d56a60565b4faad15bfde172a49c8798c8094e775aa4e50c39922daba6cfa2882d088446063f1af26847d2bcd0d4e22100601834e2f13ea796f8ed184241bb6d7bb5e6501a66c846fa87a72d12dbff467589e9aa12155e9c032c25b9c31ce81d7e20ed8a65d615c2d50bee74c25c1271d86d1a1d8e3ae34ee943b0f6c616ce3a51bc1ebbacbbf25f2ee2faee1348e0df4b375ade5dd612f874f0f92b8c94347a9550ad40e5ddeaf3285698746af90d75d692ba23c12e28d5218825a8ad4a480bb04ef30a17f2b95b41c5d3156748b89c42e65d519cf340b59f616808a7a637eaf009b0031585cec5994f6d50ba1e01844c1c8fb1d1481701d6f8143afd96f554777c78dac3bc22299b05728a159bedea645d53747cf14bf58fc205fed93765ed59d7db77ffaabf51652085e0ce1c9e237552ad238db2ee50d5ae473cae7a68f0e5eea40d02fcdd15776d284ef6c2e9140e0aab9bc248c3b50b6136ed4ef0a64a781702273c0dec8f40808532df482056ee19581e76b4791e2d00b13c81d06f8b7afa9076aaef80f6721de53cbee697be486528e64547a0a0d5fff5b448a74bb8489b9ca40322323c7c01b1fcfbcc12d9774932cb1667fc1035947ad505246a007c8879f9a2c1ed5014f5a0db6eebf0548d1b7a83898685e0e880834b7c6e602695a01cbfe59f24b6706eb71176fd6c2924a86756bfc2a487cfd3c6350fc75bccda2b07d27cc4f8fe6c4eca934796f0b56f2149edffd33408dc6cf5cc54f4521e28a7a0572ec96533339a12cb66b0a72b34faae7636b26d34336c235b9f3d6d9974e6f2a5cc2ffb288901f19bbf0a9b18498d7da8a93090a168ad90d4eaa5dabe7f6f6006eb6d1a1fb2edd4db89d6886e54c68f5ccb211926216d2b2c0181d04d5e72605f5d91a7e165ffbc811063f170eb932f7367e99616ee6035287d795313742fb6424d0e8d9b287c2c078f47eec0423145aeba62bf3668a1bb7519e3e991f964d498a22b2ad11c23093d311795436e96a507348510d694c4ec66f23d264111abd7273f7be6b3c3e26e97945c4dab5ef07e7996f89799a76a9a44a6aa77027ad2e94d34a9b5ccde6848302e1d3d315e954fc800a4991a8792f777de90a1a003622b60e0b92f75cdb0825c150c90940485f93d4a6e7e05949ca2ba729d9a9834e5fdc4fc05770683a0bdde7aa0c2bab60397c3ede331d2219d3cee32b55e1394c2684065cb5a2ba7db37a66fd8903f1bd2e4dcf83762a9e1b8ebad12efc3e246303d8e068b727e47a74df949a0a446a00b96ed114ce27c90ac3b6afc7953d75e8fa1316f44ff0e8417ae2ceb678e621d1fcb788b11c399fc5e697bf7369266d8445982bba7f1ffb6eed49bbe393ad8aa52824b4c1b4a57d1ce5f8a0da0a2103dfe0d50f7b47b83f47900aa4d89fb6fa739921c6fdf1cbbb2b897b63fdf159546fb95829cc934139a59669611b883ee4cac9dffb530baeb61593d4d55991db9bad88ef18aeef4ae10276e6662cfe52ebb7ee6b4e7659918f651fbffca753326352145dfdc6f25ef744bad19b7dfc7bf409c3cbc86a18d47da49d5cca5d56c9ce6bdd51387e6e29d20eb318484226ace34deaf681499d337989ca78c9ac2f6b8e6bc2913a65d6a9544f484515db91bf8dcf4a7744174bfa6ea6a02ed37b63a192c92b1621c0d746b7e8248fb7597919c65db384a6100e667bb15eb99d1c5250dd17e25b6e6a5307686d03af35180a5e72d67a124a3d5cd136de21bd51d8f87984a0bb1e0dcf4fdaf568d4f70eefe108ea36c7275398ecb6ae32aa27e24a19c6f9f5e7cdf2afd7a4437dfc026fe2da057c78ca94fe45bff9db556cf7f7afb4a7c532045402be001d60f6a966e64eadc8c5060e0c3779ac58972fc8e60a38910f6da92a62530cd195dfa65e98f5b17209217b49adcd77308cd590e9053c32ee1429129ea70663c6d6baf227a04eae307cb313686d6b82100693018620f1525c26e315f3e8f21430fa1e71bf8bd992b57fb3ee0f973812563fe31e7aff6eff85150ded9b9a379b87b4246a7497d8df971f01dc4569f464edf9609ba707bb1d4aa265fcd1c9e16bc2b8d42f3bb5b71610441e0b65b1eed484f122f727d4ce31562eb176bf6a7af165314babbdc6476c1d527a4e1f8c32cbe708e5c92f84ce941d56f1e459ee1b9389c508192568de5b203ba8f6ad607f1ee9677a3a15ab75d9094789c200e65f7d55bb68c89f18db9b4d3f4cfd66b925b7537d3a46ff5a40f07fb198a5db0d778f31db90373a6dce99ef8b82f6caf15044c89cc16921b286f71ad678dac3637a50c87a326c0a4a10c471d2def2f29a0a02027cfc5ec6fcf9d079cc1a3c02810c4adcf11919e7ec5defa547eec171425f5bb5b06f3e31ac332cd518c1c83bfd5e3a714d74adf0066d5b7b792ed1a963f440600558c1c74ee52fa9658aef3d8dd8529ec00813a3ef49d1ba2df040e363037eaf3c42aea7f561d681aebfe0ac9017b57de9306b3c3db06fe0e3ee0bedf371c6fbc3e7fbda8131bb0db02ba564415d0a129ee10a58e6ee47bde3a4b578f00e2a0a058656d2b28530bc0d538b421bdad21651d47dd95ac380277c2e03d45b23ac4e9c998a75e0e1c414d1e0080b6478659258e61f4dfe3a220959f86fcd2e966435d01e4a5f2ca7d860e9716ab4cda137f91c1abd6b91a560fc974f437fc1b93a5aa3cf9f5401f9c56c3714d346f5480a2f7363a5b5bd3ba7a93ec2183849faa8936410d20fe214eeff02e11923c44f30e19566bdc7276db535f6841b7609749eb746ee6da33c395b6f949bcd78afc7cb272af7706205ed159c6c88e34c990fe86921c18e449531a6089d33f439e5773478cdadf23a81881746358cbf77e4b26df56107ab6a9b3d3584eec18996259f097b103e6c83a360d8da1f8c710f58a63b03733a980203f428fa23d0867f5a6bc0e2ee34b21c89c8a574da08b93d20e05fc34958fc52a78c19aed8f2dd7e5f5c98ed9a385740cd5d0f269f1fff844e306f6e781205a41c9257890b4e425de8c220393df933a33d87d81409d02edb33dc9a9f63462058e16aaea886695039df3f1ee5b37c5eb82fad3704b9247b9c6cbcab7759ca62fff6bdbb6931e4ad15bfc92c84339b5b4fce8c047a8209bc0a841917cda2fe88604e1e789baed1577ee05a4d08e9a2f8a7c400ab3e4e878e6782a1da481379ce6d6bd666e1b6988b6448e3ecd9824ba96a9284e6edf76eb53689413cf4d7fbdf9e6dae6d2017fdc8bcd61f23bb6a0ef7a1c7f6a8beb3b06afd9a660f0ec3d1f5ab78d31a3e54feba0ee7bb44fb0b96de875be5ae56ea64c3e972c91afd259ceca77e604a5434baa55954e66e4903a4853a13076d0d9cd4e0d0e016486cc58602d882786abf52347430e158430e5f826aec8254503b3dc0b7425c02dc25cf84cbe6386e33d56795223aa615f2ec73e11f8b2c61822ac68a3dab5d7b8dab8f4df23fa9f3b208e4b13fe014c24ef46d7918512a28c71551a1b1dbbc140f0ca27dea87f796ecedfbecce89abbc1223d8605a1a05af1b1fdae25119281ab4e0c88906faa1997ce24321de83af8cc14dbbb93f8ba9137fa5b3cec0c56ef18740fa544b8b7f8183f9df00927985ca32c26b85b306fc22d453b42363c22174c67aa9c7b233eb23664d4a71390ab5658d3a064443fb988e7f76b7483b431ed02466bc99eb73c8f1ee4b9ade9eb960b741d8ab27c76e3f95a68fd0f4328a0bc2ebdf40af1f2067589c5bcf167b067ff991589b2219b6495b427a4bc343dce71c5bc638e7847ed0bb4e741bc43001be1ce5ba6a71a155beedd31dee20d2532b05e93c356033c70746006b2da3f89cf7f66917d3d69ebf9ca91a5128d4458e107430c716631d24f371b1c253a40faa9ddc5d3cf5d621180fcfaaf6ce2ac80256465b757a08c93b84b45791793b1c20584700686d173136a7d89e3616cebe4b305b042b081ea93639547cb19a50e4809e8b85caec55a41a17840c05f39b0b26929d87d5b0f3f6012574be83350ba2542c7e7db02d927f86349661a4d4d8d8bbbc9fada0b3c4b1bfd20f70261f42bc8436fbb9a6b265f48df8afefd5ba401527fa9dbc29c48ac6350c9cc5ce8da9a118993f8e55de4850d7271007401c3a14057c8ef8653a90dd82896399a778f5d22b983c17675d176ee0548f1238e8efbdb2dac91a1b4747291fb5f93217c8838a2749994eece0caaa56ce7443ad400e84e8b330632e9de6bf1127f7686c95ad1526d663829049815faf7943bcff930ae65bbd6a021cc1c1bc598643a5129be0557e184922cf568983e5ad16ef1e1ba6d679abd5e28fb65f56db2a59e172f756aed31d8f4f6194107fd36f0069de635c2c90a49d882838d6dd9bb1047207f2b214b6d2a4c160461b1e0bb0308499658624da6ed16f4639249d111fa188a4d6a36c88487ddd5959e3405ac351b523f4e0181b75be4cb40b0de1740f8c99cee64cb99ae22d6027af8781c257e0f079f1f17bd28d6faa282d907c4c0a8d5d51c14534d97af9b90ea97e8c661108da50efb448e0fbbc92d3f1388b27d242daad0787991e7a1c91b5431ea558a56c89130c0b1d85ea25689f9bffeb11af6ad002c3bb14f4d244990e50a7acf87c7a71a43fd97a0c433229bb87ddf0306ac7c7d8c3d31c9478a3246c9e631"}, {0x1010, 0x29, 0x2, "073f185683f9a408b2bbd720cc21443de7004edc656450ef38444bb0a573cd4bf475e4655d4b135635520d2cd7272f6ca7cf1da8dfe69fedd6b5bfb3022bac47afd3e1a3b690f5692c007c1fdc481b67d117f49cc6d7a5b34f9bdd7af6394fe9cd35c98e578032989bf40134f74d960a6a6fb792909af17f8f81b828d59e1635c387a03211ba588a73716643585944598410b1fd7ca9d16b0e26c32323aaa00f169189a6cc35b2e6e75812ef993ac387feca5635539e5c683d7c22884ed2caf93bc364666400943b1f57b2b06bcad13b6b5687b46d7fcd70221b6baec4cd7c08173dab9c39f2e3a365c0611faaa120502386a9986c2f6be54cf7d00a0b87185e76d82be7bb3b782cd6479711a16cd858d09c2de6622e9e11f0f6f5ac21b470cf70ed3338bad056636eafcb140a77c63bb22c9ee9fd73460bea7021065c868cea4248f1e9c4fbac37511007e87207838dcc4200d70c4ece4f3a9af25eda49b0b6242f3ff001bc455859edb30def612680c1c22ce3cf5e7e6888a291e869ba17a05443f13b1ffe74ac8fd6a13754f7ea845f0f9da494c29b138d7cbafd9cbaa7eb479a04158fc67be36627b1108e59732596f3671f44013b5f1c02aa513d9abc7ae3e29696e532b69c60061810ed1a6b791c11c5de5edc1cbab92f5e52cf8388f91166f9098d75448d19f8f088c3171a14b8b3cd963422b944b3f365701aef2f300cedb4e8acf5e2e90a7aa1a082851900003ff47f18a59103839fd8c7d2524437fa272527a661dfb8089df721e8d204bef4ba7d184234a0dd2a16ca0f12a2188b6ed4c85666dd774cb866eeae438e50d374758fbad0f57260ade7293b1f563f8acce49984d1b157810b11babe7f1e8697b6730ca55452ab7e9ca49e5880bdad1bf5a6278a2ee3b5b3bb95ce680f9926bf7071ebd121beec4b624f8aa463003e9a5841b35435892bc7130a9b9646b72179023c37cbed3579cb7e44a1a84add43405a6081bea07799d6531e37a29fd3a526ea9b752631d7b2451e182feeaf044f2f01bd44d799b667902b2072b6ac13dc0d09c36375b35fe052b4dc1b1433642730a542599acbe708a09cc6e2ffaade772efb62230787085d1f662c02f0734d7f54c464a55880ade0b15a354f4492a38db08e82db92a673d202d4744bbbee65db1cfb9f57b60a25d8059e8b3574b032f23b12176c3585d2c2c3438871fa355cecc6aca05c4af6482249a744f9caa8f8af1026facbfbb26fc2477700bedb73efeef785eaabc676abb5192d67b9a8d047f85f48938f25fd75ef9f24dd9b2bef9c836807625bb0cccdf63e5c6a38fdace68e0adc5818bfa204d96661066876e0f76d46a9422c3887328ed3b831519109705e04028644511d1ee02279e506a15cb674fa69dcd69425a683421cc05084e59a88af3e9f62d89934caf50ce61d0e7053ff24a80ed8f33b2f42477a65edaa6ea689be240c619e9b074725a347181f9a66585a1091f9083a3da5be267e3df00adec79b66894303359c679ae0b8871fc71b9c9f17878b6908ea01ebfac5fc0fd3097993cfc9358bd8c36a8bf804fb5064e062ff29c600182a67bccc3de529f37f4e5cec05a02074f0874ba5e8800ccb1ced2faa374c21715d9228cbe46e22a6ae77aee2b10202eefb1688df30f776cb4be8d3663310eaf60274c1a806128bdfb93f70f8de971c2ba63f2ea32585a65754ec715bef75ddea70f985e4781cc4e794678e24b9b5e7818a32b02a77578ad24eb68c53ab2a107335d2d19bb8474e163a8375e56b55adf85311f1e691a765b4852434e0f0f2f39761c5fcdeffa87d64c692cc0160dfd9c528b5fac08b1c0e3887b1e6e31ea6cb011535de9a43dbe9b7f3408d43f685b72adfec82c3d7556cedf45a0dc858aa60dcba9c2c93ba526f3332a428a6627afd3fc8e83db5c816d92f73fa391ed628640172e1640651db03a62edb0e5d614cce8720888722f940d59c41fea32150abf9a022d038a6db38c49f6eaa9ebe2c13dfc7e43094fc3f302a100b8993aa8108b90d14d31c276b666c26fd3e24e57da04670c9c5380530780cc03ba5051c993ae11274c888d5e81e4f4e4f03fc9855ba718f593341fce536f837d7835f130f647c5d2c404cde9231005a194716d4e73a4f0ee82472f67854733db2beeb7d47c6057ac64a4f4d50caa4119a132f113909b2959b3b2b5de4671e5e5b34d876438c1861f8b688b3f1ddad17a8e5b6e96a63f7e820f5585780497d466e673af61fcc1adcd0632e9f8427da52877c094c67bb82fa118492397ad861e08732c8d0b53b6e396e0a30b71bb6c047d5fcb85e2b37c6ff08b906084e69fa9d0c87351fee5a5508c4c547ada13730df7b089a09aa93ae2e3d8a6a195e63578bba0b49b546b87ce7b2e51c8fc13c40fd1a841d6273b79491d17e5f152b66b6d107603d4eac7db870d7869276ea5a6c8c0f98920abdbaafd19ac06e7055f5e96c3b7fad34e4772bcf2282ff256b07dca6af8665111612537774b41f7cd608fc4b43edad49e5d2315283a9cd790903332c7c22b7ca1463f2abb9f4ed75d3f721f8fd0c6f1e8716f3238f2020a47aa94fb3c5ea59922b2b0da393a8e1000a7caffcce353961147bd62dbaf190109fce60b8c9e44ca54ccdc56eeec24ac046e9dc6077bc5dfa3f5b52e4c00d6291e1f73c2772543328b08f0096ef68cabbd329ee48f9bce0d704f639db35e6544ae43721eede99ca2ba5a68535f447891e030e24243989d1f3b40b7069cb6a1d246bce978a2fe3b2ab3044f744d0ef9be5a69b6bb3f854a2f38bd8b807733685b1f02e0de4ac15bd9f9a7a05d9f95ea88bb6c0f7ad8bb2b9e3b6b65bd1a2d36649a919945816d93dda47c33e10ffb67e3f569618e7304230e71acf1f674b90db8ae3432ffa8968d32bea2b42fb17bbaffef115c36ed2813f5104f676677442cad693234571fbfaa4c4d9f9a64d57d01d05da72e1273625fe68f7a78839e3df8773310ad7c943e409209c6389be522de80864120b1276b561946c51478bb83e109b8aeafa7774a6cd9703f1f1ee20ec6b47f90055985b4aca77b5c8f0f94d771bbc988141972dafa64a3afcdf59d18d3ed594617e8f561890eaf8bf83569823e70d46dd60aca143d539ae370682ee5da397fdccae1fbcf8b467e69e7d654e00a6b79b67e241b0b0b2ce2b51d8c1c07a3ed31aebcc196ce234acf9f082c99f400c4ac3e79f72b626bc647765e5985b0decc5ad00a54f635f8f8492c4aaf1f51c45407b9693326b4ea5a49eae61f0e6aaa507f19914365ac6b67fa9a39c1981a93199585da2d306658cfc0bb3c71128e2b31fcc7d8f81f1a92e893b04c8c8cf56f6890cb61990ad9c36147a4a1ffdee035c5d7c2e551ab6f12eeef2cdb60c681fa6f10c973f88352e7f76f75ffc0180a6b3e392ace2f883e3c454aef714800f4090e5f049b31b82b4ddf6a2c36b83a22f782538487d0fcc6610bac610299a4b619ddda3f4194774a3bedcb7be2e7118e2e32df7223ed768ff3d1494011bc68f50ef858f39f42073ef2064f7e7356dcd19bc7ae18aafdbfe9088b6c5652d0da815c4220b3cd9aab3370dd9527f257711295f0f58e80cd9fb8719706fe7ceb00379325893448ad532160bbfc889097ae09101ecdbe64a8c860e41307c57b5d4276b5b9536fe7ec04c176551f9ae7c96782a35e85a500a2d85bf4842b366856ae48e2c5c3960d6a65b2f83764c7a14c87f4e954d1f249e49d3dd8350e399b16a8dca8d3fa0ac28df83891d181a35c8cec8171d9707d006120a747f836c6ec771434a7d4706d71edef227a79e4e55446b512c466a58d171ea40801dd49e2bfd4f6329a3aa301011c1f4d687ac1e4fcf7bc7336a02efaf0690fcd5372b2eff49e6b0297d6e18f199b27e3697400685ef3bb3fa98e985e5d24f6b3e67d62de7e083e5e9d555fb2221dd8aa4dbc2b2a5bfff9be6ea588489cc2fc344210699d6d5bd9bf837a5edb994ad1dd1c0c8a87669bc0ea6112f25416346cde67df15d45ef577b87489c53bd28fb3d38dd6d825418764f653e76800218eaa281c35f417c781cd68474f9d0fac2c0534224bfa898fee177d154d95cdfb03906eab3153af76b0ae4c58e10e4b3570997798121fe458a981532d17fd9b4e382a53908c6bbb64e4a77fab175f4a9a30c7796708a373480ef53f66a49c496590f8720b0e3a2161e14c247b6522172621f867795971ebd28eb52c0861fd8852ac8b223c57a7ad45c379a6d2576992f373bbe7c4b2f8a2b01ca8c630c101bfbea1d95438b45381a06fe7c43e089323901540448340999986b82b25d0f0e9d7932ee449b5fa1d3dc3f0a6139c38e4c9dd040d38121d9c4c748eea07f262ec82b91fdad5ae655c9c33df90dfd2ca0691962d736ee4a75d992b3bd71370129260299268cc5efa2d2b062c08c148849b35aadcc22b05a16df66f48a453594cde1dcd3be486db394a77648025aa929e81ee6b4e25011aa7b9f44724c9ce6b169f72e40dd18d9aafe78b419b10371c8077e57742f990b8a0275384cc774ade20bc5ffd728ccbfd923f1bd9e647e7f52a4aa9a3db43f0b97fd5eb7df9d625895d677bfbc35fc09c77931d028b5b6df0027cb0064ae52d03cdfaf42a2244eb7052c469f4142af3e00b89e529c441409aa13e739d9dc453de1d99b7d86572bc2ae395aa42341d5211cd33596e7cfab55073f1eaf3a27c4cb477df1a257073ecb3bb33e532dcd160aac50d90eaef8171eed3e2061de0f34459becdbb9fff0f4a5e7b1863b69cd159dc4785cb91598a6478cfd4c48df24ca6788a24791affda6766d0cd37f8a711043b6f4ecb4238f837ddb8186768af19009365b0a113357a96bd84e2a822d82c9ce0308c18f9cedd3e48304271f2a7d16f5472c52912a691742e7490a964217b05d6bcc7eee55234ce8a6b20588c02b6bf07f81bbf09e1635d259ae845ad4439ff221d2f4c9c2c462f068798acfc954ae7e2bc6bebb683de8885fd9dbaf820ae75a96f896fe8c1a1e002dfad5e9acb8d820c937ec1e41f03a7f536faa414961fdf62183f0b991489fe215cfabbdc3aab96ab93b905d823a8f3275e0c44977ed4a8946c2524ed9f1746342d4e2768fec496239377bdad83a5b242e09390a7f7452bf8ad307e1b77b33d42f1aeb87906e164aa75e10c83cc8f5b5552a767e3623c029095b7e879c10366a05baaaa3bf5df2321d7bbb35a3c40ea9aba3ad1873374b765eff1e470a4054d50c42678c5963701443dd9a744c0d24d50eaa07c045b642069819ddb451b67da08c9aa4b86264c70b744b3273789b59e1b5888ed94709981e8426f804f2f9bf5ebb7895383d24554a6ec11666165eaa145960a8caade22d587da47ad86d6baeb190dd3050de1c16725d0c30e2c601c8010bf3f9ac127978b244baf58a83bf708d24fd09e7f6886d94f37f3bcf56f3a134b88c8e67f3c0b380e3ea0bb813381a8f5941e029f7c9bd8668f604f57228a97a8f897423b83f2b491ad789181eed440638164213e7c4b2339926508d39e33de10e89be0ec9658f331edcf5f897e81efdf574d9b0a6faef07a7fbfed58edbdc711d430dd771d5689f82f689692dbae3fce7cc058c27a87ce66339b91d38fee63b87937dd05a6f01358c9f96b00cf354b1d25bf2e7e5101ecba8e0ab8db2f82deaac5f1a2e2973a87eff61ff5602fb1834633cfe19cad712cf798f372b5b9b6598ade5fac2ba06f259523050b254ea432d198080d247c3d87585cf35a54185ae96fb9a7373688f7a823edc"}, {0xe8, 0x29, 0x3ff, "7d69f733ffaa94a0b892c93ca857de2b957b8e67e849fe94b9e40aae435c58bba23fdf46a1a673f6fcc1796935f06334df24547efef591109128d774657321dc905ff48106f6ca08596d9775e2578c75e4bad3b789dfe2d6d8c552b1ba4781b882d0496eae397733271a93ddbabe519ef08436c9f949d8c7033e1f4600b99cc4ba38a2d6fed162a488df110621d784007a6807b96a1a70986bd31555721a0e3f70baa8939d67d37902a9aadb49d9280aa53a27262667489ee86232a45603d98c1ca6c6f9bb96a31a11a5c4d810547250154e70cf97d742"}, {0x38, 0x0, 0x5, "2b1a3536eda49dc079c052d72041c6888aca708e6384875bbf253a319f53d6d82f9aeecd704f"}, {0x80, 0x0, 0x40, "9cee1e2c049c8d60174d42d1e1940380e0e94f7d4f5f5d3ece3d6a560e093ae9fabc83c07a14dfa5ad51569a85ce7f4b518160afe1bc92d89234ca6e11859a5543a3af7691798a78e791957eca4d15e279ad52f35936d5770d7edf40223a426c02b43379674db04db773d4bee3b61b5c"}], 0x2488}, 0x4008000) [ 1355.470869][ T2891] binder: 2888:2891 ioctl 40046207 0 returned -16 [ 1355.480822][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1355.490403][ T2889] binder: BINDER_SET_CONTEXT_MGR already set [ 1355.508151][ T2889] binder: 2887:2889 ioctl 40046207 0 returned -16 [ 1355.535397][ T2898] binder: 2887:2898 transaction failed 29189/-22, size 24-16 line 2995 [ 1355.535422][ T2897] binder_alloc: 2887: binder_alloc_buf, no vma [ 1355.536009][T17703] binder: undelivered TRANSACTION_ERROR: 29189 01:56:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:48 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = getpid() r2 = ioctl$TIOCGPTPEER(0xffffffffffffff9c, 0x5441, 0x800) ioctl$TCSETAW(r2, 0x5407, &(0x7f00000000c0)={0x3, 0x8, 0x7, 0x100000000, 0x14, 0x80000001, 0x3, 0x4a553e15, 0x0, 0x9}) fcntl$setownex(r0, 0xf, &(0x7f0000000000)={0x0, r1}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) mkdir(&(0x7f0000000040)='./file0\x00', 0x0) [ 1355.636641][ T2897] binder: 2888:2897 transaction failed 29189/-3, size 64-16 line 3148 [ 1355.648975][ T2906] *** Guest State *** [ 1355.659427][ T2906] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1355.677413][ T2897] binder_fixup_parent: 4 callbacks suppressed 01:56:48 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000100)=0xb1) fsetxattr$trusted_overlay_upper(r0, &(0x7f0000000000)='trusted.overlay.upper\x00', &(0x7f0000000140)={0x0, 0xfb, 0x1015, 0x4, 0x10000, "6d6355f05d9aef84ee9740975a37dcce", "9f192971b92ff6d4a8e303aa20b3e4b7461a14f3ebf8d6104eba519b9ba3b709a4ba5a2b2954cff996a084c00a3e16a86e223c4cdcdeb3f4b02445a4e4039c0ca85e402504f7fba04686571d490a1154a1250d45d786bf05b96571a498e8ce11bb3070fd7395af54c64f0bc0d625a393314675a722f75dc243ae441d59a6f68ea85615503c363238eabfd59e170a8a39a9ac797cbae3336d3566608c58d132a1263f30248d441855823e0ff013f2b704d6b3ad5d49c0267d79a1a99d87a26fccefc94723b54ad96b6f803210e1b64b2e3a54cdd567c02de0b9e3a9f353221772c20ca0cb6fa785068af247adf6690e9b7e2fd4f7fb11f2a2816cb19fc0ee248a5e918e757860ae69929e4a72441f37e91c8b1ca685d495e148dcc6b08e371e770eb636cf71f67ccd9128dc9375a2cd53713d03ac8d4c90372e30877fa90c298340d7d3a10068ced771d2d29ed50933c894112d5a4f0abcae506f90d36a74f64460ab7124eb870f134515e93e3b52111d4dad55f227067aec0c831fbf052b6dc729a3673efafdc8ff37ead32359302107d263688095e752ba1bee24dd253902f51e052a2a5f36ee72a464d7232c947e6c4c5dc3bd77610310d4f7e99bd2f538857c719dc2dc694569e03dfb6283bb0fd6406d463be6e647362e9f1589b35ef91c080a3fdb0f27706579cbbf18d1450fe193939a3a20ee12e64cacd5c9b2bd6055413e7fb15229532007abf2f3603bec98bb361be07cba6136e1e3080076149379554b3742208f4dbb409f0685b58260500172ea5f33fabf0d75e0022a63a5d8e2bc784e57f995d364ccff9e360517707e739e71c226ef000f6fcc0aaf6d64bfd2e2bd82e68945de65915319b0874e2c3d5f759f5c1dc1985dce97b085e2f25bb6d8a8d97f47f6ff118d90442afd1cd3dce966f0441dadf278237d8eb727f63cca6513896d7890879840720b6ee7368da31b2b4a01b11e3ca8d815086f0cfaa63a9dbd5a375326b6c95fdfb7c0c0758969cbf218c0ba392c8917245b54097a4ab82c56be8371181f31f6043e2d933d97a2c88187f9be4295a5cbd95718ea04e63620c4b7277e384394245b9ce8bb6ac23609ee9bc97178a7cdc2b1487996d008db61035ad02a5625d1b613f4eab7c243cdcd23219e024d6f069fea935aa7cdf5225ca13d5a07b90049ffbc8ef9937241571191704a69ec3855d07d9e5f242aa1ce100113ea23d45892adba3f4fcea44edb5efe6307bb1f2627415704a7e8a5c53af395441053998e2985aa2a2627b046cdf3db5466cbd82e2d411410ee36269f14b4bc08f0aceb85634bf61c64c05abed0db936dd877353ed807d04675e2de7bed4f8c503589c03282bdc25443c11d18f4e8f3af823ece13c24c7f9ebdeb2e3cb20d333013bd82386473eb48b5842b811c1c95d6536ac4d33a201be163669633b5a7f3ace630adb53909a2fc83ac69703293e4822e898149178b0ef76edef3ef3fa7a7b17733b7e1870bbd14cc35a6a64948a83e40b7728c5371cc9da748b0de4bd80cfe30c672b3e8d15e03649fb7ae89b5f7dc5d48199f4df6d48540b7f3c782959143c273bd0d4000c371fe9a10c25d052be18fa4840b3975b6bab564611da4279541839708db67c748ddb92948f5c6acddf5780b12a6040a88d48ecc0092034642334dfc9e3cfa2ce04b1505a6a513b2267f2edfadfaf43055a589c8802da08e5d79f71e569ad02c2181cdc40f1bda63eee96df6211d01196e4736361dd3f09cc272f7793ddfa15390a99cd9be0b2619fd774dc0b0fb5ce202a270abc1f5e72fa6024fe3f25c13ad2c89c99af43a4fe1f1f45d056d558d4f1212097e52a30eefed1cd6553f4ba8f743ceb8e4675dbb31c0676cb15f41f9ac66111d467f5fd39f062bb059d6a48358aff931e5df53a7cd5f05bd735c187fc22976ed6885edce4d6d1f5a968baec4a992bd41aa7a2ad171305bb43a1b8ad0f2483c07cfa3ec24605ffc0ce5c956c14d6aa17177a72febc7493443d1060e7a515aa285861e6b5268ea37fd310b5ca6c1988268000d57a494b68c9c3a35f30d77cb3f703fa775b515c610a2033840a8ae6fa5742e175c8b9ff2653416447edc2730c86a728a490e70a7fe3c06854aa3ac44956fe67debc7ccf0293ecfa76b21b5637fdfc279d3c0e321ee243945144652fe6663ca6992d07a9d7e7a8421cb64e4f3a26ca716e289db31277d1e37ef124fa356d32697468c019f6f5aa4690297279600b9e7201a6bee62d325eeeac4b5e4f51b9648c79b7b68755996742c11c49f391360c71995fb9a7945366a29952122bfad2256d9b880b3d09ca8dcdfa33ad3a1019c349ab9d27823a88e6c1ba2958d061571ad75ec34cc9e9fb37e721dc78eea11e92256f207f7c67afab684efe0d854bf423c35a8214945477f16d159527a46d8395cc890ec35d77800594776f4d0e8cada8002047ae1f755b4270e72b55f692509d64bbb8321e176fc3cf2ac452505e9f2b36851f6ec661f094ead89542c81d2616f79813109ff3e26dc0ca2980101798486678c85e7634fced1343a449cf8872fe3f80a202ef3949dd11ef1f78566c1677bc3f04577c59e1d9e3c39088197da8df1fa88e34e7497e898840a5528d132d978f347336966b093d5ea46a6b78665c6583eaecb216bc53c89d040bef12803ad54016876ed8ed74ba3bfb6e53434c82c75fae7a86ed0a7f2e827889b7da15ae5039255eb92df8f59eeae144ffb9f245bf10d498b3af84ff98a22f67576871cf7c975fdbf67fd83ed56ce03b20a4f4128c72904f58e689fde0bc59602e5388883b38699021d908cb31be417683c0df0997d6c2665dadd033b7e7dcfbf2000da9db0063783cc562447034b6cfda0c78a70111ebbbae023635115ab534aecaee9d26fc71d16e8959c785bd01a1a634171b92cfb1da14cf705520611dce9b4416db5463f84aa129428abe150fb19274dd034f1c5d261ed7601a5a3e9dfe54d1606c00adcc154d377b2669003a6c0b9a7b0f4524bb42b54578ae9d9ea3099a51eea3030ea0f2968a0e6495e543524b29495abc4368a44a8140bf68392d206888a08eec3bc86e948de2a4c5beabfb0317e5b41061efd444d65057e43b263f94416366d238d88b101948fc3259be795af89e7e3115e709739ac33ed16ecf02571b772980180aab7c62b117cbdafff69a4e6d4bc1e6d581225c51ff9cebe79a56f527f9e0e69a1f3047a9082ae9b455daa32e9fdf3a30d2e494651dbcbf32c45525f09c6a5b93f04ff28a37a226efdce91c5e7459b00b352ee6195f6c0d2c4eb032d1bf2bb3076fe98a2ac2d6079c73b52d94a430102c3a58b8891659d8d95201e1140839c42bcbec70c7f50532c3d0b661f7876398c0eca54129d8f73329ba7c1332c375cdfd19b8ea4265b1e142fcd922c4dcd283a0b3e1cfc3db768504cba8b74fb106eb47c02094732aa32bc9b539e6217f9e84c9fd55edfc7c2d06640e8816458d3354e5166aafdf9db688a591a7faadc8fabd258aa1dc6d11994665ad9beb2373ce479d55d2611f7d6adcdd1255a39e3e892e92819876d1df9a4454a7c0afeccd84f7359eaf2b41f0da7e30d754593ad70ab58f5dcec53731aa4a511bbe5c629b372f063742ccc34a7aacfa536959487d1f0a9afce6d9f06ae3fb871e30719499bcc3502d1e37b14b1dad83b01f8f3c6995fe29551dc9cdd2aab3038e73c2d76fb49388590fcb0d095b10a8b35e8a98151a158fc9de22a5e95fba6772ab94ff2e83d57a2f760f08af9608e4dfee933ec58337a801e9394f72d6dfafde30effe2940dace51ed245a81f08636973085ba8ecd6411669780becd59311a1e86aa42322d6aaa0734d114658c67626f9903259ab1fe979a6bd34e7d3c59823fe396ada0c79bbfbc04b030f2f6dc98a0c6d535dfb736fbe7d7232077a697fd45aaf6228a7a419d371f7b2b978e364f57cfa6540d2f74cb8a750f73263bf0add528b7c01d0fd3409f7707b1699b68c3ac045cdaa3a12e3889c215fba4b949bf517ed072c89529b6175f97e1bc45e3e2115c9dbd66709244828970274e36f547eaa537891d50300d599cb6d1e8cc6f08ee31a252a699e5767cfd74d8c9b88dd50dd95f26f270ae15cfbc585a48003f97508f0a1958ee8f1a99058f6e64bcc2579502b0425a889a97919c03fc157a635364fbd5943e497d15271a764aa46ad9d84888448de452f9200dd76f85b3f02d11d0808e31b5daee575f485eba0ba8b611ee82dbc69b68af185074ae49005e7f465b62b8737034785f918bd89bb787fba8416806864ccb0ef71c8c4a4dc393705d372bdc75c11f343ee3150bf758ade244c77e05239752148b262a54ad29bed19255dfc680bada356df27bd4295aaff1065f9737c098eb4e741afae1936671866c04f50d1efbf737bb4e9e31677c009a9bb2b1396b425db620f3adcb70f1cc77cc9c43e01e93d2df8dcc1ed3e87c231d7ac73aa43d99d5a01cc939b0bf5366b2e13e5711cc460d0b9b0ca9acc34e33975dc7c22393c61c3ebc28d0b6ca7c12307267244f29e848a1ffa55b59d6a6d88df1d727d33548d1d1c614e2277f95b5039d36c31069a809d2b2fe208d48d57e679fcd758facb58b451dcd5e50fe50148d860071b19159c300b0f189b4111fe00e4d874b50d1b45b02da3cb5d66a9c3dbe92d8d7128553b0ec659e9d3b17a704bd8ed3e16e1e933bb93b73b4296173b01051ddda93afe595f9aef70978c1d983311175ec7d77585689e172b2acd7203748a1cd24dd1787cfe7365b4e1b6949fe6ecc170b1787893d846ecac9b9d8f5b24ff25b6915469ab71930960320f1acf27a4ce544040d2e67137ef4d3d03d73e4f6c98f141547eeb81e39eeef3555689d2604601ec9ea616fb322faa48b69092225a8aa658f9a145860b135a90804f1615a2b27aead6c7a1855fb9c6c2d32a305d16c23798a79df2e484eb389cae138238a016685fa12da462fa27f568ad5591505c82ec78ed88b4495ee134cccb5bb126c1288c0c41c29e46aa24cf575d99b733373495cdf9f1b316039e4a2f07ac56616071b2d64f6e84ce0ea4d0e12ff17c4269e1f621313e981830883c27e350a29c1fed4b9913f0884be4a13a542792058d99c842e6fedbbc0a61b6d5b4e645f2bdf9a09d3ab29d286c6f3b2a59beefcba4ba5f7e370e8a6bd7c7783c6b10286d7f71760609cbc98af424f5aeaa04aa08e84c01cbbd4ced753d505ead8fd2aed74eb4660b6e4ae332d3c2924c0729bd6ff092af96d2dc5d1991af1b13c0c0769a3bdd869e3c0d1f7ca89546ef11a09c1693de66f17cd313f59a6221a6044a965b08098a6d7a7145f8f3b118874491e57eb14c8688852301fe5e12c4c2c19c918e062dd9a526b54f4c9f0ceceda1738d7fb94d346d7eaac64cbd4100d96dc1ca229650a9b1c921860ecf7752c0c22962fc9034cca3b970d00baffef0ada46f86d8f63e4039f0ed8af3e9f5066d4c0ce4997afd270964afaf21935afc3d7c652692ea650e7e5002448beaae2d133b5daa21dbea8611c68fedacefc6590fdbd32f3ba492f8755f214145ff8e03bad3834c29739d4e204007242924e3948c3bc79dde1a00abc8a332d25513547b897b01d523616b86b3dde6c7e1a6387774029bc9a35cb103610f4b7036607d5bb6b04f1b9a99619318f2a5b8900fb1f578ff2b6fc3bb6233a7314eba852c8aaf5eaadc88e5c8a0fbcbc1f95dc6db919f0bdd9a1bb7dff74d72262b3afc318dbc0d78522eb3e891d3319ec8fbd558b2667c"}, 0x1015, 0x2) [ 1355.677423][ T2897] binder: 2888:2897 got transaction with invalid parent offset or type [ 1355.693112][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1355.699953][ T2910] binder: BINDER_SET_CONTEXT_MGR already set [ 1355.718498][ T2906] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1355.734535][ T2897] binder: 2888:2897 transaction failed 29201/-22, size 64-16 line 3389 [ 1355.747791][ T2910] binder: 2909:2910 ioctl 40046207 0 returned -16 [ 1355.762181][ T2915] binder: 2909:2915 got transaction with invalid offset (117440512, min 0 max 24) or object. [ 1355.766121][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1355.790201][ T2906] CR3 = 0x0000000000000000 [ 1355.791222][ T2915] binder: 2909:2915 transaction failed 29201/-22, size 24-16 line 3242 [ 1355.815948][ T2906] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1355.822244][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1355.829775][ T2910] binder: BINDER_SET_CONTEXT_MGR already set [ 1355.842726][ T2910] binder: 2909:2910 ioctl 40046207 0 returned -16 [ 1355.852697][ T2906] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1355.856077][ T2915] binder: 2909:2915 transaction failed 29189/-22, size 24-16 line 2995 [ 1355.879376][ T2906] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1355.899319][ T2906] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1355.919581][T31106] binder: undelivered TRANSACTION_ERROR: 29189 [ 1355.935254][ T2906] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1355.959264][ T2906] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1355.979590][ T2906] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1355.995145][ T2906] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1356.019303][ T2906] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1356.054834][ T2906] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1356.079314][ T2906] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1356.099249][ T2906] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1356.119275][ T2906] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1356.139293][ T2906] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1356.159251][ T2906] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1356.179330][ T2906] Interruptibility = 00000000 ActivityState = 00000000 [ 1356.195109][ T2906] *** Host State *** [ 1356.199543][ T2906] RIP = 0xffffffff811b4980 RSP = 0xffff88805aaef8e0 [ 1356.234853][ T2906] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1356.244942][ T2906] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1356.279319][ T2906] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1356.288824][ T2906] CR0=0000000080050033 CR3=000000009fa57000 CR4=00000000001426f0 [ 1356.329230][ T2906] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1356.336728][ T2906] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1356.359213][ T2906] *** Control State *** [ 1356.363406][ T2906] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1356.389215][ T2906] EntryControls=0000d1ff ExitControls=002fefff [ 1356.395406][ T2906] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1356.419214][ T2906] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1356.426608][ T2906] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1356.459210][ T2906] reason=80000021 qualification=0000000000000000 [ 1356.466245][ T2906] IDTVectoring: info=00000000 errcode=00000000 [ 1356.489205][ T2906] TSC Offset = 0xfffffd2763e2e815 [ 1356.494235][ T2906] TPR Threshold = 0x00 [ 1356.498297][ T2906] EPT pointer = 0x000000008a45b01e 01:56:49 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x4c00000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:49 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm_plock\x00', 0x400, 0x0) ioctl$PPPIOCSMRU(r1, 0x40047452, &(0x7f0000000180)=0xc1) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r2 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x1, 0x4c80) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f00000000c0)={0x5, &(0x7f0000000040)=[{}, {}, {}, {0x0}, {}]}) write$RDMA_USER_CM_CMD_CREATE_ID(r1, &(0x7f0000000200)={0x0, 0x18, 0xfa00, {0x4, &(0x7f00000001c0)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r1, &(0x7f0000000240)={0x3, 0x40, 0xfa00, {{0xa, 0x4e21, 0x1f, @mcast1, 0x8}, {0xa, 0x4e21, 0x3a70, @mcast1, 0x100000001}, r4, 0x8}}, 0x48) ioctl$DRM_IOCTL_NEW_CTX(r2, 0x40086425, &(0x7f0000000100)={r3}) 01:56:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x20000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:49 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'ip6erspan0\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x40, 0x0) setsockopt$inet6_int(r1, 0x29, 0x7a, &(0x7f00000000c0)=0xa2, 0x4) ioctl$sock_inet_SIOCGIFNETMASK(r0, 0x891b, &(0x7f0000000000)={'caif0\x00', {0x2, 0x4e23, @multicast1}}) 01:56:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xa000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1356.587319][ T2921] binder: 2919:2921 got transaction with invalid parent offset or type [ 1356.598598][ T2924] binder: BINDER_SET_CONTEXT_MGR already set [ 1356.614801][ T2924] binder: 2917:2924 ioctl 40046207 0 returned -16 [ 1356.621630][ T2921] binder: 2919:2921 transaction failed 29201/-22, size 64-16 line 3389 [ 1356.638338][ T2924] binder: 2917:2924 got transaction with invalid offset (167772160, min 0 max 24) or object. [ 1356.655344][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1356.664535][ T2931] binder: 2919:2931 got transaction with invalid parent offset or type [ 1356.669653][T31106] binder: undelivered TRANSACTION_ERROR: 29201 01:56:49 executing program 2: r0 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x400, 0x0) ioctl$VIDIOC_S_SELECTION(r0, 0xc040565f, &(0x7f0000000200)={0xf, 0x103, 0x0, {0x0, 0x7fff, 0x100000001, 0x7}}) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) ioctl$TCSBRK(r0, 0x5409, 0x4) r2 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x100000000, 0x84000) write$tun(r2, &(0x7f00000000c0)={@void, @void, @ipv4={{0x17, 0x4, 0x0, 0x9, 0x110, 0x65, 0x6, 0x5, 0xff, 0x0, @multicast2, @empty, {[@noop, @rr={0x7, 0x3, 0xffffffff00000000}, @noop, @rr={0x7, 0x2b, 0x5, [@loopback, @multicast2, @rand_addr=0x5, @dev={0xac, 0x14, 0x14, 0x10}, @multicast2, @loopback, @broadcast, @initdev={0xac, 0x1e, 0x1, 0x0}, @remote, @multicast1]}, @ra={0x94, 0x6, 0x4}, @generic={0x0, 0xf, "be21d8a669f94b8bef0cb116de"}]}}, @tipc=@name_distributor={{0xb4, 0x0, 0x0, 0x0, 0x46c, 0xa, 0xb, 0x2, 0x7, 0x0, 0x0, 0x38a, 0x2, 0x2, 0x4e21, 0x4e24, 0x3, 0x0, 0x0, 0x0, 0xffff}, [{0x6, 0x4, 0x1, 0xea9, 0x100000000, 0x8, 0x8df, 0xff}, {0x2, 0x0, 0x8, 0x4, 0x6, 0x7, 0x3ef, 0xfffffffffffffff9}, {0x9, 0x101, 0x2, 0xd5f4, 0x100000001, 0xe0, 0x3, 0x8d}, {0x7, 0x3, 0x4, 0x0, 0x100000000, 0x367f, 0x80000001, 0xffffffffffff62fb}, {0x7d, 0x10000, 0x2081, 0x10000, 0xffffffff, 0x1e, 0x5, 0x1}]}}}, 0x110) sendto$unix(r2, &(0x7f0000000240)="ef864ff8aca2a307507eb6", 0xb, 0x5, &(0x7f0000000280)=@file={0x0, './file0\x00'}, 0x6e) 01:56:49 executing program 0: r0 = socket$inet6_sctp(0xa, 0x7, 0x84) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040)='TIPCv2\x00') sendmsg$TIPC_NL_NET_GET(r0, &(0x7f0000000200)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f00000001c0)={&(0x7f00000000c0)=ANY=[@ANYBLOB="d8000000", @ANYRES16=r1, @ANYBLOB="000026bd707935c98d250e000000c40001002c0004001400010002004e20ac1e010100000000000000001400020002004e230000000500000000000000002c000200080001000e0000000800010012000000080001000900080000000100160000000800020006000000100001006574683a65727370616e30002c0004001400010002004e21ac1414aa00000000000000001400020002004e21ffffffff000000000000008aff0000001400010002004e20ac1414bb00000000000000eb1300020002004e21ffffffff0000000000000000"], 0xd8}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000) 01:56:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6000000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1356.692210][ T2924] binder: BINDER_SET_CONTEXT_MGR already set [ 1356.711137][ T2932] binder: 2917:2932 got transaction with invalid offset (167772160, min 0 max 24) or object. 01:56:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x28000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1356.773175][ T2929] *** Guest State *** [ 1356.779802][ T2924] binder: 2917:2924 ioctl 40046207 0 returned -16 [ 1356.809598][ T2929] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:56:49 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x100000000000000, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1356.837963][ T2929] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1356.852072][ T2945] binder: 2942:2945 got transaction with invalid parent offset or type 01:56:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6800000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1356.879679][ T2946] binder: 2942:2946 got transaction with invalid parent offset or type [ 1356.889546][ T2929] CR3 = 0x0000000000000000 [ 1356.894324][ T2929] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1356.919541][ T2929] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1356.958906][ T2929] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1356.985885][ T2929] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1357.032087][ T2929] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.053739][ T2929] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.069056][ T2929] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.078102][ T2929] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.093130][ T2929] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.104420][ T2929] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1357.117460][ T2929] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1357.128613][ T2929] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1357.143705][ T2929] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1357.153552][ T2929] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1357.165948][ T2929] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1357.176197][ T2929] Interruptibility = 00000000 ActivityState = 00000000 [ 1357.188254][ T2929] *** Host State *** [ 1357.193373][ T2929] RIP = 0xffffffff811b4980 RSP = 0xffff88808f2e78e0 [ 1357.205861][ T2929] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1357.214195][ T2929] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1357.229239][ T2929] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1357.235868][ T2929] CR0=0000000080050033 CR3=00000000a5b4b000 CR4=00000000001426f0 [ 1357.249797][ T2929] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1357.257180][ T2929] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1357.269145][ T2929] *** Control State *** [ 1357.274513][ T2929] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1357.286986][ T2929] EntryControls=0000d1ff ExitControls=002fefff [ 1357.294323][ T2929] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1357.308768][ T2929] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1357.317332][ T2929] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1357.330997][ T2929] reason=80000021 qualification=0000000000000000 [ 1357.338026][ T2929] IDTVectoring: info=00000000 errcode=00000000 [ 1357.348395][ T2929] TSC Offset = 0xfffffd26c42025ed [ 1357.355563][ T2929] TPR Threshold = 0x00 [ 1357.363672][ T2929] EPT pointer = 0x000000008713901e 01:56:50 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x10000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:50 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x9, 0x4000) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, &(0x7f0000000040)={0x0, 0x0, 0xa, [0x12b, 0x81, 0x9, 0x0, 0x9, 0xfffffffffffffffc, 0x400, 0xfffffffffffff800, 0x0, 0x7a]}, &(0x7f00000000c0)=0x1c) setsockopt$inet_sctp_SCTP_AUTH_KEY(r1, 0x84, 0x17, &(0x7f0000000100)={r2, 0xc2e}, 0x8) 01:56:50 executing program 0: socketpair(0x9, 0x80005, 0x240000000, &(0x7f0000000000)={0xffffffffffffffff}) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f00000000c0)=[@in={0x2, 0x4e21, @initdev={0xac, 0x1e, 0x1, 0x0}}, @in6={0xa, 0x4e21, 0x58, @empty, 0x7fff}, @in6={0xa, 0x4e24, 0xffffffffffffff00, @mcast1, 0x80000001}, @in6={0xa, 0x4e22, 0x8, @initdev={0xfe, 0x88, [], 0x1, 0x0}}], 0x64) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r2 = openat$vimc2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2\x00', 0x2, 0x0) ioctl$VIDIOC_ENUMSTD(r2, 0xc0485619, &(0x7f0000000140)={0x20000000000000, 0xb000, "0b33533596564e8a42170101d7110723a07199d740bd196b", {0x1000, 0x100000001}, 0x9}) 01:56:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x38000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x6c00000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1357.470564][ T2959] binder: 2957:2959 got transaction with invalid parent offset or type [ 1357.493336][ T2958] binder: BINDER_SET_CONTEXT_MGR already set 01:56:50 executing program 2: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000400)=@ipv6_newrule={0x34, 0x20, 0x1, 0x0, 0x0, {0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, [@FIB_RULE_POLICY=@FRA_IIFNAME={0x14, 0x18, 'veth1_to_bond\x00'}]}, 0x34}}, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) 01:56:50 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x8c) [ 1357.516782][ T2958] binder: 2956:2958 ioctl 40046207 0 returned -16 [ 1357.530404][ T2969] binder: 2957:2969 got transaction with invalid parent offset or type [ 1357.540415][ T2970] binder: 2956:2970 got transaction with invalid offset (268435456, min 0 max 24) or object. 01:56:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7400000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3f000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1357.583601][ T2958] binder: BINDER_SET_CONTEXT_MGR already set [ 1357.619902][ T2958] binder: 2956:2958 ioctl 40046207 0 returned -16 01:56:50 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x3b1) 01:56:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x18000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1357.693443][ T2979] *** Guest State *** [ 1357.697499][ T2979] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1357.744219][ T2983] binder: 2980:2983 got transaction with invalid parent offset or type [ 1357.759287][ T2979] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1357.789686][ T2979] CR3 = 0x0000000000000000 [ 1357.801280][ T2987] binder: BINDER_SET_CONTEXT_MGR already set [ 1357.804291][ T2979] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1357.837605][ T2979] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1357.839238][ T2988] binder: 2980:2988 got transaction with invalid parent offset or type [ 1357.855086][ T2987] binder: 2985:2987 ioctl 40046207 0 returned -16 [ 1357.855123][ T2989] binder: 2985:2989 got transaction with invalid offset (402653184, min 0 max 24) or object. [ 1357.889673][ T2979] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1357.913797][ T2979] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1357.930034][ T2989] binder: 2985:2989 got transaction with invalid offset (402653184, min 0 max 24) or object. [ 1357.945980][ T2979] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.976001][ T2979] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1357.994967][ T2979] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.014853][ T2979] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.027998][ T2979] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.042989][ T2979] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1358.054327][ T2979] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1358.067537][ T2979] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1358.078538][ T2979] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1358.094462][ T2979] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1358.101962][ T2979] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1358.116211][ T2979] Interruptibility = 00000000 ActivityState = 00000000 [ 1358.123536][ T2979] *** Host State *** [ 1358.127539][ T2979] RIP = 0xffffffff811b4980 RSP = 0xffff888055c8f8e0 [ 1358.140529][ T2979] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1358.147734][ T2979] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1358.162601][ T2979] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1358.171542][ T2979] CR0=0000000080050033 CR3=0000000095d54000 CR4=00000000001426f0 [ 1358.184189][ T2979] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1358.203050][ T2979] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1358.223045][ T2979] *** Control State *** [ 1358.227303][ T2979] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1358.251138][ T2979] EntryControls=0000d1ff ExitControls=002fefff [ 1358.279295][ T2979] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1358.299251][ T2979] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1358.319325][ T2979] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1358.340174][ T2979] reason=80000021 qualification=0000000000000000 [ 1358.349300][ T2979] IDTVectoring: info=00000000 errcode=00000000 [ 1358.372133][ T2979] TSC Offset = 0xfffffd2647a9409f [ 1358.377436][ T2979] TPR Threshold = 0x00 01:56:50 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) socket$can_bcm(0x1d, 0x2, 0x2) 01:56:50 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x7a00000000000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:50 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r0, 0x84, 0x70, &(0x7f00000000c0)={0x0, @in={{0x2, 0x4e21, @empty}}, [0x9, 0x0, 0x1b, 0x1f, 0xe786, 0x2, 0x4281, 0x1ff, 0x7b9f, 0x6, 0xffff, 0x2, 0x1, 0x2, 0x6]}, &(0x7f0000000000)=0x100) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000040)={r1, 0x3f}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x37) r3 = socket$inet(0x2, 0x5, 0x2) getsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r3, 0x84, 0x22, &(0x7f0000000200)={0x7f, 0x0, 0x101, 0x2, r2}, &(0x7f0000000240)=0x10) 01:56:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x40000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1358.389217][ T2979] EPT pointer = 0x00000000958c501e 01:56:51 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x20000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:51 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$audion(&(0x7f00000000c0)='/dev/audio#\x00', 0x1ff, 0x50b200) ioctl$TIOCSIG(r1, 0x40045436, 0x3) getsockname$inet(r0, &(0x7f00000001c0), &(0x7f0000000200)=0x10) fsetxattr$security_evm(r0, &(0x7f0000000040)='security.evm\x00', &(0x7f00000000c0)=ANY=[], 0x0, 0x0) setsockopt$IP_VS_SO_SET_STARTDAEMON(r0, 0x0, 0x48b, &(0x7f0000000000)={0x2, 'gretap0\x00', 0x1}, 0x18) 01:56:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0xfdfdffff00000000, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:51 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x8, 0x10000) getsockopt$inet_sctp6_SCTP_RECVRCVINFO(r1, 0x84, 0x20, &(0x7f0000000100), &(0x7f0000000140)=0x4) write$P9_ROPEN(r1, &(0x7f00000000c0)={0x18, 0x71, 0x2, {{0x20, 0x0, 0x4}, 0xa8}}, 0x18) setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r1, 0x84, 0x16, &(0x7f00000001c0)=ANY=[@ANYBLOB="fd1c4a8121caebd6889130e0575beb2d0d7fdb109f5504153b291a339a2c600c82a60b737700b56df2537ee51416d9ddba10931ade2ebbbcf0c7db6572c537364dec5368add5263d9b0480c8e9202df103065cdd619bb1b0e1cdd1e983b4faabee8b56a6e9f90064a4b47ec1a5953f000000f44c8d8a795a5768ed9b77c9b26517d237636300886e9fffcdf64e86f0836717663433a8e09decc55d307b2dc5b0"], 0xa) syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0xaee, 0x40000) [ 1358.500299][ T3001] binder: 2993:3001 got transaction with invalid parent offset or type [ 1358.509288][ T3002] binder: BINDER_SET_CONTEXT_MGR already set [ 1358.525308][ T3002] binder: 2994:3002 ioctl 40046207 0 returned -16 01:56:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x48000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1358.580395][ T3005] binder: 2994:3005 got transaction with invalid offset (536870912, min 0 max 24) or object. [ 1358.615048][ T3011] *** Guest State *** [ 1358.629621][ T3005] binder: 2994:3005 got transaction with invalid offset (536870912, min 0 max 24) or object. [ 1358.642433][ T3011] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1358.653286][ T3013] IPVS: sync thread started: state = BACKUP, mcast_ifn = gretap0, syncid = 1, id = 0 01:56:51 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x630b, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x28000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1358.690498][ T3011] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1358.702093][ T3018] binder: BINDER_SET_CONTEXT_MGR already set [ 1358.729774][ T3011] CR3 = 0x0000000000000000 [ 1358.734384][ T3011] RSP = 0x0000000000000000 RIP = 0x0000000000000000 01:56:51 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f00000000c0)={&(0x7f0000fff000/0x1000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000fff000/0x1000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000)="70a2923841aea6bfb47a5a411b3d2a7a2b5ef8e1b0cd770a24525882e4208b6181ddc0cec1baaae7744b3b64afece2d4aa6df057c8e8728a2d849e8e87446e0354bf7863d90fec2ec8561d0eaf362c6f993e", 0x52, r0}, 0x68) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:51 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) lsetxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=@random={'osx.', '\'selfposix_acl_accessuser,:\x00'}, &(0x7f00000000c0)=',\x00', 0x2, 0x0) [ 1358.747715][ T3018] binder: 3014:3018 ioctl 40046207 0 returned -16 [ 1358.749454][ T3011] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1358.775332][ T3011] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1358.809577][ T3011] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1358.847777][ T3011] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.848691][ T3027] binder: BINDER_SET_CONTEXT_MGR already set [ 1358.863508][ T3011] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.872873][ T3021] binder: 3020:3021 ERROR: BC_REGISTER_LOOPER called without request [ 1358.891149][ T3011] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 01:56:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4c000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:51 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = dup2(r0, r0) setsockopt$TIPC_CONN_TIMEOUT(r1, 0x10f, 0x82, &(0x7f0000000000)=0x5, 0x4) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1358.906712][ T3021] binder: 3020:3021 unknown command 0 [ 1358.924504][ T3011] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.938262][ T3027] binder: 3022:3027 ioctl 40046207 0 returned -16 [ 1358.949337][ T3011] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1358.958178][ T3021] binder: 3020:3021 ioctl c0306201 20000780 returned -22 [ 1358.990088][ T3011] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1359.001244][ T3028] binder: 3020:3028 ERROR: BC_REGISTER_LOOPER called without request [ 1359.012136][ T3033] binder: BINDER_SET_CONTEXT_MGR already set [ 1359.018138][ T3033] binder: 3032:3033 ioctl 40046207 0 returned -16 [ 1359.025096][ T3011] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1359.046583][ T3011] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1359.069661][ T3011] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1359.078363][ T3011] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1359.079304][ T3028] binder: 3020:3028 unknown command 0 [ 1359.113307][ T3011] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1359.119384][ T3028] binder: 3020:3028 ioctl c0306201 20000780 returned -22 [ 1359.134240][ T3011] Interruptibility = 00000000 ActivityState = 00000000 [ 1359.164370][ T3011] *** Host State *** [ 1359.168414][ T3011] RIP = 0xffffffff811b4980 RSP = 0xffff888059d3f8e0 [ 1359.195606][ T3011] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1359.207292][ T3011] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1359.218955][ T3011] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1359.234349][ T3011] CR0=0000000080050033 CR3=00000000a8c93000 CR4=00000000001426f0 [ 1359.242981][ T3011] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1359.265111][ T3011] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1359.277641][ T3011] *** Control State *** [ 1359.282026][ T3011] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1359.317919][ T3011] EntryControls=0000d1ff ExitControls=002fefff [ 1359.339304][ T3011] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1359.359323][ T3011] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1359.379434][ T3011] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1359.409296][ T3011] reason=80000021 qualification=0000000000000000 [ 1359.416338][ T3011] IDTVectoring: info=00000000 errcode=00000000 [ 1359.449214][ T3011] TSC Offset = 0xfffffd25c7d26cb8 [ 1359.454255][ T3011] TPR Threshold = 0x00 [ 1359.458318][ T3011] EPT pointer = 0x000000008a47501e 01:56:52 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:52 executing program 0: openat$dlm_plock(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm_plock\x00', 0x501800, 0x0) r0 = socket$inet6_sctp(0xa, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000000000), &(0x7f0000000040)=0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x3f000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x50000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:52 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x630c, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1359.557501][ T3040] binder: 3039:3040 got transaction with invalid offset (1056964608, min 0 max 24) or object. [ 1359.569817][ T3043] binder: BINDER_SET_CONTEXT_MGR already set [ 1359.575823][ T3043] binder: 3042:3043 ioctl 40046207 0 returned -16 [ 1359.588225][ T3047] binder: 3044:3047 unknown command 0 [ 1359.594652][ T3040] binder_transaction: 22 callbacks suppressed 01:56:52 executing program 2: r0 = syz_open_dev$mouse(&(0x7f0000000140)='/dev/input/mouse#\x00', 0x8ca1, 0x40000) getsockopt$nfc_llcp(r0, 0x118, 0x6, &(0x7f0000000180)=""/217, 0xd9) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0xfffffffffffffffe, 'Wlm\x00\x01\x00\x00\x80\x00'}, 0x164) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) r2 = syz_open_dev$usbmon(&(0x7f0000000040)='/dev/usbmon#\x00', 0x0, 0x8000) getsockname$unix(r2, &(0x7f0000000080), &(0x7f0000000100)=0x6e) [ 1359.594669][ T3040] binder: 3039:3040 transaction failed 29201/-22, size 24-16 line 3242 [ 1359.616606][ T3056] binder: 3042:3056 transaction failed 29201/-22, size 64-16 line 3389 [ 1359.627396][ T3047] binder: 3044:3047 ioctl c0306201 20000780 returned -22 01:56:52 executing program 0: r0 = syz_open_procfs(0x0, &(0x7f0000000080)='net/mcfilter6\x00') getsockopt$inet_sctp6_SCTP_ASSOCINFO(0xffffffffffffff9c, 0x84, 0x1, &(0x7f00000000c0)={0x0, 0x0, 0x400, 0x0, 0x8, 0x3}, &(0x7f0000000100)=0x14) setsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000140)={r1, 0x1f}, 0x8) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f0000000200)) r3 = pkey_alloc(0x0, 0x2) pkey_free(r3) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) sendto(r2, &(0x7f0000000240)="14f058dc2c6a2ea3084463c2719acb69f7cfc9a2cd8b95fad9376eb87d3e4f3848f7b69dbc38484b0b74dfee2ab66d3002548788ca5fe90bc9a72cc7b9584e42962a26170f6ff117f6af03aaa10e558232182905c38776d2122accbd8a09c738e10f4e92ce10d7697e4693b6541af86f81135963857a0c9e0e0b9a79e43ce989e2d52183524b98b66dee3f526809fa7d4d1d56a0f61390404fc7e11b4ca406f07619d1d804b47804fd1fe056ef7565aa52178150c3ebfd5a6145db3c43930a78cf46d1c21c3a5460763ac4cb370ce532388689cd65ca9400954c7c11605f833f43a329ed3bb29d77cfe13786e626a4a5", 0xf0, 0x80, &(0x7f0000000000)=@pppoe={0x18, 0x0, {0x4, @empty, 'gre0\x00'}}, 0x80) r4 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000340)='TIPCv2\x00') sendmsg$TIPC_NL_MON_PEER_GET(r0, &(0x7f00000005c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x80}, 0xc, &(0x7f0000000580)={&(0x7f0000000380)={0x200, r4, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_MEDIA={0x38, 0x5, [@TIPC_NLA_MEDIA_PROP={0x34, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xe0a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x74a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x42a}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffff29f}]}]}, @TIPC_NLA_MON={0x4c, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x3}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x5}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x9}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x8}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x8001}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x1}]}, @TIPC_NLA_LINK={0x88, 0x4, [@TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x80000001}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x4}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, [@TIPC_NLA_PROP_WIN={0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1f}]}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}]}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2f1}]}]}, @TIPC_NLA_BEARER={0xb0, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz1\x00'}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xfff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x38, 0x4, {{0x14, 0x1, @in={0x2, 0x4e23, @multicast2}}, {0x20, 0x2, @in6={0xa, 0x4e23, 0x3, @rand_addr="229dcb79b54a5aa00241db387216120e", 0x3}}}}, @TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x8b5993e}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x200}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x100}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xa}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}]}, @TIPC_NLA_LINK={0x30, 0x4, [@TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80}]}, @TIPC_NLA_LINK_PROP={0xc, 0x7, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x4}]}]}]}, 0x200}, 0x1, 0x0, 0x0, 0x8044}, 0x20000800) openat$md(0xffffffffffffff9c, &(0x7f0000000180)='/dev/md0\x00', 0x4000, 0x0) [ 1359.660505][ T3043] binder: BINDER_SET_CONTEXT_MGR already set [ 1359.666580][ T3043] binder: 3042:3043 ioctl 40046207 0 returned -16 [ 1359.679647][ T3058] binder: 3039:3058 transaction failed 29201/-22, size 24-16 line 3242 [ 1359.688300][ T3059] binder: 3044:3059 unknown command 0 [ 1359.689131][T19558] binder_release_work: 21 callbacks suppressed [ 1359.689146][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1359.710159][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1359.719395][ T3059] binder: 3044:3059 ioctl c0306201 20000780 returned -22 [ 1359.729473][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:52 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x630d, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:52 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000000040)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000000)={0xffffffffffffffff}, 0x13f, 0x1}}, 0x20) write$RDMA_USER_CM_CMD_ACCEPT(r0, &(0x7f00000000c0)={0x8, 0x120, 0xfa00, {0x0, {0x3, 0x3, "34bf129e99f72dae4b6f16c5a2b87602ba78ae9686593ae9c3380723ce62ec6565762904d420427ea09b1956a422f148eef66208c2267b94f832dc79639edcdfb84da5d531e3427fb034ef43dcd153d20a1db7cbbb58fa80e3767d62294987865ebf516bcc741c78171eeb2a8543d762188b32c8d4ba17dc0f1dcc6f372ddd00b3cc727cce3f3f6b14aedf1a218b83c4d873849c1ae388c43cf4a39ca3636ba21f4dc95a8c9cd0ebb206976a594446c80e9c1056b7936ba94f10b7f1fbb8936c64f5d5804d2efb2b44fd2b775300532b862a341f9e4c2382f0f20c60942a32cd45c28255312498e5185217225995ee7223824e7495681c456dbf066d661c9f8d", 0x41, 0x1, 0x7, 0x6e67c5e1, 0x4, 0x3, 0x1000000000000}, r1}}, 0x128) 01:56:52 executing program 0: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x60000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1359.799877][ T3054] *** Guest State *** [ 1359.803914][ T3054] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1359.859563][ T3073] binder: 3072:3073 unknown command 0 [ 1359.859724][ T3054] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1359.885558][ T3073] binder: 3072:3073 ioctl c0306201 20000780 returned -22 [ 1359.919407][ T3054] CR3 = 0x0000000000000000 [ 1359.932552][ T3077] binder: 3074:3077 transaction failed 29201/-22, size 64-16 line 3389 [ 1359.934357][ T3054] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1359.942117][ T3078] binder: 3072:3078 unknown command 0 [ 1359.959323][ T3054] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1359.979514][ T3054] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1359.980025][ T3078] binder: 3072:3078 ioctl c0306201 20000780 returned -22 [ 1359.987026][ T3054] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1359.995832][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1360.025002][ T3077] binder: BINDER_SET_CONTEXT_MGR already set [ 1360.025022][ T3079] binder_alloc: 3074: binder_alloc_buf, no vma [ 1360.031286][ T3077] binder: 3074:3077 ioctl 40046207 0 returned -16 [ 1360.037348][ T3054] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1360.072215][ T3054] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1360.094589][ T3054] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1360.103862][ T3079] binder: 3074:3079 transaction failed 29189/-3, size 64-16 line 3148 [ 1360.135088][ T3054] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1360.152695][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1360.154717][ T3054] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1360.195111][ T3054] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1360.215191][ T3054] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1360.229319][ T3054] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1360.279229][ T3054] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1360.288209][ T3054] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1360.329230][ T3054] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1360.337429][ T3054] Interruptibility = 00000000 ActivityState = 00000000 [ 1360.379206][ T3054] *** Host State *** [ 1360.383133][ T3054] RIP = 0xffffffff811b4980 RSP = 0xffff888056e8f8e0 [ 1360.409242][ T3054] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1360.416385][ T3054] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1360.450089][ T3054] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1360.456716][ T3054] CR0=0000000080050033 CR3=0000000091cad000 CR4=00000000001426f0 [ 1360.479213][ T3054] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1360.486601][ T3054] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1360.509214][ T3054] *** Control State *** [ 1360.513394][ T3054] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1360.534302][ T3054] EntryControls=0000d1ff ExitControls=002fefff [ 1360.554142][ T3054] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1360.569305][ T3054] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1360.576689][ T3054] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1360.600374][ T3054] reason=80000021 qualification=0000000000000000 [ 1360.607535][ T3054] IDTVectoring: info=00000000 errcode=00000000 [ 1360.635089][ T3054] TSC Offset = 0xfffffd251ffe89c3 01:56:53 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x48000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:53 executing program 2: r0 = dup(0xffffffffffffff9c) write$apparmor_current(r0, &(0x7f0000000000)=@profile={'stack ', 'veth0_to_bridge\x00'}, 0x16) getsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000040)=@assoc_value, &(0x7f00000000c0)=0x8) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) ioctl$sock_rose_SIOCRSCLRRT(r0, 0x89e4) 01:56:53 executing program 0: init_module(&(0x7f0000000000)='[\'/\'\x00', 0x5, &(0x7f0000000040)='wlan0GPLposix_acl_accessselfselinux\x00') r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000200)) r1 = openat$cgroup_ro(r0, &(0x7f00000000c0)='cgroup.events\x00', 0x0, 0x0) ioctl$SG_SET_DEBUG(r1, 0x227e, &(0x7f0000000140)=0x1) 01:56:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40046302, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x68000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1360.649306][ T3054] TPR Threshold = 0x00 [ 1360.653390][ T3054] EPT pointer = 0x000000006728401e [ 1360.740253][ T3086] binder: BC_ACQUIRE_RESULT not supported [ 1360.745384][ T3088] binder_transaction: 1 callbacks suppressed [ 1360.745400][ T3088] binder: 3083:3088 got transaction with invalid offset (1207959552, min 0 max 24) or object. [ 1360.746030][ T3086] binder: 3080:3086 ioctl c0306201 20000780 returned -22 [ 1360.768226][ T3088] binder: 3083:3088 transaction failed 29201/-22, size 24-16 line 3242 [ 1360.778994][ T3084] binder: BINDER_SET_CONTEXT_MGR already set 01:56:53 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000040)) [ 1360.787365][ T3084] binder: 3082:3084 ioctl 40046207 0 returned -16 [ 1360.789692][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1360.805021][ T3084] binder_fixup_parent: 5 callbacks suppressed [ 1360.805030][ T3084] binder: 3082:3084 got transaction with invalid parent offset or type [ 1360.825979][ T3096] binder: 3083:3096 got transaction with invalid offset (1207959552, min 0 max 24) or object. 01:56:53 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = fcntl$dupfd(r0, 0x406, r0) ioctl$KVM_GET_MSRS(r1, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{}]}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1360.857304][ T3097] binder: BC_ACQUIRE_RESULT not supported [ 1360.880810][ T3096] binder: 3083:3096 transaction failed 29201/-22, size 24-16 line 3242 [ 1360.901059][ T3084] binder: 3082:3084 transaction failed 29201/-22, size 64-16 line 3389 01:56:53 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1360.929763][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1360.940316][ T3097] binder: 3080:3097 ioctl c0306201 20000780 returned -22 [ 1360.950698][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1360.958069][ T3103] binder: BINDER_SET_CONTEXT_MGR already set 01:56:53 executing program 0: r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vfio/vfio\x00', 0x1, 0x0) pwrite64(r0, &(0x7f0000000340)="edf15edd9b621cfbc70729a4a7ba3129c0a445c41a63c1b13bcb6487a82ee6b7ac443ec2ee28c3546e69127c536e22746f8996d543e332f62240b0d1819daad33d564ce15ddbf15f673739f05c4e544963e609c2278da11d2b68984b30f5cf0a921426a7ccaafc9a3507ef4ca98fea7ab2e992e18cd0db723bd409da55f4f651ec1d38ad2dc5d4d7ed7dee1c45a5a2ed13af64ae7ff7982740417cd9047ba2da230f31779f3a65cc8cce69ba6a03fdc91a7db2a2b34389615c7feeaa3b8f574f31f9446e09612e2812597385e63ac4fe875512b60646be65dee490eded0139a1e49e8a1a911c91d67adddbf882a68c0c439fde6a8dc107c452d4159f17bd0caaa8ab0422a036e7824b6c0dbd7f62d04954cea621b8892ae473ed4961a5dcc5d72ae89b933b17691bb3b03701075dd5b74751af69c78ad8149205f86b1bd37a0239acef9c32d34658d078a3aa85503fe14777729fb220ccef9900608537bc2e4e4b24e256548cc032e687e4a82ab8e7b3e5f89365d43cd119eb3d02689fc8b32502d9a0be8fb7f13c5b70ae0a113c6e045e2784e02b5c5a19a5a5c9ef469c1ff52989057613eec1f431c044e349adb5d6cfab072e3b2550fc235b7a58bca927e69d3c1eb4854644ffb71e440a8993d14e3028da9049b69c4f8c1f1876d94d51214ff04597e3986da7cc5ec2221fbe9bab37dd93ec2c99e52c2179da7e29b2f3c9323d85ecb4a442f3cfa4412f66528b253789843b8fc4bfc03520151f5fe01daba6c1794cdedd8cd6024ac83c39e250c48cc60ac0ac493b8dd5c84ece8f338fc6b520492d8830499ecf7665f2afa932be22a8788c32ea7348be20fba03d9d1d2dd3a6550d02ce1c93f6c3a5084068e5eef390e8fcba163dfbfe4b0e8cd6107094f723ba828d98914083fdba56d7c23d22ae99aee3a2c2ae137c0c422fa7bc0fac5baa08e2bb1dbbc150de96263d9be583db324b2c04b50ced5cca0b75d918b748ebf553d3d938c0850412a723e7a723d9cf301dab8460b880d3c1f999fe80e5be6b68d608561d8e8acd7b3c5d1b7c3a64d1b49fc58f7cbfaee84938c79ec298bfba68543327926572fb8b334481267c0d46e5df38303e069f72bd4f7cbfbea2bd1f7bf78e9dbdedd119a9a5fc5a23dfa400b9777f929c426bbb9237b63e7284346317e19bdc3e1fb56ab1c0d0741b40d266948bd7ef8ff49b73e4157cafbb54db6a26ca19c3196dbfb4cbdd7a030de772fb79c70e972db38f8140254ae4054010d78f2423142332f1ac354c16eaacc8b7e5a68d810c66ac23467b69d52951c576cf9e36e1b6e91a7e8c1fb6c780e79d5623cd4abb03870c55c2b164cde26ce931a7be89a0b9c4e8f3744072352dc1cc9d407f5a2710aa52abc2067b47ec9bcc25b26fefad63769c14f182cb0ad66d8443e6f0490164b0373330966a83fa3b7263edd62ab3b35070f16f2d2d81755498686bc1979059788e89cd76e3f0eda90c1a496499647f753dbebdb7c7d910910cd2e5f90c41443a0d79f1311f7f49ab452e9546505b1700430fc97eb55675d91dbb12f7040d35c26b412f452fe98268e4730feb80407c3283c340b4147bcf3be18b64ee6259de82daa2dfc9eb3d5b21b98d3374c6a5eb2304b6da4a7c5e2d34cacdd7e24fd16c4fb007b9fa03dc4a79727ed82fd415b255047b99ab6d197f5c10e71f472b68cb2a31d89e88c0f4659e1470fc79da4d891f1b021967baa436c85bddc18fbb43b6f7c0e63e83cd49469d55c3c0fa01e8bfa1ebd5a97c5c530a2abe7bbe6153926f118a192133b273c7e519e0eeeed3051e1f718812c6bda81ee0be4e9639032e68c03ecdbc7aa3069a2d9c835ebe9570c819fd939c7599cb981183dc4a67101ec538f51180b651c659f54f773bbc02625fd3c4daf42e8f3afc831016e3340be0d7d7af2c58024554190e99d824662b2ba09a3467cd638ab110fe762b58ef24b17e83d1f5818f30d33972f800075c7cff16cb54f34b85c546603ac5ba47abf358422d8ebf491100bad1b2692ee4b87e2c0f8c051bb87aca78f88a4bd8126306c4a5a6f17860ae281dd5d3387a0ee961ee8238e9e5a47c03c3014c100feac487717b3caf9c423eb29eaa76d8336ce6b3cf66e8e86d1b8b99b8f60e553a6a4e7c0e4e6cc43151135286a4cfa18d19f5420a7b89901638d7fa335b643c3dad39a9d68c2b75343a7694a0150811650c20d9bdf351b3b20e2fb0d0c766cadc02b8e6a51b1bc5c09a17bd86666437354b39147394614ce6944bc12733de39356884be66139606f5715fb28a756ee7feed0ee7bf3147c91e598583baa8b1760499bbf784a32e2302ddb053775a1c18bf90f153a326bc418ead486840644545defa139ec13a244546256b050ff2a5695b0197060b59853c583dfe687694ef6d7b25e8c6b3ee7bcd3460e7644de1ddfd5bc492a383f6286a322c7529f758b65f9c69704340715cdbc9af90b95ee5bbd94383b06a72957ff389e6bf9de0d37544af15bbb71f1e17efa2681f67e331698c2d693f642e6353e75ddcbf2cd1e3b5b7c0d5445d0d34ac622e9ef9cb60d16fd538b7878633f6a82e8e9bf41bca6870e5d2f5c86390b4b437f135dc78f66e1c2a8bd703a0a54606f06f3df66ac7b124e0f6969fcb83841e7a6e1946bf880c4dbe27243b8add85851f19bb2f07d06a34bd7e37f13c507f6f158698fc8c1ee84435d4c32e2bbf9ea1c2bf78777cec89ddf96327a01019db1bcec145fe0fc236b4bd809afc76fd94ffff3a75b4a6019302bc4d8f0d78dee308b2955a835381842ec792e25014664d23e29a97ea98744b5708554ae9442206c71eecc15d48636a51b766f9e670590bc54f274f75d61999aa7620ef7709aca0243f3c9be77a6e923ca3286893e7c7ac2432a81d32985f6e7c429f90700309d555cb480b04dc01a51b30c5aa3633df461e9207aaa2bdcdace17fbffd3ef90170a64570cc4d92c64141a452b9a897ca789d22527ccf946f05c45794d95311ef120b3742828f7d0f9752b1f9ebd9a9470d1435b345147a1aed488b6c60ce111608fbb9598f50cf1cd97b9ac99e11ae30a1332223b549cd5485b221378da9d446db63615cd735fee251c013449c3b13a47b2802620d062543a070ea2505596289949bf47099273e1c6f7b00aa5b77cca926ac260c1bde3efc33fb32614dd9d5b8957026bf4beb62f391641798479d8c6ade4856cb352a9eada8af2fb17997a8ab7e510c74925484c9bf020577b8f5836232dd7d7d3b045e0f5e00b8c9112e46d6427958938f817f793c6bd7063234f4f9324087f8bd35fc35b704b89a36ed76a43c21e841976400a2898625037067b18f8163302c306a2d663b85f0b90d70c8b6e1683f8a72e4b2c5d892f1c0d43e827542fa681301ae6160c54e13863e48e6ddf37043d4ad11754b8ac28142f4e70108bf3689544dab1a378dbf4e8f9202a162e5d92457ff2e403c70af3ef83b2e4f1b4dccd39f5342fdaf0731b6aae468bf98c3f6961ca8cc8f32905f970e618f36e80eb3b4af9fa1f7a8502cf9389b98c74c193b32bf08a7fd264168cff59079997359572f9e36c7d7ebd08ac73e3858b76886ac099cca44ecd461662fcaaef0943daa7d8c8129385517cb7b50958431d3666be573d8018e85e23d26929b1a269493f92414f07d28f6cbd045c121ef7656fac1512c4955069866866f6bb180a647826a8c4837b66e7e994dffa7147a791451b3c19fcb13abd9c0a2dfae594cf53874da14105dbc0a4420421a318231d74757cb0d427418deaf077cf613bdbd72282dfc8677ee766bdf212d09827f81ede971ae04a755a2e0715c783111073729cc1900072ca126939d4500c744184c4d1d6126840e552ed0519402b92ba2838dafccadf8a9dc3123e77c7b1ccbf8dc73a63ee3c80d44ff6fbed124eaf6984949c8697f3b5ee808d6fb82d962a05d9f64c075d7bbb307d434aa28ace4cf647a4cfc3291880f17a3f0878d444b8c3523107a29d89eee26a86854c592cc25ab0c51dbf91391f18eb63f8ab9dd6f87e075efde29041fe45fdce01b8730e8dd09bf7ce03543181d6173f3b34116b620e5482951c5d47601db8c3b373d9c5377600afddc472f313edacf72ba37c05ba8c08793cb7aee33a7a0de3c84818c1a2063b725d17a98520500aa1513670b349049ab3416654ee4c70f52760d68a7530df2e7327c6ad4de30d8bfd046ade269eb1f78ffe0ae8240919e86d95875d7f2881856cec3605b8f980f03903117e316406aeb6a6ba33cf0cc57eda66e723ffd5fbfe0de7b65756c1d5aef1aa64c907279889beaacae42a4935d1649136c31175bdb8cee800d41aa5a0649d1e4b15a638eb3cc39e4c02828a4b8e3322218eddc5aedc559f988dd8d4e8dc7a011a5f28c05c143d49ef4354651fa36b365cc21ad6517590e63388134be1b27b4cbec12f726166177e566e24cb4e7a660c815a84680ced5dd66fb4260f72a13e15303b9ece8fc91de64472ca20940695554f75d53f6c2e61c27c49f022425c8d40855c64e3b10d90e2092cbc49c5b06427c9ad677e611f0f2b680f1971b7e7ed0105b684e68886bfc84302c74a944839991e98c91c23714b074bbc3939d4ea9cafa9b8f0975baf09e268e6d9e04b1eeb397ad0df6d3fddc13976729b4df43c2ccc79b7bc17ce0adc95029691cc2bf3b61771f7ea17ab1b26804acb56e45b9f1b38e1434762fa729aa50a7924f0089d79b66e66a850511417c0592b8d205d5dbcbaf9e35b9d537606b98dd51ead24efc8671358fe9254e0a0c3e1d30932e5ad032353e2ec10b057c1a833bf4343b924fd1dd78d0e15ca0625ea977eef16357d82ded0d61347ba4df4f073f9a30869f9368a7e5d0df98f54e6cd877d91d30c07ff40f3267e5336bb2c5462be483620005e45c383da357fb8dba4363abe8260f4eba849250f75c2e3a42b78af7f272a8b9b60eadaedfae72864843b3616b4e79b63dd0514534514acbe02a62ee6b337b8a2d4b87b5b06c2cdfc118bee1739eaec6011aa3e29d407f31f279e54bf1c431b9d0356fef89b463132a34250799f48290810e5a8869c1f2b1921686ed460dcc934a296606bd8e8576ec0aac372a5f031908b249fcaaeff07bac2042828529f27c493dee9b9479b616dbd10e4a6e44c268a3d202a80971c039b7bb81c2c3f144a3e39e67568a9d97f4fd28c5e64e3b8464338237db5e9529da471ed19f93a9478afb46dbeabc2241fed9d8e4cde8be4e40a40d9972d5a0dccaec610dbd2a176774e5c030e0cdfd8d7a16fec760a29e89b4d1d06e3063bab972722026b05fd0cc6f16d02cd8d1c6320ca13efaeaee1d86890cb9c79997dc4051ea8f70566babb8cf0b342ea53cf73866f2a5c9651390fc50938211d5f1c1453a0054e3837dcea5f1439bf11ac8af3071e8736a7d676f4202ca2b9dbe5711205f985b6199b1de781b216b9aeb4ba1d5a3254ed9198a94b6968de5b96f7c777e249c7b784a3bdb4db6b0b6bf40d0a8cb04131349f761c9ecbf44e5b9b01874268066053b2b0d2d8023e0c250a422bb24283d6470ef087ce2f832f8d3dd8532c64144a4ba14e6d8121fca1aedbce170d6a5dfdad7a3a469841339997b94c0f383ad97b629ce9f36bbd4b1da9d829824abe8080a91a1eb84e899aa23eff1ebd27aa8fe52f2fc9b34ee5a9149a1508c041d171cea0f1714b7a8fa5d2432605475a68113e0d82b718eb0ee31f28aa7328d2aad2a61688e872b2aacde3d9c13d8a7aafdad1e894dc71396e0accbc0b52cec4e", 0x1000, 0x0) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) rename(&(0x7f0000000040)='./file0\x00', &(0x7f00000000c0)='./file0\x00') setsockopt$inet6_MCAST_LEAVE_GROUP(r1, 0x29, 0x2d, &(0x7f0000000240)={0x7, {{0xa, 0x4e23, 0xffffffff, @local, 0x21}}}, 0x88) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000100)=0x81acdabe9e9fb867) setsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r1, 0x84, 0xc, &(0x7f0000000000)=0x2, 0x4) readlink(&(0x7f0000000080)='./file0\x00', &(0x7f0000000140)=""/224, 0xe0) 01:56:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4c000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1360.977527][ T3104] binder: 3082:3104 got transaction with invalid parent offset or type 01:56:53 executing program 2: r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000200)='/dev/vsock\x00', 0x202080, 0x0) ioctl$sock_inet_tcp_SIOCOUTQ(r0, 0x5411, &(0x7f0000000240)) r1 = socket$inet_udp(0x2, 0x2, 0x0) fsetxattr$security_smack_transmute(r1, &(0x7f0000000000)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000280)='TRUE', 0x4, 0x9) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) r2 = open(&(0x7f00000000c0)='./file0\x00', 0x4000, 0x10c) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffff9c, 0x84, 0x13, &(0x7f0000000100)={0x0, 0xfffffffffffffff9}, &(0x7f0000000140)=0x8) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f0000000180)={r3, 0x3}, &(0x7f00000001c0)=0x8) 01:56:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40046304, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1361.032564][ T3103] binder: 3082:3103 ioctl 40046207 0 returned -16 [ 1361.056079][ T3104] binder: transaction release 9826 bad handle 1, ret = -22 01:56:53 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1361.100552][ T3115] binder: 3114:3115 got transaction with invalid offset (1275068416, min 0 max 24) or object. [ 1361.111715][ T3104] binder: 3082:3104 transaction failed 29201/-22, size 64-16 line 3389 [ 1361.135375][T17703] binder: undelivered TRANSACTION_ERROR: 29201 01:56:53 executing program 0: r0 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0xfff, 0x0) setsockopt$inet_udp_int(r0, 0x11, 0x65, &(0x7f0000000080)=0x9, 0x2) socket$inet6_sctp(0xa, 0x5, 0x84) rt_sigreturn() [ 1361.153684][ T3115] binder: 3114:3115 transaction failed 29201/-22, size 24-16 line 3242 01:56:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6c000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:53 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) prctl$PR_SET_NAME(0xf, &(0x7f0000000000)='veth0_to_bridge\x00') setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1361.200988][ T3120] binder: 3117:3120 unknown command 0 [ 1361.207403][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1361.215236][ T3125] binder: 3114:3125 got transaction with invalid offset (1275068416, min 0 max 24) or object. [ 1361.225632][ T3120] binder: 3117:3120 ioctl c0306201 20000780 returned -22 [ 1361.227281][ T3128] binder: 3117:3128 unknown command 0 [ 1361.269271][ T3128] binder: 3117:3128 ioctl c0306201 20000780 returned -22 01:56:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40046307, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:53 executing program 0: syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x3ff, 0x40102) r0 = socket$inet6_sctp(0xa, 0x4, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0xfffffffffffffd83) 01:56:53 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1361.324341][ T3131] binder: 3130:3131 got transaction with invalid parent offset or type [ 1361.362464][ T3138] binder: 3130:3138 got transaction with invalid parent offset or type 01:56:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x60000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:53 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x4, 0x44080) ioctl$SNDRV_RAWMIDI_IOCTL_STATUS(r1, 0xc0385720, &(0x7f0000000040)={0x1, {}, 0x2, 0x8001}) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1361.388766][ T3131] binder: BINDER_SET_CONTEXT_MGR already set [ 1361.412119][ T3131] binder: 3130:3131 ioctl 40046207 0 returned -16 [ 1361.434671][ T3138] binder: transaction release 9837 bad handle 1, ret = -22 [ 1361.446988][ T3143] *** Guest State *** [ 1361.452349][ T3143] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:56:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x74000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1361.481205][ T3145] binder: 3142:3145 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 1361.495551][ T3143] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1361.508974][ T3151] binder: 3144:3151 got transaction with invalid offset (1610612736, min 0 max 24) or object. [ 1361.509827][ T3145] binder: 3142:3145 unknown command 0 [ 1361.525329][ T3143] CR3 = 0x0000000000000000 [ 1361.531376][ T3143] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1361.538652][ T3143] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1361.569095][ T3158] binder: BINDER_SET_CONTEXT_MGR already set 01:56:54 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000040)={0x0, 'veth0_to_bridge\x00', 0x3}, 0x18) ioctl(r0, 0x8, &(0x7f0000000000)="ca078753ffda086fcae1fdfdca58012090e56fe172e383720ed8b0b7a60d54219eaf54473214b5715164e90c66") ioctl(r0, 0x800000000008982, &(0x7f0000000080)) ioctl$DRM_IOCTL_ADD_CTX(r0, 0xc0086420, &(0x7f0000000080)) 01:56:54 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000000000), &(0x7f0000000040)=0x8) setxattr$security_capability(&(0x7f00000000c0)='.\x00', &(0x7f0000000100)='security.capability\x00', &(0x7f0000000140)=@v1={0x1000000, [{0x5}]}, 0xc, 0x3) [ 1361.575403][ T3145] binder: 3142:3145 ioctl c0306201 20000780 returned -22 [ 1361.580706][ T3143] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1361.599397][ T3158] binder: 3157:3158 ioctl 40046207 0 returned -16 [ 1361.608356][ T3143] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1361.609819][ T3160] binder: 3144:3160 got transaction with invalid offset (1610612736, min 0 max 24) or object. [ 1361.629685][ T3158] binder: 3157:3158 got transaction with invalid parent offset or type [ 1361.640604][ T3163] binder: 3142:3163 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 1361.650974][ T3143] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1361.663077][ T3143] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1361.672993][ T3163] binder: 3142:3163 unknown command 0 [ 1361.678689][ T3158] binder: BINDER_SET_CONTEXT_MGR already set [ 1361.685378][ T3167] binder: 3157:3167 got transaction with invalid parent offset or type [ 1361.694187][ T3143] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1361.703552][ T3163] binder: 3142:3163 ioctl c0306201 20000780 returned -22 [ 1361.712066][ T3143] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1361.721346][ T3158] binder: 3157:3158 ioctl 40046207 0 returned -16 01:56:54 executing program 2: r0 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x0, 0x2) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000280)={{{@in6=@mcast1, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{}, 0x0, @in6=@remote}}, &(0x7f0000000380)=0xe8) ioctl$sock_inet6_SIOCDIFADDR(r0, 0x8936, &(0x7f00000003c0)={@dev={0xfe, 0x80, [], 0x26}, 0x2b, r1}) r2 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r2, 0x800000000008982, &(0x7f0000000080)) 01:56:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40086303, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:54 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getpid() 01:56:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7a000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1361.741202][ T3143] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1361.770263][ T3143] GDTR: limit=0x0000ffff, base=0x0000000000000000 01:56:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x68000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1361.813457][ T3143] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1361.841223][ T3177] binder: 3176:3177 BC_FREE_BUFFER u0000000000000000 no match [ 1361.860795][ T3181] binder: 3179:3181 got transaction with invalid parent offset or type [ 1361.861725][ T3143] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1361.884220][ T3177] binder: 3176:3177 unknown command 0 [ 1361.894564][ T3177] binder: 3176:3177 ioctl c0306201 20000780 returned -22 [ 1361.900843][ T3183] binder: BINDER_SET_CONTEXT_MGR already set 01:56:54 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008985, &(0x7f00000000c0)="35c3c1d704bc1a6e6d4c14f52e4c3b06a2c3740ccf2eeed83a4315f1a0f218c3df8d633caafe6e5caf136621f735f53890110e051db707bd756080df7a102f837e9a6d0204e38fb7be1f7d67df5b4a42240623d4441224976b50b58b7156cccbf75b5a") ioctl$sock_inet_SIOCSIFPFLAGS(r0, 0x8934, &(0x7f0000000000)={'lapb0\x00', 0x8}) [ 1361.902188][ T3143] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1361.918324][ T3143] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1361.926558][ T3186] binder: 3176:3186 BC_FREE_BUFFER u0000000000000000 no match [ 1361.934747][ T3186] binder: 3176:3186 unknown command 0 [ 1361.940635][ T3143] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1361.949064][ T3186] binder: 3176:3186 ioctl c0306201 20000780 returned -22 [ 1361.958275][ T3183] binder: 3182:3183 ioctl 40046207 0 returned -16 [ 1361.962040][ T3143] Interruptibility = 00000000 ActivityState = 00000000 [ 1361.971971][ T3190] binder: 3179:3190 got transaction with invalid parent offset or type [ 1361.977935][ T3192] binder: 3182:3192 got transaction with invalid offset (1744830464, min 0 max 24) or object. [ 1361.990863][ T3143] *** Host State *** [ 1361.998681][ T3143] RIP = 0xffffffff811b4980 RSP = 0xffff88808f2e78e0 [ 1362.014221][ T3143] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1362.031849][ T3143] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1362.046803][ T3143] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1362.054295][ T3143] CR0=0000000080050033 CR3=00000000590df000 CR4=00000000001426f0 [ 1362.063148][ T3192] binder: 3182:3192 got transaction with invalid offset (1744830464, min 0 max 24) or object. [ 1362.079597][ T3143] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1362.092330][ T3143] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1362.100243][ T3143] *** Control State *** [ 1362.104596][ T3143] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1362.112807][ T3143] EntryControls=0000d1ff ExitControls=002fefff [ 1362.119132][ T3143] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1362.127263][ T3143] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1362.136696][ T3143] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1362.149428][ T3143] reason=80000021 qualification=0000000000000000 [ 1362.156620][ T3143] IDTVectoring: info=00000000 errcode=00000000 [ 1362.163227][ T3143] TSC Offset = 0xfffffd243d6ef3ea [ 1362.168373][ T3143] TPR Threshold = 0x00 [ 1362.172914][ T3143] EPT pointer = 0x0000000099d6501e 01:56:54 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:54 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000480)={{{@in6=@empty, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@initdev}, 0x0, @in6=@remote}}, &(0x7f0000000580)=0xe8) ioctl$sock_inet6_SIOCSIFDSTADDR(r0, 0x8918, &(0x7f00000005c0)={@dev={0xfe, 0x80, [], 0x23}, 0x20, r1}) 01:56:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xfdfdffff}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:54 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x4008630a, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:54 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x0, 0x0) setsockopt$inet6_MRT6_DEL_MFC(r1, 0x29, 0xcd, &(0x7f00000000c0)={{0xa, 0x4e22, 0x8, @empty, 0x1}, {0xa, 0x4e23, 0x3, @empty, 0x3ff}, 0x5, [0xfffffffffffffffd, 0x5a79, 0xab, 0x7, 0xdbc, 0x6, 0x8001, 0x4]}, 0x5c) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) readlinkat(r1, &(0x7f0000000040)='./file0\x00', &(0x7f0000000140)=""/225, 0xe1) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6c000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1362.278425][ T3206] binder: 3199:3206 got transaction with invalid parent offset or type [ 1362.283797][ T3208] binder: BINDER_SET_CONTEXT_MGR already set [ 1362.290893][ T3210] binder: BC_ATTEMPT_ACQUIRE not supported [ 1362.313975][ T3208] binder: 3203:3208 ioctl 40046207 0 returned -16 01:56:54 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$FS_IOC_GETFLAGS(r0, 0x80086601, &(0x7f0000000000)) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1362.322296][ T3210] binder: 3198:3210 ioctl c0306201 20000780 returned -22 [ 1362.335971][ T3215] binder: 3203:3215 got transaction with invalid offset (1811939328, min 0 max 24) or object. [ 1362.349131][ T3216] binder: BC_ATTEMPT_ACQUIRE not supported [ 1362.349754][ T3219] binder: 3199:3219 got transaction with invalid parent offset or type 01:56:54 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = socket$tipc(0x1e, 0x2, 0x0) bind$tipc(r1, &(0x7f0000000000), 0x10) bind$tipc(r1, &(0x7f0000000040)=@nameseq={0x1e, 0x1, 0x0, {0x0, 0x0, 0x4}}, 0x10) bind$tipc(r1, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r2 = syz_open_dev$radio(&(0x7f00000000c0)='/dev/radio#\x00', 0x2, 0x2) r3 = syz_genetlink_get_family_id$team(&(0x7f0000000140)='team\x00') getsockopt$inet_mreqn(0xffffffffffffff9c, 0x0, 0x27, &(0x7f0000000180)={@multicast1, @dev, 0x0}, &(0x7f00000001c0)=0xc) accept4$packet(0xffffffffffffff9c, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000240)=0x14, 0x80000) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000280)={{{@in6=@mcast1, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@local}}, &(0x7f0000000380)=0xe8) getsockopt$inet_mreqn(r0, 0x0, 0x24, &(0x7f00000003c0)={@loopback, @multicast2, 0x0}, &(0x7f0000000400)=0xc) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x23, &(0x7f0000000440)={@rand_addr, @rand_addr, 0x0}, &(0x7f0000000480)=0xc) getpeername$packet(0xffffffffffffff9c, &(0x7f00000004c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000500)=0x14) getsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000600)={0x0, @multicast1, @initdev}, &(0x7f0000000640)=0xc) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000680)={{{@in6=@local, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@initdev}}, &(0x7f0000000780)=0xe8) getsockopt$inet6_mreq(r0, 0x29, 0x1f, &(0x7f0000000800)={@local, 0x0}, &(0x7f0000000840)=0x14) r14 = getgid() write$P9_RGETATTR(r2, &(0x7f0000000540)={0xa0, 0x19, 0x1, {0x1, {0x10, 0x3, 0x4}, 0x108, r12, r14, 0x20, 0x1de3000, 0x9, 0x1000, 0x800, 0x9, 0x1ff, 0x2, 0x9, 0x7, 0x1f, 0x5, 0x2, 0xffffffffffffde78, 0x7f}}, 0xa0) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f00000008c0)={'vcan0\x00', 0x0}) getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000000900)={{{@in=@remote, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@mcast1}}, &(0x7f0000000a00)=0xe8) accept$packet(0xffffffffffffffff, &(0x7f0000000b00)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000b40)=0x14) accept4(r1, &(0x7f0000000b80)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000c00)=0x80, 0x80800) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffff9c, 0x8933, &(0x7f0000000c40)={'vcan0\x00', 0x0}) sendmsg$TEAM_CMD_NOOP(r2, &(0x7f0000001340)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x88100}, 0xc, &(0x7f0000001300)={&(0x7f0000000c80)={0x654, r3, 0x312, 0x70bd29, 0x25dfdbfb, {}, [{{0x8, 0x1, r4}, {0x268, 0x2, [{0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x4}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r5}}, {0x8}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'broadcast\x00'}}}, {0x3c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0xc, 0x4, [{0x9b, 0x7, 0x280, 0x7}]}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'broadcast\x00'}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8, 0x6, r6}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8}, {0x8, 0x4, 0x4}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8, 0x4, 0x1f}}, {0x8, 0x6, r7}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x781}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0x10, 0x4, 'loadbalance\x00'}}}]}}, {{0x8, 0x1, r8}, {0x158, 0x2, [{0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8}, {0x8, 0x4, 0xfff}}, {0x8, 0x6, r9}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x3}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x10000}}}, {0x6c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x3c, 0x4, [{0x101, 0xffff, 0xeea, 0x7ff}, {0x68f, 0x8, 0x6, 0x101000}, {0x6, 0x0, 0x2, 0xce4}, {0x9, 0x8, 0xffffffffffffffff, 0x800}, {0x2, 0xfffffffffffffffe, 0x10000000000000}, {0x2, 0x401, 0x2, 0xae8}, {0x100000001, 0x643fb22f, 0xfffffffffffffff5, 0x5}]}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r10}}}]}}, {{0x8, 0x1, r11}, {0x78, 0x2, [{0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x9}}}, {0x3c, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8}, {0xc, 0x4, 'random\x00'}}}]}}, {{0x8, 0x1, r13}, {0xe8, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x4de}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r15}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x2}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r16}}}]}}, {{0x8, 0x1, r17}, {0xf8, 0x2, [{0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8}, {0x8}}, {0x8, 0x6, r18}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8, 0x4, 0x1}}}, {0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r19}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x9}}, {0x8}}}]}}]}, 0x654}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) [ 1362.376305][ T3212] *** Guest State *** [ 1362.389764][ T3212] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1362.401137][ T3216] binder: 3198:3216 ioctl c0306201 20000780 returned -22 [ 1362.409943][ T3208] binder: BINDER_SET_CONTEXT_MGR already set [ 1362.432932][ T3215] binder: 3203:3215 got transaction with invalid offset (1811939328, min 0 max 24) or object. [ 1362.444991][ T3212] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1362.459951][ T3208] binder: 3203:3208 ioctl 40046207 0 returned -16 [ 1362.466544][ T3212] CR3 = 0x0000000000000000 01:56:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40086310, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1362.476892][ T3212] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1362.498793][ T3212] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 01:56:55 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) getsockopt$IP_VS_SO_GET_SERVICE(r0, 0x0, 0x483, &(0x7f0000000000), &(0x7f00000000c0)=0x68) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xfffffdfd}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x74000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1362.526163][ T3212] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1362.573382][ T3212] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1362.581734][ T3232] binder: 3225:3232 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 1362.601543][ T3212] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1362.603823][ T3232] binder: 3225:3232 unknown command 0 [ 1362.622635][ T3212] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1362.631980][ T3232] binder: 3225:3232 ioctl c0306201 20000780 returned -22 [ 1362.635137][ T3236] binder: BINDER_SET_CONTEXT_MGR already set [ 1362.650132][ T3212] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1362.660504][ T3236] binder: 3231:3236 ioctl 40046207 0 returned -16 [ 1362.673623][ T3212] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1362.682541][ T3238] binder: 3225:3238 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 1362.695814][ T3241] binder_alloc: 3233: binder_alloc_buf failed to map pages in userspace, no vma [ 1362.697446][ T3212] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1362.718537][ T3238] binder: 3225:3238 unknown command 0 [ 1362.730049][ T3212] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1362.738913][ T3212] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1362.751687][ T3238] binder: 3225:3238 ioctl c0306201 20000780 returned -22 [ 1362.759097][ T3212] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1362.779357][ T3212] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1362.788039][ T3212] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1362.808270][ T3212] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1362.817495][ T3212] Interruptibility = 00000000 ActivityState = 00000000 [ 1362.824937][ T3212] *** Host State *** [ 1362.828966][ T3212] RIP = 0xffffffff811b4980 RSP = 0xffff88808f2e78e0 [ 1362.836102][ T3212] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1362.844084][ T3212] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1362.853063][ T3212] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1362.860026][ T3212] CR0=0000000080050033 CR3=00000000a9379000 CR4=00000000001426f0 [ 1362.867923][ T3212] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1362.875829][ T3212] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1362.883009][ T3212] *** Control State *** [ 1362.887289][ T3212] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1362.895060][ T3212] EntryControls=0000d1ff ExitControls=002fefff [ 1362.901609][ T3212] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1362.909629][ T3212] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1362.917131][ T3212] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1362.924848][ T3212] reason=80000021 qualification=0000000000000000 [ 1362.932242][ T3212] IDTVectoring: info=00000000 errcode=00000000 [ 1362.938569][ T3212] TSC Offset = 0xfffffd23bdc6aef4 [ 1362.944795][ T3212] TPR Threshold = 0x00 [ 1362.948900][ T3212] EPT pointer = 0x000000008ae7801e 01:56:55 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:55 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000040)={0x0, 'veth0_to_bridge\x00', 0x1000000000000}, 0xffffffffffffff10) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:55 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000300)={{{@in6=@mcast1, @in=@broadcast}}, {{@in=@remote}, 0x0, @in=@dev}}, &(0x7f00000001c0)=0x93) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7a000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x100000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x400c630e, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1363.074260][ T3246] binder: BINDER_SET_CONTEXT_MGR already set [ 1363.079680][ T3259] binder: 3248:3259 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 1363.113236][ T3246] binder: 3244:3246 ioctl 40046207 0 returned -16 01:56:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x200000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:55 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x180, 0x0) accept$alg(r1, 0x0, 0x0) [ 1363.118709][ T3259] binder: 3248:3259 unknown command 0 [ 1363.139286][ T3259] binder: 3248:3259 ioctl c0306201 20000780 returned -22 [ 1363.151927][ T3260] *** Guest State *** 01:56:55 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0x5a) [ 1363.167173][ T3260] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1363.181263][ T3263] binder: 3248:3263 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 1363.197365][ T3260] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:56:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xfdfdffff, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1363.224064][ T3260] CR3 = 0x0000000000000000 [ 1363.235125][ T3263] binder: 3248:3263 unknown command 0 [ 1363.240276][ T3260] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1363.254789][ T3263] binder: 3248:3263 ioctl c0306201 20000780 returned -22 01:56:55 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) getsockopt$IPT_SO_GET_ENTRIES(r0, 0x0, 0x41, &(0x7f0000000000)={'raw\x00', 0x4f, "07a42a07c0830b4f1d081711acc3a6ea4d24bd48e4416d410edcf0faacc8aa207a4ef2768e6cdf56a04ad0112a391ba7064d2cd8f435b017997d61cf10accc30b3f8c67edd5cd2016fd30594549ca5"}, &(0x7f00000000c0)=0x73) r1 = syz_open_dev$sndctrl(&(0x7f0000000100)='/dev/snd/controlC#\x00', 0x3, 0x40480) ioctl$SNDRV_CTL_IOCTL_ELEM_REMOVE(r1, 0xc0405519, &(0x7f0000000140)={0xa, 0x3, 0x0, 0x5, 'syz0\x00', 0x5f}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x300000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1363.289078][ T3260] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1363.304963][ T3275] binder: BINDER_SET_CONTEXT_MGR already set [ 1363.322337][ T3260] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1363.339261][ T3275] binder: 3274:3275 ioctl 40046207 0 returned -16 [ 1363.344045][ T3260] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1363.396931][ T3260] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1363.407441][ T3279] binder: BINDER_SET_CONTEXT_MGR already set [ 1363.416600][ T3260] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1363.430966][ T3279] binder: 3277:3279 ioctl 40046207 0 returned -16 [ 1363.435194][ T3260] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1363.456666][ T3260] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1363.466035][ T3260] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1363.482032][ T3260] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1363.495005][ T3260] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1363.506317][ T3260] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1363.521628][ T3260] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1363.533801][ T3260] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1363.548703][ T3260] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1363.563562][ T3260] Interruptibility = 00000000 ActivityState = 00000000 [ 1363.571945][ T3260] *** Host State *** [ 1363.575976][ T3260] RIP = 0xffffffff811b4980 RSP = 0xffff88805aaef8e0 [ 1363.588068][ T3260] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1363.596633][ T3260] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1363.612694][ T3260] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1363.624723][ T3260] CR0=0000000080050033 CR3=00000000a1741000 CR4=00000000001426e0 [ 1363.635868][ T3260] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1363.646701][ T3260] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1363.656842][ T3260] *** Control State *** [ 1363.664496][ T3260] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1363.675235][ T3260] EntryControls=0000d1ff ExitControls=002fefff [ 1363.684760][ T3260] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1363.695904][ T3260] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1363.706741][ T3260] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1363.717547][ T3260] reason=80000021 qualification=0000000000000000 [ 1363.727952][ T3260] IDTVectoring: info=00000000 errcode=00000000 [ 1363.737443][ T3260] TSC Offset = 0xfffffd23537a2e42 [ 1363.746708][ T3260] TPR Threshold = 0x00 [ 1363.754107][ T3260] EPT pointer = 0x00000000a3c5301e 01:56:56 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(0xffffffffffffffff, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:56 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x400c630f, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:56 executing program 0: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x8000, 0x0) getsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000040)=@assoc_value={0x0}, &(0x7f00000000c0)=0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000180)={0xfffffffffffffffe, 0x3, 0x0, 0x9, 0x8, 0x200, 0x5, 0x0, r1}, &(0x7f00000001c0)=0x20) setsockopt$inet_sctp_SCTP_AUTH_KEY(r0, 0x84, 0x17, &(0x7f0000000340)=ANY=[@ANYRES32=r2, @ANYBLOB="000004000000bb0900930569c6a50000000000000022e13ceaae7a3a56cd73f1b14918df32f496f464e65207db2eef3f065d0fac8941a2134bd4eae313fbdab738cc7780c95a65309f6718439e0e81483fe686854ccb11d52f87abbcf42eb11be3f236569184db4eab4bc89720386f24ed0a3678ac46254f276251a980dacf13812691f3c8c92f7a5316ad860018c6de5c9c446c84145f9baae8b79a369c3a3ca731c548391976fbb1ecea98aedbece09fd5f82653716c2037bd9a7645cb55aa5459670fe0d46f2a5d7433978bf9484e4145018684732f84579f6b4829f1613d95e897180eacfcd625b56dcef17a2cfd8284de6f0a85c3586e3b7e00000000000000"], 0x25) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f0000000100)={0x9, 0x8006, 0x101, 0x7, r1}, &(0x7f0000000140)=0x10) ioctl$sock_SIOCDELDLCI(r0, 0x8981, &(0x7f00000002c0)={'ip6gre0\x00', 0x4}) r3 = socket$inet6_sctp(0xa, 0x7ffffff, 0x84) ioctl$SIOCRSACCEPT(r0, 0x89e3) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r3, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0xac) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000300)={r2, 0x3}, 0x8) lsetxattr$security_smack_entry(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='security.SMACK64IPOUT\x00', &(0x7f0000000280)='{\'\x00', 0x3, 0x2) 01:56:56 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$adsp(&(0x7f00000000c0)='/dev/adsp#\x00', 0x2, 0x2) write$P9_RAUTH(r1, &(0x7f0000000100)={0x14, 0x67, 0x1, {0x2, 0x1, 0x4}}, 0x14) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x204180, 0x0) setsockopt$XDP_RX_RING(r2, 0x11b, 0x2, &(0x7f0000000140)=0x4010, 0x4) ioctl$SG_SET_RESERVED_SIZE(r2, 0x2275, &(0x7f0000000040)=0xffffffffffff2530) 01:56:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xfffffdfd, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x400000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:56 executing program 0: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000000c0)={0x0, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1b}}}, [0x4299e4c7, 0x100000001, 0x1, 0x7, 0x2, 0x4, 0x80, 0x8001, 0x0, 0x401, 0x1000, 0x7fffffff, 0x81, 0x4, 0xe2]}, &(0x7f0000000040)=0x100) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f00000001c0)={r2, @in={{0x2, 0x4e24, @local}}, 0x7fff, 0x6, 0x6, 0x8f42, 0x40}, 0x98) getpeername$netrom(r1, &(0x7f0000000280)={{}, [@rose, @bcast, @remote, @remote, @bcast, @bcast, @rose, @netrom]}, &(0x7f0000000300)=0x48) [ 1363.877042][ T3292] binder: 3288:3292 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 01:56:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x100000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:56 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_group_source_req(r0, 0x0, 0x2f, &(0x7f00000000c0)={0xfffffffffffffc01, {{0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x1f}}}, {{0x2, 0x4e22, @rand_addr=0x4bb0}}}, 0x108) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:56:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x500000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1363.955470][ T3292] binder: 3288:3292 unknown command 0 [ 1363.961528][ T3303] *** Guest State *** [ 1363.965698][ T3303] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1363.989296][ T3292] binder: 3288:3292 ioctl c0306201 20000780 returned -22 [ 1364.009554][ T3303] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1364.009984][ T3307] binder: 3288:3307 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 1364.026656][ T3303] CR3 = 0x0000000000000000 01:56:56 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffff9c, 0x84, 0x0, &(0x7f0000000000)={0x0, 0x2, 0x2, 0x800}, &(0x7f0000000040)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f00000000c0)={0x1, 0x2, 0x1, 0x41, r1}, &(0x7f0000000100)=0x10) fcntl$setpipe(r0, 0x407, 0xc5c) [ 1364.058870][ T3303] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1364.060679][ T3310] binder: BINDER_SET_CONTEXT_MGR already set [ 1364.086152][ T3303] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1364.088320][ T3310] binder: 3308:3310 ioctl 40046207 0 returned -16 01:56:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x600000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1364.105325][ T3303] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1364.140982][ T3303] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1364.151746][ T3307] binder: 3288:3307 unknown command 0 [ 1364.179267][ T3307] binder: 3288:3307 ioctl c0306201 20000780 returned -22 [ 1364.192634][ T3303] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1364.238831][ T3303] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1364.259390][ T3303] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1364.273679][ T3303] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1364.286212][ T3303] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1364.295166][ T3303] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1364.304048][ T3303] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1364.313976][ T3303] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1364.322857][ T3303] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1364.331763][ T3303] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1364.338975][ T3303] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1364.347315][ T3303] Interruptibility = 00000000 ActivityState = 00000000 [ 1364.354445][ T3303] *** Host State *** [ 1364.358456][ T3303] RIP = 0xffffffff811b4980 RSP = 0xffff888055c8f8e0 [ 1364.365306][ T3303] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1364.372580][ T3303] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1364.381214][ T3303] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1364.387942][ T3303] CR0=0000000080050033 CR3=000000008e985000 CR4=00000000001426e0 [ 1364.395817][ T3303] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1364.403350][ T3303] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1364.410245][ T3303] *** Control State *** [ 1364.414505][ T3303] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1364.422047][ T3303] EntryControls=0000d1ff ExitControls=002fefff [ 1364.428319][ T3303] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1364.436103][ T3303] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1364.443607][ T3303] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1364.451066][ T3303] reason=80000021 qualification=0000000000000000 [ 1364.458183][ T3303] IDTVectoring: info=00000000 errcode=00000000 [ 1364.464495][ T3303] TSC Offset = 0xfffffd22e7b468f5 [ 1364.469713][ T3303] TPR Threshold = 0x00 [ 1364.473916][ T3303] EPT pointer = 0x000000005edb901e 01:56:57 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(0xffffffffffffffff, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:57 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000000)={0x0, 0x1}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x22, &(0x7f00000000c0)={0x4, 0x4, 0x3, 0x0, r1}, 0x10) 01:56:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x200000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:57 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40106308, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:57 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x100, 0x0) write$P9_RRENAMEAT(r1, &(0x7f00000000c0)={0x4, 0x4b, 0x1}, 0xffffffffffffff41) 01:56:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x700000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1364.590437][ T3337] binder: 3327:3337 BC_INCREFS_DONE u0000000000000000 no match [ 1364.608574][ T3339] binder_transaction: 39 callbacks suppressed [ 1364.608592][ T3339] binder: 3330:3339 transaction failed 29201/-22, size 64-16 line 3389 [ 1364.623814][ T3337] binder: 3327:3337 unknown command 0 [ 1364.624581][ T3331] binder: BINDER_SET_CONTEXT_MGR already set 01:56:57 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000200)='/proc/capi/capi20\x00', 0x83, 0x0) getsockopt$bt_BT_RCVMTU(r1, 0x112, 0xd, &(0x7f0000000040)=0x3, &(0x7f00000000c0)=0x2) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1364.638303][ T3337] binder: 3327:3337 ioctl c0306201 20000780 returned -22 [ 1364.654798][ T3342] binder: 3330:3342 transaction failed 29201/-22, size 64-16 line 3389 [ 1364.672402][ T3344] binder: 3327:3344 BC_INCREFS_DONE u0000000000000000 no match 01:56:57 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x210002, 0x0) bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x15, &(0x7f0000000040)={r1, &(0x7f00000000c0)="cb14b3672c7fd02ae30d66c03dc2718026cdc90c99afdee9a07eb9c4ea25c0a0626f375a43ec3af37d0403cd54602e24e5fc7d441c698f636791f2d2a9a61278bebed7a84bc54b9e844304a077abfaae49ed4ca7181a63e2e26d4c964921eb29e40b21e83a345c700f70805af200fa6edd4fd309a89fe9877fadac957b545b371523c19bea79b734", &(0x7f0000000180)=""/247}, 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000280)=0x1, 0x4) [ 1364.686407][ T3344] binder: 3327:3344 unknown command 0 [ 1364.698743][ T3344] binder: 3327:3344 ioctl c0306201 20000780 returned -22 [ 1364.699868][ T3331] binder: 3323:3331 ioctl 40046207 0 returned -16 [ 1364.706103][ T3345] binder: 3323:3345 transaction failed 29201/-22, size 24-16 line 3242 [ 1364.733551][T19558] binder_release_work: 40 callbacks suppressed 01:56:57 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40106309, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xa00000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1364.733558][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:57 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x8e0, 0x4000) ioctl$SG_GET_TIMEOUT(r1, 0x2202, 0x0) setsockopt$IPT_SO_SET_ADD_COUNTERS(r1, 0x0, 0x41, &(0x7f00000000c0)={'nat\x00', 0x5, [{}, {}, {}, {}, {}]}, 0x78) [ 1364.815804][ T3341] *** Guest State *** [ 1364.842988][ T3341] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1364.853222][ T3353] binder: 3352:3353 BC_ACQUIRE_DONE u0000000000000000 no match [ 1364.864883][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1364.865092][ T3345] binder: 3323:3345 transaction failed 29189/-22, size 24-16 line 2995 01:56:57 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x0, 0x0) ioctl$VIDIOC_DV_TIMINGS_CAP(r1, 0xc0905664, &(0x7f0000000180)={0x0, 0x0, [], @raw_data=[0x3f, 0x6, 0x11af, 0x3, 0x7fffffff, 0x4, 0x5, 0x10, 0x800, 0x2, 0x80, 0x40, 0xfffffffffffffffd, 0x927, 0x9, 0x7fff, 0xf021, 0xffffffffffffffff, 0x400, 0x3, 0x48, 0x4, 0x4, 0x7, 0x8b, 0xffff, 0x3, 0x0, 0x1000, 0x2, 0xcb57, 0x1ff]}) ioctl(r0, 0x7f, &(0x7f00000000c0)="9e55b52377df622505fafe172144efdb01a9dd75e75bf5581c28be389f15048fc7ad33a3c796f12609ff159dd0a7e477da23603fac5dea4b59f5e5b69d3a4ab221fbb0facdbeef86fc68055237e4023956b9f37412f2b1a8529d10d8bb8ac5f4eb5955fbc8ab2eab5c2cfce47c39c6d1170e25ad36ba4c7bd482bd11d338c7ae0ee3b29bd21d70de920a4c4de5e7130e508d7d5e83cce5ac85fb75dcf596821de7808780") [ 1364.887795][ T3357] binder: 3355:3357 transaction failed 29201/-22, size 64-16 line 3389 [ 1364.899064][ T3341] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1364.907777][ T3353] binder: 3352:3353 unknown command 0 [ 1364.924083][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1364.943845][ T3341] CR3 = 0x0000000000000000 [ 1364.944261][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1364.955991][ T3360] binder_alloc: 3355: binder_alloc_buf, no vma [ 1364.959283][ T3353] binder: 3352:3353 ioctl c0306201 20000780 returned -22 [ 1364.968708][ T3341] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1364.992364][ T3360] binder: 3355:3360 transaction failed 29189/-3, size 64-16 line 3148 [ 1365.000203][ T3362] binder: 3352:3362 BC_ACQUIRE_DONE u0000000000000000 no match [ 1365.010038][ T3341] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1365.022136][ T3362] binder: 3352:3362 unknown command 0 [ 1365.035705][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1365.043666][ T3362] binder: 3352:3362 ioctl c0306201 20000780 returned -22 [ 1365.048843][ T3341] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1365.067988][ T3341] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1365.112275][ T3341] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1365.139610][ T3341] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1365.159389][ T3341] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1365.179360][ T3341] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1365.200106][ T3341] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1365.219355][ T3341] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1365.239251][ T3341] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1365.253131][ T3341] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1365.285080][ T3341] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1365.325169][ T3341] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1365.332474][ T3341] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1365.349313][ T3341] Interruptibility = 00000000 ActivityState = 00000000 [ 1365.369251][ T3341] *** Host State *** [ 1365.373253][ T3341] RIP = 0xffffffff811b4980 RSP = 0xffff88808e7cf8e0 [ 1365.389266][ T3341] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1365.409271][ T3341] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1365.429285][ T3341] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1365.449329][ T3341] CR0=0000000080050033 CR3=0000000095c9c000 CR4=00000000001426e0 [ 1365.485098][ T3341] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1365.492670][ T3341] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1365.525110][ T3341] *** Control State *** [ 1365.529446][ T3341] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1365.549327][ T3341] EntryControls=0000d1ff ExitControls=002fefff [ 1365.555557][ T3341] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1365.589215][ T3341] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1365.596628][ T3341] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1365.629229][ T3341] reason=80000021 qualification=0000000000000000 [ 1365.636291][ T3341] IDTVectoring: info=00000000 errcode=00000000 [ 1365.650368][ T3341] TSC Offset = 0xfffffd2271edfc24 [ 1365.655516][ T3341] TPR Threshold = 0x00 [ 1365.670268][ T3341] EPT pointer = 0x000000005fb7f01e 01:56:58 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(0xffffffffffffffff, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x300000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x1000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:58 executing program 0: r0 = socket$inet6_sctp(0xa, 0x201, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:58 executing program 2: r0 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x0, 0x101000) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f0000000100)={0x0, @in6={{0xa, 0x4e20, 0x9, @dev={0xfe, 0x80, [], 0xd}, 0x8}}}, &(0x7f00000001c0)=0x84) setsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000200)={r1, 0x3}, 0x8) r2 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r2, 0x800000000008982, &(0x7f0000000080)) setsockopt$TIPC_IMPORTANCE(r0, 0x10f, 0x7f, &(0x7f0000000040)=0xff, 0x4) ioctl$VIDIOC_STREAMOFF(r0, 0x40045613, &(0x7f00000000c0)=0x5) 01:56:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1365.783763][ T3374] binder: 3367:3374 transaction failed 29189/-22, size 24-0 line 2995 [ 1365.797739][ T3372] binder_transaction: 6 callbacks suppressed [ 1365.797755][ T3372] binder: 3368:3372 got transaction with invalid offset (216172782113783808, min 0 max 24) or object. [ 1365.811222][T17703] binder: undelivered TRANSACTION_ERROR: 29189 [ 1365.816176][ T3370] binder: BINDER_SET_CONTEXT_MGR already set 01:56:58 executing program 0: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1365.832816][ T3370] binder: 3366:3370 ioctl 40046207 0 returned -16 [ 1365.839478][ T3376] binder: 3367:3376 unknown command 0 [ 1365.844931][ T3376] binder: 3367:3376 ioctl c0306201 20000780 returned -22 [ 1365.860686][ T3370] binder_fixup_parent: 13 callbacks suppressed [ 1365.860695][ T3370] binder: 3366:3370 got transaction with invalid parent offset or type 01:56:58 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x0, 'veth0_to_bridge\x00'}, 0x18) write$P9_RRENAME(0xffffffffffffff9c, &(0x7f0000000040)={0x7, 0x15, 0x2}, 0x7) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1365.879947][ T3372] binder: 3368:3372 transaction failed 29201/-22, size 24-16 line 3242 [ 1365.893685][ T3370] binder: 3366:3370 transaction failed 29201/-22, size 64-16 line 3389 [ 1365.906266][ T3379] binder: 3368:3379 got transaction with invalid offset (216172782113783808, min 0 max 24) or object. [ 1365.917439][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:56:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1365.932911][ T3377] *** Guest State *** [ 1365.938674][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1365.942733][ T3377] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1365.954889][ T3381] binder: 3366:3381 got transaction with invalid parent offset or type [ 1365.966416][T19558] binder: release 3367:3376 transaction 9949 out, still active [ 1365.987042][ T3379] binder: 3368:3379 transaction failed 29201/-22, size 24-16 line 3242 [ 1365.995516][ T3377] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1366.008938][T19558] binder: undelivered TRANSACTION_COMPLETE 01:56:58 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x14000, 0x0) setsockopt$packet_buf(r1, 0x107, 0x16, &(0x7f0000000040)="b95a3bd49379a27794221cabe7f951c68ae859e2e30b73eb26de2a4ed07eb1a83d3943d5b3", 0x25) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f00000001c0)={0x0, 0x8}, &(0x7f0000000200)=0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:56:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1366.033449][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1366.040288][ T3377] CR3 = 0x0000000000000000 [ 1366.044854][ T3377] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1366.066410][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1366.066908][ T3388] binder: 3385:3388 got reply transaction with no transaction stack 01:56:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x400000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1366.095170][T19558] binder: send failed reply for transaction 9949, target dead [ 1366.099764][ T3377] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1366.139298][ T3377] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1366.155291][ T3377] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1366.166585][ T3393] binder: 3389:3393 got transaction with invalid parent offset or type [ 1366.175592][ T3395] binder: 3385:3395 got reply transaction with no transaction stack [ 1366.176708][ T3377] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1366.203977][ T3396] binder: BINDER_SET_CONTEXT_MGR already set [ 1366.213646][ T3377] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1366.217650][ T3396] binder: 3391:3396 ioctl 40046207 0 returned -16 [ 1366.232714][ T3377] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1366.241693][ T3397] binder: 3389:3397 got transaction with invalid parent offset or type [ 1366.244240][ T3396] binder: 3391:3396 got transaction with invalid offset (288230376151711744, min 0 max 24) or object. [ 1366.261388][ T3377] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1366.286431][ T3377] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1366.302304][ T3377] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1366.317802][ T3399] binder_alloc: 3389: binder_alloc_buf, no vma [ 1366.325841][ T3377] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1366.338424][ T3377] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1366.355238][ T3377] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1366.365513][ T3377] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1366.383861][ T3377] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1366.397006][ T3377] Interruptibility = 00000000 ActivityState = 00000000 [ 1366.405129][ T3377] *** Host State *** [ 1366.409036][ T3377] RIP = 0xffffffff811b4980 RSP = 0xffff88808e7cf8e0 [ 1366.424392][ T3377] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1366.434801][ T3377] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1366.446329][ T3377] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1366.455965][ T3377] CR0=0000000080050033 CR3=00000000a043b000 CR4=00000000001426e0 [ 1366.466684][ T3377] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1366.477073][ T3377] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1366.486822][ T3377] *** Control State *** [ 1366.493958][ T3377] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1366.505722][ T3377] EntryControls=0000d1ff ExitControls=002fefff [ 1366.516067][ T3377] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1366.526861][ T3377] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1366.537256][ T3377] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1366.547658][ T3377] reason=80000021 qualification=0000000000000000 [ 1366.557861][ T3377] IDTVectoring: info=00000000 errcode=00000000 [ 1366.567029][ T3377] TSC Offset = 0xfffffd21dbf88d80 [ 1366.575059][ T3377] TPR Threshold = 0x00 [ 1366.579139][ T3377] EPT pointer = 0x000000008f7d201e 01:56:59 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, 0x0) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:56:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x500000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:59 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000040)=0x28b) r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x40480, 0x0) getsockopt$ARPT_SO_GET_REVISION_TARGET(r1, 0x0, 0x63, &(0x7f0000000080)={'icmp6\x00'}, &(0x7f00000000c0)=0x1e) close(r1) ioctl$LOOP_CHANGE_FD(r1, 0x4c06, r0) 01:56:59 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000100)={0x0, 'vetL0_to_bridge\x00'}, 0xfffffffffffffd68) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x2, 0x0) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000040), &(0x7f00000000c0)=0x4) 01:56:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486309, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:56:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x2800000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1366.693818][ T3406] binder: 3402:3406 unknown command 1078485769 [ 1366.703896][ T3404] binder: 3403:3404 got transaction with invalid parent offset or type [ 1366.710378][ T3408] binder: BINDER_SET_CONTEXT_MGR already set [ 1366.729332][ T3406] binder: 3402:3406 ioctl c0306201 20000780 returned -22 [ 1366.731141][ T3408] binder: 3405:3408 ioctl 40046207 0 returned -16 01:56:59 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x3, 0x0) setsockopt$inet6_tcp_TLS_RX(r1, 0x6, 0x2, &(0x7f0000000480), 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1366.750308][ T3414] binder: 3403:3414 got transaction with invalid parent offset or type [ 1366.758999][ T3415] binder: 3405:3415 got transaction with invalid offset (360287970189639680, min 0 max 24) or object. [ 1366.770240][ T3416] binder: 3402:3416 unknown command 1078485769 [ 1366.776549][ T3416] binder: 3402:3416 ioctl c0306201 20000780 returned -22 01:56:59 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) getresuid(&(0x7f00000000c0)=0x0, &(0x7f0000000100), &(0x7f0000000140)) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000180)={{{@in=@local, @in6=@ipv4={[], [], @dev}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@multicast1}}, &(0x7f0000000280)=0xe8) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f00000002c0)={{{@in6, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in6=@remote}}, &(0x7f00000003c0)=0xe8) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000400)={0x0, 0x0}, &(0x7f0000000440)=0xc) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000480)={{{@in=@local, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @loopback}}, 0x0, @in=@empty}}, &(0x7f0000000580)=0xe8) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f00000005c0)={{{@in6=@empty, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@initdev}}, &(0x7f00000006c0)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000000700)={{{@in=@broadcast, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@initdev}, 0x0, @in6=@initdev}}, &(0x7f0000000800)=0xe8) lstat(&(0x7f0000000840)='./file0\x00', &(0x7f0000000880)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000900)={0x0, 0x0}, &(0x7f0000000940)=0xc) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000980)={{{@in=@loopback, @in6=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@ipv4={[], [], @local}}}, &(0x7f0000000a80)=0xe8) getgroups(0x3, &(0x7f0000000ac0)=[0xee00, 0xee01, 0xffffffffffffffff]) r12 = getgid() r13 = request_key(&(0x7f0000000d80)='syzkaller\x00', &(0x7f0000000dc0)={'syz', 0x1}, &(0x7f0000000e00)='veth0_to_bridge\x00', 0xfffffffffffffffc) r14 = add_key(&(0x7f0000000e40)='encrypted\x00', &(0x7f0000000e80)={'syz', 0x2}, &(0x7f0000000ec0)="09d92e8d43fb5195b1156a43909e17e06b69a438884dacb041013d0cd9e795b75818037ff41464adfb2d72bf7b8ab8a6ba3ed6f88a4807795161c063528cb4a5055fb6e32052cd10e300ade2adb2b7bd02561584a8b785dc13d7f3d4eba8ad1860ef", 0x62, 0xfffffffffffffff9) keyctl$negate(0xd, r13, 0x1f, r14) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000b00)={0x0, 0x0, 0x0}, &(0x7f0000000b40)=0xc) r16 = getgid() getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000b80)={0x0, 0x0, 0x0}, &(0x7f0000000bc0)=0xc) stat(&(0x7f0000000c00)='./file0\x00', &(0x7f0000000c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fsetxattr$system_posix_acl(r0, &(0x7f0000000040)='system.posix_acl_default\x00', &(0x7f0000000cc0)={{}, {0x1, 0x4}, [{0x2, 0x1, r1}, {0x2, 0x4, r2}, {0x2, 0x0, r3}, {0x2, 0x7, r4}, {0x2, 0x1, r5}, {0x2, 0x1, r6}, {0x2, 0x2, r7}, {0x2, 0x6, r8}, {0x2, 0x7, r9}, {0x2, 0x5, r10}], {0x4, 0x5}, [{0x8, 0xe77a44a6dcbe0490, r11}, {0x8, 0x1, r12}, {0x8, 0x3, r15}, {0x8, 0x1, r16}, {0x8, 0x5, r17}, {0x8, 0x4, r18}], {0x10, 0x6}}, 0xa4, 0x3) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r19 = fcntl$dupfd(r0, 0x406, r0) ioctl$SG_GET_RESERVED_SIZE(r19, 0x2272, &(0x7f0000000000)) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1366.804928][ T3408] binder: BINDER_SET_CONTEXT_MGR already set [ 1366.812588][ T3408] binder: 3405:3408 ioctl 40046207 0 returned -16 [ 1366.824236][ T3415] binder: 3405:3415 got transaction with invalid offset (360287970189639680, min 0 max 24) or object. 01:56:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3800000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:56:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x600000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:56:59 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$bt_BT_CHANNEL_POLICY(r0, 0x112, 0xa, &(0x7f0000000000)=0xfffffffffffffffe, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f00000000c0)=0xfffffffffffffead) 01:56:59 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1366.883715][ T3417] *** Guest State *** [ 1366.903142][ T3417] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1366.979295][ T3417] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1367.001258][ T3427] binder: 3422:3427 got transaction with invalid parent offset or type [ 1367.009515][ T3428] binder: BINDER_SET_CONTEXT_MGR already set [ 1367.019403][ T3417] CR3 = 0x0000000000000000 [ 1367.024031][ T3417] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1367.036218][ T3428] binder: 3423:3428 ioctl 40046207 0 returned -16 [ 1367.038896][ T3417] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1367.050728][ T3430] binder: 3425:3430 got reply transaction with no transaction stack [ 1367.063921][ T3417] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1367.077833][ T3434] binder_alloc: 3422: binder_alloc_buf failed to map pages in userspace, no vma [ 1367.095381][ T3435] binder: 3425:3435 got reply transaction with no transaction stack [ 1367.100447][ T3417] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1367.130861][ T3417] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1367.146283][ T3417] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1367.160147][ T3436] binder_alloc: 3423: binder_alloc_buf, no vma [ 1367.163841][ T3417] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1367.177641][ T3417] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1367.193112][ T3417] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1367.205892][ T3417] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1367.221369][ T3417] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1367.241679][ T3417] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1367.254814][ T3417] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1367.265972][ T3417] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1367.277894][ T3417] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1367.288535][ T3417] Interruptibility = 00000000 ActivityState = 00000000 [ 1367.301895][ T3417] *** Host State *** [ 1367.305964][ T3417] RIP = 0xffffffff811b4980 RSP = 0xffff8880565bf8e0 [ 1367.316137][ T3417] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1367.326629][ T3417] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1367.338503][ T3417] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1367.348429][ T3417] CR0=0000000080050033 CR3=000000008fb68000 CR4=00000000001426e0 [ 1367.362506][ T3417] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1367.372198][ T3417] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1367.378965][ T3417] *** Control State *** [ 1367.387402][ T3417] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1367.397285][ T3417] EntryControls=0000d1ff ExitControls=002fefff [ 1367.407902][ T3417] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1367.417942][ T3417] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1367.431697][ T3417] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1367.439023][ T3417] reason=80000021 qualification=0000000000000000 [ 1367.452686][ T3417] IDTVectoring: info=00000000 errcode=00000000 [ 1367.458875][ T3417] TSC Offset = 0xfffffd21596f5c83 [ 1367.466309][ T3417] TPR Threshold = 0x00 [ 1367.474687][ T3417] EPT pointer = 0x000000008c1fd01e 01:57:00 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, 0x0) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:00 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) listxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000100)=""/99, 0x63) r1 = openat$vimc0(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video0\x00', 0x2, 0x0) ioctl$VIDIOC_S_FREQUENCY(r1, 0x402c5639, &(0x7f0000000040)={0x10000, 0x5, 0xd31}) 01:57:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x3f00000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:00 executing program 0: r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x20000, 0x0) write$P9_RMKNOD(r0, &(0x7f0000000040)={0x14, 0x13, 0x1, {0x43, 0x1, 0x5}}, 0x14) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x4048635b, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x700000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1367.582504][ T3443] binder: 3438:3443 got transaction with invalid parent offset or type [ 1367.594585][ T3445] binder: BINDER_SET_CONTEXT_MGR already set [ 1367.602663][ T3448] binder: 3442:3448 unknown command 1078485851 [ 1367.620339][ T3445] binder: 3440:3445 ioctl 40046207 0 returned -16 01:57:00 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = accept(r0, &(0x7f0000000000)=@vsock={0x28, 0x0, 0x0, @my}, &(0x7f00000000c0)=0x80) setsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000100)={0x1000}, 0x4) getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r1, 0x84, 0x6d, &(0x7f0000000140)={0x0, 0xc7, "fb5511e97ea557ae3111f58055f6111a32b3249e44f6800aaf6a3ee84c376115ea2f71caf176c9f1caf8656058b32f1b096f28c516c3347a538ace13bde6e705f31edd1ce4c8cb1261fd401bb1d98a19eb411966293340fc4d2b099999ce54bdf1ce3ad77173978ac580d2bb4d824d96747350dd725ac420ad89884e8fc837f669c98ba02185581bc37683f89adc9e2472c0fe6b969ec702d44a54f3966ba004d12185362181e59025a112cf33d523a3cb38ddf39577edff659797fa6731f2c2683cbc146e0a9a"}, &(0x7f0000000240)=0xcf) setsockopt$inet_sctp_SCTP_ADD_STREAMS(r1, 0x84, 0x79, &(0x7f0000000280)={r2, 0x0, 0x401}, 0x8) setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f00000002c0)={r2, @in6={{0xa, 0x4e22, 0xb95, @mcast2, 0x400}}, 0x9, 0x1f}, 0x90) 01:57:00 executing program 2: r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x202, 0x0) getsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000000040), &(0x7f00000000c0)=0x4) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000100)) [ 1367.625500][ T3448] binder: 3442:3448 ioctl c0306201 20000780 returned -22 [ 1367.634667][ T3450] binder: 3438:3450 got transaction with invalid parent offset or type [ 1367.638532][ T3445] binder: 3440:3445 got transaction with invalid offset (504403158265495552, min 0 max 24) or object. [ 1367.691608][ T3453] binder: 3442:3453 unknown command 1078485851 [ 1367.710015][ T3454] binder: 3440:3454 got transaction with invalid offset (504403158265495552, min 0 max 24) or object. [ 1367.710522][ T3445] binder: BINDER_SET_CONTEXT_MGR already set 01:57:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1367.766080][ T3453] binder: 3442:3453 ioctl c0306201 20000780 returned -22 01:57:00 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x7, &(0x7f0000000200)="e74a5bf149717e805c581488a282f8ca4743c50f461f2653da7961fbfd62b830e4cb00") [ 1367.816633][ T3456] *** Guest State *** 01:57:00 executing program 0: r0 = socket$inet6_sctp(0xa, 0x100000001, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) timer_create(0x7, &(0x7f0000000000)={0x0, 0x2a, 0x1, @tid=0xffffffffffffffff}, &(0x7f0000000040)=0x0) timer_settime(r1, 0x0, &(0x7f00000000c0)={{0x0, 0x989680}}, &(0x7f0000000100)) [ 1367.840513][ T3445] binder: 3440:3445 ioctl 40046207 0 returned -16 [ 1367.847117][ T3456] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1367.866595][ T3461] binder: 3460:3461 got transaction with invalid parent offset or type 01:57:00 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486363, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1367.886365][ T3456] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1367.932778][ T3456] CR3 = 0x0000000000000000 [ 1367.948962][ T3456] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1367.972001][ T3456] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1367.994944][ T3469] binder: 3468:3469 unknown command 1078485859 [ 1367.995917][ T3456] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1368.019550][ T3469] binder: 3468:3469 ioctl c0306201 20000780 returned -22 [ 1368.022407][ T3456] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1368.056113][ T3470] binder: 3468:3470 unknown command 1078485859 [ 1368.066663][ T3470] binder: 3468:3470 ioctl c0306201 20000780 returned -22 [ 1368.068462][ T3456] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1368.119362][ T3456] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1368.133950][ T3456] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1368.149353][ T3456] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1368.174323][ T3456] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1368.194192][ T3456] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1368.219386][ T3456] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1368.240384][ T3456] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1368.274264][ T3456] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1368.315235][ T3456] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1368.335159][ T3456] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1368.355241][ T3456] Interruptibility = 00000000 ActivityState = 00000000 [ 1368.375132][ T3456] *** Host State *** [ 1368.395139][ T3456] RIP = 0xffffffff811b4980 RSP = 0xffff88805fd8f8e0 [ 1368.415141][ T3456] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1368.429300][ T3456] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1368.439278][ T3456] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1368.445991][ T3456] CR0=0000000080050033 CR3=000000009ed9b000 CR4=00000000001426e0 [ 1368.494199][ T3456] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1368.502714][ T3456] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1368.534188][ T3456] *** Control State *** [ 1368.538403][ T3456] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1368.560219][ T3456] EntryControls=0000d1ff ExitControls=002fefff [ 1368.566416][ T3456] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1368.615073][ T3456] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1368.622581][ T3456] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1368.655103][ T3456] reason=80000021 qualification=0000000000000000 [ 1368.664327][ T3456] IDTVectoring: info=00000000 errcode=00000000 [ 1368.695233][ T3456] TSC Offset = 0xfffffd20db86800f [ 1368.700369][ T3456] TPR Threshold = 0x00 [ 1368.704482][ T3456] EPT pointer = 0x00000000a684701e 01:57:01 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, 0x0) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xa00000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4800000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:01 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x101000, 0x0) bind$x25(r1, &(0x7f0000000040)={0x9, @null=' \x00'}, 0x12) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:01 executing program 0: prctl$PR_MPX_ENABLE_MANAGEMENT(0x2b) socket$inet6_sctp(0xa, 0x1, 0x84) r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x0, 0x100) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000040)={0x0, 0x0, 0x30, 0x5, 0x812}, &(0x7f0000000080)=0x18) getsockopt$inet_sctp_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f00000000c0)={r1, 0x1}, &(0x7f0000000180)=0x6) 01:57:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1368.829933][ T3479] binder: 3474:3479 got transaction to invalid handle [ 1368.837452][ T3480] binder: 3471:3480 got transaction with invalid offset (720575940379279360, min 0 max 24) or object. [ 1368.844537][ T3481] binder: BINDER_SET_CONTEXT_MGR already set 01:57:01 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = socket$can_bcm(0x1d, 0x2, 0x2) getsockname(r1, 0x0, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:01 executing program 0: r0 = socket$inet6_sctp(0xa, 0x4000000005, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000200)='/dev/dlm_plock\x00', 0x40001, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000240)={0xffffffffffffffff}, 0x13f, 0x8}}, 0x20) write$RDMA_USER_CM_CMD_CONNECT(r1, &(0x7f00000002c0)={0x6, 0x118, 0xfa00, {{0x8, 0x9, "c47a1fdc4ca530540d07274960e08dc3ffa2b3fea0133026e6e1413ff1991c8727feb4852c3c0f0c150c78720e98a37c33af7e91f4d698c9a46c6b8dd64fd72adde219157a77e50b3cdb48fa8a43137819ff0af1934890048e08a669311221c336c8e4449c47d22cf8432c8dcef8f80c820ab1b134a1aa1e74b361a6a8a5c55ca2b2d31c9ef48429f2db1a9e42755c6c9cba7d05ce0828b0e9d45ad5f614f007529ae3ecf9fd76b53c5877ddcab96b19c00685fdb3305edd643e82b47235135d8ae41c87edc3cd8e3fb64837abb6ce583e37592c0cf96c607c4e67a7d974660f7eec2249f64415fc7c2d0fff08e4011d1ad6c548d4473dea9add668c19ffccd0", 0x87, 0x8, 0x78, 0x0, 0x5, 0x5, 0x9, 0x1}, r2}}, 0x120) getsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f00000000c0)={r3, @in={{0x2, 0x4e20, @empty}}}, 0x84) fsync(r0) r4 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000180)='/dev/hwrng\x00', 0x4000, 0x0) ioctl$VIDIOC_S_HW_FREQ_SEEK(r4, 0x40305652, &(0x7f00000001c0)={0xab3, 0x3, 0x200, 0x300, 0x9483, 0x10000, 0x6}) [ 1368.876910][ T3483] binder: 3474:3483 got transaction to invalid handle [ 1368.893278][ T3481] binder: 3475:3481 ioctl 40046207 0 returned -16 [ 1368.913818][ T3487] binder: 3471:3487 got transaction with invalid offset (720575940379279360, min 0 max 24) or object. 01:57:01 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1368.997227][ T3493] *** Guest State *** 01:57:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x4c00000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x1000000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1369.018464][ T3493] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:57:01 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000500)='/proc/capi/capi20\x00', 0x9a2877f6f8f7f14e, 0x0) setsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f0000000540)=0x100000000, 0x4) getpeername$inet(r0, &(0x7f0000000000)={0x2, 0x0, @dev}, &(0x7f0000000040)=0x10) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x4000000000, 'veth0_to_bridge\x00', 0xfffffffffffffffd}, 0x18) getsockopt$bt_BT_SECURITY(r1, 0x112, 0x4, &(0x7f00000000c0), 0x2) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1369.099568][ T3493] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1369.132359][ T3498] binder: 3494:3498 got transaction to invalid handle [ 1369.132773][ T3493] CR3 = 0x0000000000000000 [ 1369.147265][ T3501] binder: 3497:3501 got transaction with invalid offset (1152921504606846976, min 0 max 24) or object. [ 1369.158983][ T3493] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1369.160193][ T3500] binder: BINDER_SET_CONTEXT_MGR already set [ 1369.172923][ T3493] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1369.189118][ T3502] binder: 3494:3502 got transaction to invalid handle [ 1369.197648][ T3493] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1369.204428][ T3500] binder: 3496:3500 ioctl 40046207 0 returned -16 [ 1369.227212][ T3493] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1369.235481][ T3505] binder_alloc: 3497: binder_alloc_buf, no vma [ 1369.262283][ T3493] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1369.275179][ T3500] binder: BINDER_SET_CONTEXT_MGR already set [ 1369.294463][ T3505] binder_alloc: 3497: binder_alloc_buf, no vma [ 1369.297933][ T3493] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1369.332371][ T3500] binder: 3496:3500 ioctl 40046207 0 returned -16 [ 1369.349666][ T3493] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1369.369289][ T3493] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1369.389643][ T3493] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1369.409295][ T3493] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1369.429295][ T3493] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1369.449284][ T3493] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1369.469273][ T3493] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1369.489254][ T3493] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1369.505319][ T3493] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1369.545180][ T3493] Interruptibility = 00000000 ActivityState = 00000000 [ 1369.552329][ T3493] *** Host State *** [ 1369.556385][ T3493] RIP = 0xffffffff811b4980 RSP = 0xffff88805c4cf8e0 [ 1369.585000][ T3493] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1369.605205][ T3493] FSBase=00007f101dc46700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1369.629309][ T3493] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1369.649267][ T3493] CR0=0000000080050033 CR3=0000000091874000 CR4=00000000001426e0 [ 1369.669282][ T3493] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1369.689266][ T3493] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1369.696166][ T3493] *** Control State *** [ 1369.715946][ T3493] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1369.735052][ T3493] EntryControls=0000d1ff ExitControls=002fefff [ 1369.755187][ T3493] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1369.783520][ T3493] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1369.815213][ T3493] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1369.829311][ T3493] reason=80000021 qualification=0000000000000000 [ 1369.836379][ T3493] IDTVectoring: info=00000000 errcode=00000000 [ 1369.869222][ T3493] TSC Offset = 0xfffffd203851141e [ 1369.874301][ T3493] TPR Threshold = 0x00 [ 1369.878389][ T3493] EPT pointer = 0x0000000098baa01e 01:57:02 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x0, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:02 executing program 0: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:02 executing program 2: r0 = epoll_create(0x7) prctl$PR_GET_FPEMU(0x9, &(0x7f00000001c0)) ioctl$FITRIM(r0, 0xc0185879, &(0x7f0000000180)={0x8, 0x5, 0x7}) r1 = socket$inet_udp(0x2, 0x2, 0x0) accept(r1, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @initdev}}}, &(0x7f00000000c0)=0x80) getsockopt$inet6_mtu(r2, 0x29, 0x17, &(0x7f0000000100), &(0x7f0000000140)=0x4) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) r3 = dup3(r0, r1, 0x0) ioctl$KVM_SMI(r3, 0xaeb7) 01:57:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x1800000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x5000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1370.006312][ T3513] binder_transaction: 35 callbacks suppressed [ 1370.006328][ T3513] binder: 3509:3513 transaction failed 29201/-22, size 64-16 line 3389 [ 1370.022012][ T3517] binder: BINDER_SET_CONTEXT_MGR already set [ 1370.028156][ T3517] binder: 3511:3517 ioctl 40046207 0 returned -16 [ 1370.036266][ T3515] binder: 3510:3515 got transaction to invalid handle 01:57:02 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r2 = accept$inet(r1, &(0x7f0000000000)={0x2, 0x0, @empty}, &(0x7f0000000040)=0x10) getsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r2, 0x84, 0xc, &(0x7f00000000c0), &(0x7f0000000100)=0x4) r3 = openat$full(0xffffffffffffff9c, &(0x7f0000000140)='/dev/full\x00', 0x101000, 0x0) execveat(r3, &(0x7f0000000180)='./file0\x00', &(0x7f00000002c0)=[&(0x7f00000001c0)='veth0_to_bridge\x00', &(0x7f0000000200)='veth0_to_bridge\x00', &(0x7f0000000240)='veth0_to_bridge\x00', &(0x7f0000000280)='veth0_to_bridge\x00'], &(0x7f0000000480)=[&(0x7f0000000300)='/]wlan0lo\x00', &(0x7f0000000340)='veth0_to_bridge\x00', &(0x7f0000000380)='veth0_to_bridge\x00', &(0x7f00000003c0)='*/)(\x00', &(0x7f0000000400)=']-\x00', &(0x7f0000000440)='wlan0systemem1\x00'], 0x100) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:02 executing program 0: r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x101000, 0x0) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000140)=@mangle={'mangle\x00', 0x1f, 0x6, 0x718, 0x500, 0x138, 0x3e8, 0x0, 0x500, 0x648, 0x648, 0x648, 0x648, 0x648, 0x6, &(0x7f00000000c0), {[{{@ipv6={@dev={0xfe, 0x80, [], 0x1a}, @initdev={0xfe, 0x88, [], 0x1, 0x0}, [0xff, 0xffffffff, 0xffffff00, 0xff000000], [0xffffffff, 0xff000000, 0xffffffff, 0xffffffff], 'eql\x00', 'bond0\x00', {0xff}, {}, 0xff, 0x8, 0x2, 0x48}, 0x0, 0xf0, 0x138, 0x0, {}, [@inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x2}}]}, @DNPT={0x48, 'DNPT\x00', 0x0, {@ipv6=@remote, @ipv4=@rand_addr=0x3, 0x33, 0x8, 0x8}}}, {{@ipv6={@empty, @rand_addr="758ccedd554e90514e49bdc2ac7e8196", [0xff000000, 0xffffffff, 0x0, 0xff], [0xffffffff, 0x0, 0xffffff00], 'bond_slave_0\x00', 'sit0\x00', {0xff}, {0xff}, 0x67, 0x1, 0x4, 0x40}, 0x0, 0xf0, 0x138, 0x0, {}, [@inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x9}}]}, @SNPT={0x48, 'SNPT\x00', 0x0, {@ipv6=@dev={0xfe, 0x80, [], 0x21}, @ipv4=@loopback, 0x4, 0x32, 0x8}}}, {{@uncond, 0x0, 0x138, 0x178, 0x0, {}, [@common=@dst={0x48, 'dst\x00', 0x0, {0xfffffffffffffffc, 0x4, 0x1, [0x20, 0x5, 0x5, 0x4ee0000000000, 0x1, 0x3, 0x40, 0x39, 0xfffffffffffffff8, 0x4, 0x8, 0x7fff, 0x2, 0x1, 0x8001, 0x4b59], 0x1}}, @inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x2}}]}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0xff, 0x9, @ipv4=@remote, 0x4e22}}}, {{@uncond, 0x0, 0xf0, 0x118, 0x0, {}, [@inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x2}}]}, @HL={0x28, 'HL\x00', 0x0, {0x0, 0x2}}}, {{@uncond, 0x0, 0x120, 0x148, 0x0, {}, [@common=@ah={0x30, 'ah\x00', 0x0, {0x4d5, 0x4d2, 0xf3, 0x6, 0x2}}, @inet=@rpfilter={0x28, 'rpfilter\x00', 0x0, {0x4de5dc685e9a2b9b}}]}, @inet=@TOS={0x28, 'TOS\x00', 0x0, {0x5, 0x3ff}}}], {{[], 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x778) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1370.051901][T19558] binder_release_work: 34 callbacks suppressed [ 1370.051908][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.061838][ T3513] binder: BINDER_SET_CONTEXT_MGR already set [ 1370.073354][ T3520] binder: 3511:3520 transaction failed 29189/-22, size 24-16 line 2995 [ 1370.082280][ T3519] binder: 3509:3519 transaction failed 29189/-22, size 64-16 line 2995 [ 1370.092435][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1370.100272][ T3515] binder: 3510:3515 transaction failed 29201/-22, size 24-0 line 2995 [ 1370.115190][ T3517] binder: 3511:3517 transaction failed 29201/-22, size 24-16 line 3242 [ 1370.124768][ T3513] binder: 3509:3513 ioctl 40046207 0 returned -16 [ 1370.133528][ T3524] binder: 3510:3524 got transaction to invalid handle [ 1370.140655][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.152531][T19558] binder: undelivered TRANSACTION_ERROR: 29189 01:57:02 executing program 2: r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x2000, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x18) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0x2, &(0x7f0000000040)=0xf, 0x4) 01:57:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1370.178943][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.179304][ T3524] binder: 3510:3524 transaction failed 29201/-22, size 24-0 line 2995 01:57:02 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x0, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2000000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1370.224259][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:57:02 executing program 0: r0 = syz_open_dev$cec(&(0x7f0000000280)='/dev/cec#\x00', 0x2, 0x2) ioctl$RTC_WKALM_SET(r0, 0x4028700f, &(0x7f00000002c0)={0x0, 0x1, {0x22, 0x16, 0xe, 0xe, 0x9, 0x80, 0x5, 0xcd, 0x1}}) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x0, 0x0) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000001c0)={0xffffffffffffff9c, 0x10, &(0x7f0000000180)={&(0x7f0000000040)=""/28, 0x1c, 0x0}}, 0x10) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000240)={r1, 0x10, &(0x7f0000000200)={&(0x7f00000000c0)=""/165, 0xa5, r2}}, 0x10) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r3, 0x84, 0x1c, 0x0, &(0x7f0000000300)) [ 1370.304417][ T3531] binder: 3529:3531 transaction failed 29201/-22, size 64-16 line 3389 01:57:02 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x3, &(0x7f0000000080)) [ 1370.362940][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.370810][ T3537] binder: BINDER_SET_CONTEXT_MGR already set [ 1370.381651][ T3540] binder: 3536:3540 got transaction to invalid handle [ 1370.409435][ T3531] binder: BINDER_SET_CONTEXT_MGR already set [ 1370.415699][ T3537] binder: 3534:3537 ioctl 40046207 0 returned -16 [ 1370.423033][ T3540] binder: 3536:3540 transaction failed 29201/-22, size 24-0 line 2995 [ 1370.437880][ T3531] binder: 3529:3531 ioctl 40046207 0 returned -16 [ 1370.438190][ T3542] binder: 3529:3542 transaction failed 29189/-22, size 64-16 line 2995 [ 1370.452670][ T3544] *** Guest State *** 01:57:03 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) ioctl$FS_IOC_FSSETXATTR(r0, 0x401c5820, &(0x7f0000000000)={0x10001, 0x5, 0x81000, 0xff, 0xffffffffffffff22}) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1370.457766][ T3537] binder: 3534:3537 transaction failed 29189/-22, size 24-16 line 2995 [ 1370.462828][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.474103][ T3544] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1370.485232][ T3547] binder: 3536:3547 got transaction to invalid handle 01:57:03 executing program 2: r0 = msgget(0x0, 0x104) msgsnd(r0, &(0x7f0000000000)={0x0, "190929144fedbaf9d52991d1cd9f74d4247f3773fed327b3de32a3a76bbdc1f4f1cab29b2f426a8178e51be720"}, 0x35, 0x800) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) [ 1370.514937][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.526125][ T3544] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1370.536286][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1370.557787][ T3544] CR3 = 0x0000000000000000 01:57:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1370.563836][ T3544] RSP = 0x0000000000000000 RIP = 0x0000000000000000 01:57:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2800000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6800000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:03 executing program 0: r0 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20ncci\x00', 0x200000, 0x0) ioctl$EVIOCGKEY(r0, 0x80404518, &(0x7f0000000400)=""/219) r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x10000) io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000000300)=""/240, 0xf0}, {&(0x7f0000000040)=""/50, 0x32}, {&(0x7f00000001c0)=""/229, 0xe5}], 0x3) r2 = socket$inet6_sctp(0xa, 0x40000000000005, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1370.585905][ T3544] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1370.612343][ T3553] binder: 3552:3553 got transaction to invalid handle [ 1370.620657][ T3544] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1370.657414][ T3559] binder: 3552:3559 got transaction to invalid handle [ 1370.659388][ T3544] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 01:57:03 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) socket$inet_tcp(0x2, 0x1, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000000)=0x0) get_robust_list(r1, &(0x7f00000001c0)=&(0x7f0000000180)={&(0x7f00000000c0)={&(0x7f0000000040)}, 0x0, &(0x7f0000000140)={&(0x7f0000000100)}}, &(0x7f0000000200)=0x18) [ 1370.701238][ T3544] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1370.723236][ T3565] binder: BINDER_SET_CONTEXT_MGR already set [ 1370.738542][ T3544] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1370.758055][ T3565] binder: 3561:3565 ioctl 40046207 0 returned -16 [ 1370.796054][ T3544] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1370.839561][ T3544] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1370.848788][ T3544] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1370.864418][ T3544] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1370.874530][ T3544] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1370.884311][ T3544] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1370.893440][ T3544] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1370.902914][ T3544] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1370.910554][ T3544] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1370.918825][ T3544] Interruptibility = 00000000 ActivityState = 00000000 [ 1370.926402][ T3544] *** Host State *** [ 1370.930825][ T3544] RIP = 0xffffffff811b4980 RSP = 0xffff88808e7cf8e0 [ 1370.937667][ T3544] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1370.946839][ T3544] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1370.955890][ T3544] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1370.962917][ T3544] CR0=0000000080050033 CR3=00000000a8268000 CR4=00000000001426f0 [ 1370.971094][ T3544] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1370.978620][ T3544] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1370.985939][ T3544] *** Control State *** [ 1370.990444][ T3544] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1370.997977][ T3544] EntryControls=0000d1ff ExitControls=002fefff [ 1371.004649][ T3544] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1371.012754][ T3544] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1371.020543][ T3544] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1371.027960][ T3544] reason=80000021 qualification=0000000000000000 01:57:03 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x0, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1371.035606][ T3544] IDTVectoring: info=00000000 errcode=00000000 [ 1371.042160][ T3544] TSC Offset = 0xfffffd1f71a3c873 [ 1371.047296][ T3544] TPR Threshold = 0x00 [ 1371.051823][ T3544] EPT pointer = 0x0000000097c5b01e 01:57:03 executing program 0: r0 = socket$inet6_sctp(0xa, 0x2, 0x84) getsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000), &(0x7f0000000040)=0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x3f00000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6c00000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:03 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x0, 0x0) [ 1371.150876][ T3575] binder_transaction: 5 callbacks suppressed [ 1371.150892][ T3575] binder: 3572:3575 got transaction with invalid offset (4539628424389459968, min 0 max 24) or object. 01:57:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1371.195605][ T3583] binder: BINDER_SET_CONTEXT_MGR already set [ 1371.216070][ T3583] binder: 3570:3583 ioctl 40046207 0 returned -16 [ 1371.235431][ T3583] binder_fixup_parent: 7 callbacks suppressed 01:57:03 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, '}eth5_to\xdfN\xd1\x10dge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1371.235440][ T3583] binder: 3570:3583 got transaction with invalid parent offset or type [ 1371.261432][ T3575] binder: BINDER_SET_CONTEXT_MGR already set [ 1371.267763][ T3575] binder: 3572:3575 ioctl 40046207 0 returned -16 [ 1371.315417][ T3583] binder: transaction release 10064 bad handle 1, ret = -22 [ 1371.334043][ T3594] *** Guest State *** [ 1371.338215][ T3594] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:57:03 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x0, 0x0) ioctl$VIDIOC_S_OUTPUT(r1, 0xc004562f, &(0x7f0000000040)=0xfffdffffffffffd1) 01:57:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4800000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1371.370697][ T3597] binder: 3570:3597 got transaction with invalid parent offset or type [ 1371.405374][ T3594] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:57:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7400000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:04 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x26c0000, &(0x7f0000000000)) [ 1371.449405][ T3594] CR3 = 0x0000000000000000 [ 1371.453873][ T3594] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1371.514335][ T3603] binder: 3601:3603 got transaction with invalid offset (5188146770730811392, min 0 max 24) or object. [ 1371.535297][ T3594] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1371.568783][ T3607] binder: 3605:3607 got transaction with invalid parent offset or type [ 1371.578150][ T3594] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1371.578983][ T3603] binder: BINDER_SET_CONTEXT_MGR already set [ 1371.613615][ T3611] binder: 3605:3611 got transaction with invalid parent offset or type [ 1371.614998][ T3594] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1371.625645][ T3608] binder: 3601:3608 got transaction with invalid offset (5188146770730811392, min 0 max 24) or object. [ 1371.683720][ T3603] binder: 3601:3603 ioctl 40046207 0 returned -16 [ 1371.688205][ T3594] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1371.703879][ T3594] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1371.727645][ T3594] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1371.754418][ T3594] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1371.773097][ T3594] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1371.793920][ T3594] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1371.805259][ T3594] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1371.818957][ T3594] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1371.834239][ T3594] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1371.843536][ T3594] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1371.856873][ T3594] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1371.865616][ T3594] Interruptibility = 00000000 ActivityState = 00000000 [ 1371.882952][ T3594] *** Host State *** [ 1371.887049][ T3594] RIP = 0xffffffff811b4980 RSP = 0xffff88809c8e78e0 [ 1371.896191][ T3594] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1371.907964][ T3594] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1371.918951][ T3594] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1371.931995][ T3594] CR0=0000000080050033 CR3=0000000097c5b000 CR4=00000000001426f0 [ 1371.943614][ T3594] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1371.954763][ T3594] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1371.965332][ T3594] *** Control State *** [ 1371.972964][ T3594] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1371.994587][ T3594] EntryControls=0000d1ff ExitControls=002fefff [ 1372.009359][ T3594] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1372.017191][ T3594] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1372.042287][ T3594] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1372.062125][ T3594] reason=80000021 qualification=0000000000000000 [ 1372.079329][ T3594] IDTVectoring: info=00000000 errcode=00000000 [ 1372.085805][ T3594] TSC Offset = 0xfffffd1ef807c0c9 01:57:04 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:04 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0xfffffffffffffffd, 0x0) ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffff9c, 0xc0086420, &(0x7f0000000040)={0x0}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f00000000c0)={r2, 0x2}) 01:57:04 executing program 0: r0 = socket$key(0xf, 0x3, 0x2) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER(r1, 0xc0605345, &(0x7f00000001c0)={0x0, 0x0, {0x0, 0x3, 0x3, 0x3, 0x80000000}}) getsockname(0xffffffffffffff9c, &(0x7f0000000440)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000004c0)=0x80) recvfrom(r0, &(0x7f0000000040)=""/16, 0x10, 0x0, &(0x7f0000000500)=@ll={0x11, 0x1, r2, 0x1, 0x7fff, 0x6, @random="899966d5754d"}, 0x80) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r3, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r4 = getuid() syz_mount_image$msdos(&(0x7f0000000240)='msdos\x00', &(0x7f0000000280)='./file0\x00', 0x3, 0x5, &(0x7f0000000640)=[{&(0x7f00000002c0)="9bcf4f4086194f244efec746946584dd74543a01ad5fed154892650566ada18271337bc9a79463a5af730d", 0x2b, 0xa86d}, {&(0x7f0000000300)="67e35deec7d86cd472fbebbbc43b94ad967027415181696cf0df37e987e0d18ef3d33dadb44ea96e80a5075192ee8ada53587eb8ed4f2a5a2989bc8f83c25c045ac5ac4d7e9c9664fcc3fb90381a91b3e69ec62a83e57a335f9018b74062151ade5f4d65eb3daeb47fa40156668ce8e9cc565beffbd7b7141b5bf644dde301aadd786a0f5651b64c2afa5fe9a4d4e3ed354fadab546e45f710edcb19e3061ea496a05ef14679ac4a6e79963a54ad1a355bfce95bd7bdfbf1ed859d901d43c48d1d1c91", 0xc3, 0x78b39531}, {&(0x7f0000000400), 0x0, 0x1}, {&(0x7f0000000580)="fea1a5f5834a2d030b316b4181b023e4dd0a5491ca0631ac9526afdadba42abd5b83c2b0c8ee6c4a553ea0a04eb46d2572b976c1679302b363a109ef419de3f398127e6c22dbfd", 0x47, 0x8afe}, {&(0x7f0000000600)='[{V\v', 0x4, 0x9}], 0x8000, &(0x7f00000006c0)={[{@nodots='nodots'}, {@nodots='nodots'}, {@fat=@codepage={'codepage', 0x3d, '865'}}, {@fat=@flush='flush'}, {@nodots='nodots'}, {@fat=@tz_utc='tz=UTC'}, {@nodots='nodots'}, {@dots='dots'}], [{@euid_gt={'euid>', r4}}]}) r5 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x3569, 0x5868afc7bb3089ff) getdents(r5, &(0x7f00000000c0)=""/162, 0xa2) 01:57:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x7a00000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x4c00000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1372.109214][ T3594] TPR Threshold = 0x00 [ 1372.113364][ T3594] EPT pointer = 0x0000000094f6201e [ 1372.215984][ T3621] binder: BINDER_SET_CONTEXT_MGR already set [ 1372.215992][ T3617] binder: 3616:3617 got transaction with invalid parent offset or type 01:57:04 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x14, 0x80000) stat(&(0x7f0000000040)='./file0\x00', &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getresgid(&(0x7f0000000140), &(0x7f0000000180), &(0x7f00000001c0)=0x0) write$FUSE_ATTR(r1, &(0x7f0000000200)={0x78, 0xfffffffffffffff5, 0x1, {0x3, 0x8, 0x0, {0x0, 0x4, 0x0, 0x2, 0xa674, 0x4, 0x100, 0x100, 0x0, 0x13ac6011, 0x1db, r2, r3, 0x5, 0xffffffff}}}, 0x78) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:04 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000000)=0xdf26, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1372.308225][ T3621] binder: 3613:3621 ioctl 40046207 0 returned -16 [ 1372.308859][ T3623] binder: 3616:3623 got transaction with invalid parent offset or type [ 1372.329696][ T3625] binder: 3613:3625 got transaction with invalid offset (5476377146882523136, min 0 max 24) or object. 01:57:04 executing program 2: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x8040, 0x0) ioctl$IMGETDEVINFO(r0, 0x80044944, &(0x7f00000000c0)={0x1ff}) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) fsetxattr$security_smack_entry(r0, &(0x7f0000000040)='security.SMACK64MMAP\x00', &(0x7f0000000140)='/dev/sequencer2\x00', 0x10, 0x3) [ 1372.384687][ T3632] binder: 3613:3632 got transaction with invalid offset (5476377146882523136, min 0 max 24) or object. 01:57:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x8000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:05 executing program 0: syz_open_dev$sndpcmp(&(0x7f0000000400)='/dev/snd/pcmC#D#p\x00', 0x82c7, 0x400) r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/dlm-monitor\x00', 0x12800, 0x0) getsockopt$bt_sco_SCO_CONNINFO(r0, 0x11, 0x2, &(0x7f0000000300)=""/185, &(0x7f00000003c0)=0xb9) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(0xffffffffffffffff, 0x84, 0x6c, &(0x7f0000000100)=ANY=[@ANYRES32=0x0, @ANYBLOB="2a000000a17c60184afc0e8683c48f3fd6b0aa8761863aa7713017aaaff8eeefb30c82b1eb263582ec02f4bd58d3fe3dfd4c81edad6a96eb0eb81968e5aca1acb070c3df9f7aaacd19b2a07bbac4480a3a10702af208aff9a63d9260ec341bcf1a64002a21b742a472203d0e90c2714f188d785674fbc3f4"], &(0x7f0000000040)=0x32) r3 = socket$inet_sctp(0x2, 0x5, 0x84) getsockname$inet(r3, &(0x7f00000001c0)={0x2, 0x0, @loopback}, &(0x7f0000000200)=0x10) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r1, 0x29, 0xd2, &(0x7f0000000240)={{0xa, 0x4e22, 0x8, @ipv4={[], [], @remote}, 0xf3}, {0xa, 0x4e23, 0x4, @mcast1, 0x10001}, 0x5668796c, [0xffffffffffff8828, 0xd1, 0x2, 0x400, 0x7, 0x1000000000, 0x8, 0x4000]}, 0x5c) setsockopt$inet_sctp6_SCTP_RESET_ASSOC(r1, 0x84, 0x78, &(0x7f00000000c0)=r2, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet_sctp6_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000000), &(0x7f0000000180)=0x4) [ 1372.448267][ T3626] *** Guest State *** [ 1372.470802][ T3626] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1372.515532][ T3626] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1372.528091][ T3626] CR3 = 0x0000000000000000 [ 1372.538581][ T3626] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1372.547726][ T3626] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1372.563529][ T3626] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1372.574233][ T3642] binder: 3639:3642 got transaction with invalid parent offset or type [ 1372.594064][ T3626] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1372.604192][ T3626] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1372.618890][ T3626] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1372.629347][ T3642] binder: BINDER_SET_CONTEXT_MGR already set [ 1372.635466][ T3642] binder: 3639:3642 ioctl 40046207 0 returned -16 [ 1372.636419][ T3626] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1372.657616][ T3626] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1372.666839][ T3626] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1372.683023][ T3626] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1372.695274][ T3626] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1372.715166][ T3626] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1372.727264][ T3626] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1372.742631][ T3626] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1372.753137][ T3626] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1372.765241][ T3626] Interruptibility = 00000000 ActivityState = 00000000 [ 1372.775691][ T3626] *** Host State *** [ 1372.782926][ T3626] RIP = 0xffffffff811b4980 RSP = 0xffff8880565bf8e0 [ 1372.792973][ T3626] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1372.803372][ T3626] FSBase=00007f101dc68700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1372.816072][ T3626] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1372.825966][ T3626] CR0=0000000080050033 CR3=00000000a7b0a000 CR4=00000000001426e0 [ 1372.836941][ T3626] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1372.847606][ T3626] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1372.857629][ T3626] *** Control State *** [ 1372.865268][ T3626] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1372.875835][ T3626] EntryControls=0000d1ff ExitControls=002fefff [ 1372.885353][ T3626] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1372.896382][ T3626] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1372.914611][ T3626] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1372.922380][ T3626] reason=80000021 qualification=0000000000000000 [ 1372.935840][ T3626] IDTVectoring: info=00000000 errcode=00000000 [ 1372.943151][ T3626] TSC Offset = 0xfffffd1e61b69d83 [ 1372.948362][ T3626] TPR Threshold = 0x00 [ 1372.958791][ T3626] EPT pointer = 0x0000000097fa201e 01:57:05 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:05 executing program 0: r0 = syz_open_dev$cec(&(0x7f0000000000)='/dev/cec#\x00', 0x2, 0x2) ioctl$TIOCSERGETLSR(r0, 0x5459, &(0x7f0000000040)) setsockopt$CAIFSO_LINK_SELECT(r0, 0x116, 0x7f, &(0x7f00000000c0)=0xa216, 0x4) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r1, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6000000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:05 executing program 2: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x7, 0x82000) fdatasync(r0) ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000140)) ioctl$UI_SET_PHYS(r0, 0x4008556c, &(0x7f0000000040)='syz0\x00') socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = open(&(0x7f00000000c0)='./file0\x00', 0x440000, 0x200000014) ioctl$SIOCGIFMTU(r1, 0x8921, &(0x7f0000000100)) 01:57:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xfdfdffff00000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1373.082615][ T3649] binder: 3646:3649 got transaction with invalid offset (6917529027641081856, min 0 max 24) or object. [ 1373.104780][ T3652] binder: BINDER_SET_CONTEXT_MGR already set 01:57:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:05 executing program 0: getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(0xffffffffffffffff, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1373.134932][ T3652] binder: 3648:3652 ioctl 40046207 0 returned -16 [ 1373.162083][ T3659] binder: 3646:3659 got transaction with invalid offset (6917529027641081856, min 0 max 24) or object. [ 1373.177017][ T3652] binder: 3648:3652 got transaction with invalid parent offset or type 01:57:05 executing program 2: arch_prctl$ARCH_MAP_VDSO_X32(0x2001, 0x4) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) getpeername(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @multicast1}}}, &(0x7f00000000c0)=0x80) setsockopt$llc_int(r1, 0x10c, 0xf, &(0x7f0000000100), 0x4) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6800000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1373.232278][ T3652] binder: BINDER_SET_CONTEXT_MGR already set [ 1373.244081][ T3663] *** Guest State *** [ 1373.248119][ T3663] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1373.281690][ T3652] binder: 3648:3652 ioctl 40046207 0 returned -16 [ 1373.309681][ T3661] binder_alloc: 3646: binder_alloc_buf, no vma [ 1373.318367][ T3663] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:57:05 executing program 0: r0 = socket$inet6_sctp(0xa, 0x9, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0xfc) 01:57:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1373.331205][ T3669] binder: 3665:3669 got transaction with invalid offset (7493989779944505344, min 0 max 24) or object. [ 1373.389622][ T3663] CR3 = 0x0000000000000000 [ 1373.394355][ T3663] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1373.404002][ T3672] binder: 3665:3672 got transaction with invalid offset (7493989779944505344, min 0 max 24) or object. [ 1373.425217][ T3663] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1373.453360][ T3663] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1373.498879][ T3663] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1373.528428][ T3663] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1373.557138][ T3663] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1373.582986][ T3663] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1373.609270][ T3663] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1373.623191][ T3663] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1373.652296][ T3663] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1373.682148][ T3663] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1373.712130][ T3663] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1373.742125][ T3663] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1373.759318][ T3663] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1373.779283][ T3663] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1373.799280][ T3663] Interruptibility = 00000000 ActivityState = 00000000 [ 1373.819256][ T3663] *** Host State *** [ 1373.823376][ T3663] RIP = 0xffffffff811b4980 RSP = 0xffff888063ec78e0 [ 1373.839276][ T3663] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1373.859263][ T3663] FSBase=00007f101dc46700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1373.879290][ T3663] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1373.886078][ T3663] CR0=0000000080050033 CR3=000000009f4ed000 CR4=00000000001426f0 [ 1373.909281][ T3663] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1373.929277][ T3663] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1373.936190][ T3663] *** Control State *** [ 1373.949275][ T3663] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1373.959480][ T3663] EntryControls=0000d1ff ExitControls=002fefff [ 1373.965710][ T3663] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1374.015060][ T3663] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1374.034914][ T3663] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1374.054913][ T3663] reason=80000021 qualification=0000000000000000 01:57:06 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xffffffff00000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:06 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x7, &(0x7f0000000080)) 01:57:06 executing program 0: r0 = socket$inet6_sctp(0xa, 0x9, 0x84) bpf$OBJ_GET_PROG(0x7, &(0x7f0000000040)={&(0x7f0000000000)='./file0\x00', 0x0, 0x10}, 0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = syz_open_procfs(0x0, &(0x7f00000001c0)='attr\x00') getsockopt$inet6_dccp_int(r1, 0x21, 0x11, &(0x7f0000000200), &(0x7f0000000240)=0x4) r2 = syz_open_dev$vcsn(&(0x7f0000000140)='/dev/vcs#\x00', 0x8, 0x1) ioctl$ASHMEM_SET_NAME(r2, 0x41007701, &(0x7f0000000180)='+eth0wlan0keyring{selinuxselinuxeth1lo\x00') setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f00000000c0)=[@in={0x2, 0x4e21, @multicast2}, @in6={0xa, 0x4e22, 0x401, @mcast1, 0xb0a7}, @in={0x2, 0x4e20, @loopback}, @in6={0xa, 0x4e24, 0x80000000, @empty, 0x1}, @in6={0xa, 0x4e22, 0x5, @ipv4={[], [], @multicast1}, 0x9}], 0x74) 01:57:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x6c00000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1374.089404][ T3663] IDTVectoring: info=00000000 errcode=00000000 [ 1374.095928][ T3663] TSC Offset = 0xfffffd1df23035ec [ 1374.109275][ T3663] TPR Threshold = 0x00 [ 1374.113484][ T3663] EPT pointer = 0x00000000a026f01e [ 1374.205851][ T3688] binder: 3687:3688 got transaction with invalid parent offset or type [ 1374.209677][ T3693] binder_transaction: 14 callbacks suppressed [ 1374.209686][ T3693] binder: 3690:3693 got transaction to invalid handle [ 1374.234721][ T3702] binder: 3687:3702 got transaction with invalid parent offset or type [ 1374.249416][ T3697] binder: BINDER_SET_CONTEXT_MGR already set 01:57:06 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/dev_snmp6\x00') ioctl$TIOCMBIC(r1, 0x5417, &(0x7f0000000100)=0x4) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x200, 0x0) ioctl$SIOCRSGCAUSE(r2, 0x89e0, &(0x7f0000000040)) [ 1374.272009][ T3697] binder: 3689:3697 ioctl 40046207 0 returned -16 [ 1374.290257][ T3705] binder: 3690:3705 got transaction to invalid handle 01:57:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x66642a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1374.331317][ T3708] binder: 3689:3708 got transaction with invalid offset (7782220156096217088, min 0 max 24) or object. [ 1374.344036][ T3709] *** Guest State *** [ 1374.348054][ T3709] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:57:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:07 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000)='/dev/uinput\x00', 0x10000000000, 0x0) ioctl$UI_SET_SNDBIT(r1, 0x4004556a, 0x5) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7400000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1374.431366][ T3709] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1374.462313][ T3716] binder: 3715:3716 got transaction with fd, 0, but target does not allow fds 01:57:07 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00', 0x1}, 0xe) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1374.489331][ T3709] CR3 = 0x0000000000000000 [ 1374.493880][ T3709] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1374.531838][ T3721] binder: 3715:3721 got transaction with fd, 0, but target does not allow fds [ 1374.543102][ T3720] binder: BINDER_SET_CONTEXT_MGR already set [ 1374.549115][ T3720] binder: 3717:3720 ioctl 40046207 0 returned -16 [ 1374.567374][ T3709] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1374.583312][ T3724] binder: 3718:3724 got transaction to invalid handle [ 1374.604507][ T3709] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1374.616691][ T3727] binder: 3718:3727 got transaction to invalid handle [ 1374.629785][ T3709] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1374.659634][ T3709] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1374.689267][ T3709] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1374.709321][ T3709] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1374.729716][ T3709] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1374.749652][ T3709] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1374.759474][ T3709] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1374.794896][ T3709] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1374.814942][ T3709] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1374.829344][ T3709] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1374.849285][ T3709] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1374.869267][ T3709] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1374.889267][ T3709] Interruptibility = 00000000 ActivityState = 00000000 [ 1374.896322][ T3709] *** Host State *** [ 1374.909280][ T3709] RIP = 0xffffffff811b4980 RSP = 0xffff88805c4cf8e0 [ 1374.929287][ T3709] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1374.949277][ T3709] FSBase=00007f101dc46700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1374.957907][ T3709] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1374.969380][ T3709] CR0=0000000080050033 CR3=0000000057d90000 CR4=00000000001426e0 [ 1375.004809][ T3709] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1375.024949][ T3709] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1375.044870][ T3709] *** Control State *** [ 1375.049217][ T3709] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1375.088130][ T3709] EntryControls=0000d1ff ExitControls=002fefff [ 1375.099302][ T3709] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1375.107066][ T3709] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1375.129317][ T3709] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1375.139592][ T3709] reason=80000021 qualification=0000000000000000 [ 1375.159270][ T3709] IDTVectoring: info=00000000 errcode=00000000 [ 1375.165566][ T3709] TSC Offset = 0xfffffd1d5cb25801 [ 1375.179266][ T3709] TPR Threshold = 0x00 [ 1375.189589][ T3709] EPT pointer = 0x000000008a37c01e 01:57:07 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x0, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:07 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x66646185, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:07 executing program 0: modify_ldt$write2(0x11, &(0x7f0000000040)={0x5, 0x20100000, 0xffffffffffffffff, 0xed, 0x401, 0x4, 0x1, 0x0, 0x5, 0x47}, 0x10) r0 = socket$inet6_sctp(0xa, 0x7703cf9d248e2df, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) syz_genetlink_get_family_id$team(&(0x7f0000000000)='team\x00') 01:57:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:07 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x2800, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f00000000c0)={{{@in, @in6=@initdev}}, {{@in6=@ipv4={[], [], @empty}}, 0x0, @in6=@ipv4={[], [], @local}}}, &(0x7f00000001c0)=0xe8) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000002440)={0x0, @multicast1}, &(0x7f0000002480)=0xc) sendmsg$nl_route(r1, &(0x7f0000002580)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x424003fd}, 0xc, &(0x7f0000001240)={&(0x7f0000000200)=@ipmr_delroute={0x1040, 0x19, 0x0, 0x70bd27, 0x25dfdbfd, {0x80, 0x0, 0x0, 0x3, 0xfd, 0x2, 0xff, 0x1, 0xe00}, [@RTA_ENCAP_TYPE={0x8, 0x15, 0x3}, @RTA_METRICS={0x1004, 0x8, "565ff1fed3395746a2e6ad9935fffad2a82034e65b9af533412d225f22e4bbebdbc33793e6098bca786d8e49362c506ce1086a15f7b73e171fedcb8b4357cff3860111f5ce12a95bdeafcc8cfd2cd06dbaeb2a2c47c18761233199a7b8f4faf4929ae8f3ee64b3a36f9ae7e7f00bf3823949d7704ed8be6c9833fd9d4f038338176ac76d5e017541118455ec98908f7898bd9efdbc96f8518c9f547ece7e4be7f9dcbaab9ce78c1f3d6c4ff5c35c69978fe1bfd5b49d47469fdeef4662001fd87e476a48de8782406b3d791225f7a051dc5d73d038827efa1b31e0bca53e43a35d0db9ff049359ad0acef3b351b7d2f30d78182c224c0e29e5b8abc0a540bbd9a71fe2a68e2c562adb8870c4173581dc891def2fc1ef8395eaad11160e0123c3c8bd13e009e4dc34e348d8e92e16ca6efa7b94e29695d15e6f35b7ad8c5179599d862f8933d03aed2bf5d40d1d0ca928d4dbc22a24c0972099d942398ea76072caa23cbb56c8d0327093913a5800edae75139dde4642624095ef9be3164b236b553f9f613181674072f2faa69b3b69907014f545ce1c106b4d801d0598d9efa8597c3c9981f9b74b3157c6f6322903d6a698b8553851efa6caf7bc978faa90243c5a1209304878fa963fe630ddee89ad37c8a544dd4de37f48d9d368f6921a464467ecaef784da21f71fb1caaeb391984f04252a37048b994cb011b12f6a71f27c3cae02f283cb54c6219188855151e7275d09386c83c3fff9acac18f45d45c78dc50e7f4fc1ed564f8d0a457e39177f0a9c3042f815573f8d99270747acde98b6a142a18d0b50d4323aaedf2a30f6be73e92f5f269bfbf7c203b8e7aecbeb0088c5d996637b063a0746727739897a0892fe8997564bfb116092f3b31f14ecc971ada784e7d10ddbae2338d11066b70574c05597196f99862e3e7d3dfd6a2ef091820ac3577878ee1b1a0c1b316946a99383a8845a085bdb7ccbfe7fea2d1d96708f8ca6baebf55e41b2deaca3822cc96e14ca60e1eeb5112e94dc35346126a018ff350346538ff5039ec56cf9860ab304e364a844efd666c04c9d7f48fa9a8a7409afc112c323c9069ca5d50e990101d43b12639f3aca6a33b567f388a52ad02f91a6e8c0efc32e3c72bed10f95ae212401954601cebb08872f49b083c2dc748cc39c34d652c3620e804c79bf1a9fec11cece65ee9c35358dddfa541fe6099edd5690be8c7dc5d67f32c8d01c2fa7741e77f49b85e711f1e8185d81785c4c42c5a6df927c327fdf5a387c21cae983e744058f3d19b9307d1165d1c52389bf558ba3498968545dc57c034c9a4aa79203cc54ac2f84ef9911c75d549bc291db114ccf3ffe4c2a3bcc6e0d06567fd8db93a90e6dd3e81d2b8a4ddc96f5f7c6ed81090d76fbe2492f2803283b77709df197b50d44042056bedc7521a35e45e82e632f407ce5a2fb3a08bd8642d0a94cd141232d5ee713016aeec1c234347f9ebd3e5be64542ab183461aa19e644e111536298d4d68335a36e0c0710dbb4632adbf38911af8ccadbf0b32839f9f863155a2b78b2eed33862ec101320327ce4300d1c28c0d1c1e8b9f1fb561e6680a670cd31fce78ffd41507cbf822b4abc2e61f735392cf7445c733d617ef25ddbba8fdb57dff5e9d8a8d4720c788140c3cea882398887a71d49698d62b7c044fbf51948333ebb037025634b1fc835eafa6635a81ac8a6ea10aa8b29a0583ad58d243d9a6e0fd567954a483c9b5e62c1256b6ba24d41519355a5f6f8d9ae86ada65bafcb61425fa48f6a7cd05d66816539e19f8d8319c0d09c7d9845daf7823cd5c78c91c1e7d8c4d6eefdd6b6d3bb052dfdc6e241d0afd319d20860aba09f6fd7b7ac682b5225472631602a62f5864e1aa508b26b62ced81cd7c49972aacd7cd43a6edde0d6edb9f37ca141b0ffc6b941f3fea0cf34287401965c2bf3acb9f54016e632e1583a2370fbb32424b1bd11ee25d140fdc3a2cf4fec057fb93141fc5a51dd831c36cf72f813187bc590c7a3e19d9604681b7b2ac02a6b36818cc5fbffdd6d94940856ec95b97f9f1a40b21463e1ffb72589ce7a90edeb39ca519006072a0ea9c692bd416ff8bc7c12b8b5bb4ee9717f6014ee68e3c7c92796d3da848b0eee53e753d08fad0ed5730a3e7f4cd0301b0457058be90ce3c7414c60b21cb0e073a25ad7c6ef558b16a90d374b1eff66a29ddd9126d711012aca45c4d9128506d85a8c503e82bc36fe93ae873695679ea42e7239c8202a7061882e8a31febfb7979f6778a6d3f87395a10e934d2bc2bc68d10c2052d35befb6a9ff374296628dc43fc3fc930f8703014aecb6e1ed75ded3248dc89d7dce892f14ce3d9702f3007933d9d1992504f35a1287ca0cf660842dd00c2de65c3dd403cba4fe8ac007f6f8c27c1a0a4e6322167c49a1bf42e030eb8abd54d917d54eaa7bf538a633bbd4af30b30c18cbbce06aaabcf59c4d34692243e3f389019de3361dfa04169176dec5c85f56fec611b83ad5a018139e52349128db6efaeed8179b382aca837a41ea784e431208fb0e6f2ee70a824bad82e5898d6b00c1d79ae0b5b602470dd9423d0110adb3f8bb21593ec528a886fe7df1a8269bdde39328b22fd8413435ddf0166a0670d1dd578ba640beefaff06adf5f451ab92749435090b96f9891d022f34e4d2ab9e5e529c259c56d7dba3d6f942970061073cface29063aceb8c25b9a52247ff77b210c3af2fb3920a558cb1a8fbb2e495a7aab6fdc98cccbc5447e130ce610da7fae7d9d8de16b4cb6bb7ccb30597c7f7a48e0be5bf4d0a280297ff58c662cce2f8774a138872cf2cb34a95598c14acf455dc68b7c15f23dcfef2f69f11ec3e7ab3658114b55ffbaec2a8f72f0ce22de3da80bef17deebb626514137cc0c92531325a8fa858b6b679dddfe65c41a29ed7118c99e9f9a9f8389b8853d7908f501f284131cf565cc76fb8035bc3b4bc62259b1cdc83ea81d599032c110d6c448f796c6c91a2fd253917c181060e0c1bc10bfcbbea3b52e88d1fa2cba04b53029ff180169ecf673ac6a7e4afd08995ec2bbce0bcf72bec230b3257cdc2756d83fc564ef68be3e023123422228c574a50b9393fd23a3410b8e11d3b534b693f9a195d3c7ba22a926b9b600a80099d99a06e2eface42c88f8815eb0d011a5a78445ac38ab4160ee60a3ac00af00dde2ceaef947f7646d3439d410cc3b63d96d2bfee7d8d7be15b12d3e7ede9f4537bcde2f86c6010a256188103fa3883afee27cf5f47ed29e4e008f9385d21a7f444674a86790b4a30de53d3acee20109aba0b7256abf0dd487953a466eed5e9bdbcfad47343a82ade14057457cc8549793a887c1cb824622d94bec021eeada17e469e9420fd735a45a83e3650049a3cc2f1875a5ed314f8c95a6939f30f6b4f4e86d4e16d9fb257b07f841d3c0eb5bdf20d8ba699deb49cdd516ab24cb3b8564bb41e931fda3ae11e3d12b965476a0013a3c250c08b17975de174cfa8910da632abaf5a5441a77fcb32e302042d312d7358ebc45a531424909b8efc06d0287d9643ca7e54cd933796a67293f6c7e5c3962f252b62a2a543257687d5a89698755e3849b75595274479aae8df903b35ca2422dcdb8af2533ae8816ccc4c6eb20536b585eec604d6f90fa32e12223bf52000baa7332c7ff1555eb85122006038b56926cfb766ac8758950ad9778064e1cc89cea8384f27a82a3e947301221a757d78861cb560f639e354aa837a228602c11e3e0fc4c6525803029e5ff4af2de3819804932532705fade1c30462728f98be27df16240196e1e32607db4c8df4111080a6caedcc35fa911fc8d23f4c4fe0ca63b7f8ad0c8b46cb841c634cd026c8700e1fbf835cbd4601d3b0ca01ef4a5caef186ad4e4bd457454e326da9a9e8dc01b6094516803a100c507dbf9a2e5d9debf303c6c7d5a3c41f1b77ca85c718e9721be07fde64a275df77362f68f3e3e9e4de9ed362149211ca6e0b15833f9abc3f68bec24b0a84c09503770a82b85a70cc5faefae0b251b9ed07f6ae69d22c2c02ff2ca597c8abf53729a156922ec416764c3be6bd35f32868b4a7ddc0646a59344756b1a1a5b0374b81571576fc5b9d246c9f557cfd4d1f1dc45ca3bcd7432ef7058589963dd19d88e255710be3d03d7e3ba476e9d0224ea72734686a514879557b21b38a68a9c0bff72c7b3319133e8b4b0923e6a5f1972726de88f42ef9f15e10024c18ab7fe58c74c252b3506a638b6195791e5671b5105c3deabe115b9aab35c6671beefe2b08c5d350aab85fa6cf0f42b0def535d6ed5dba300b4de7b3e89f1196e6a10f84e25c2e302fcc3119fd16dd3140697c39d3c1eb05d7f9008a1c8f8ef827a3bb12dcfd510e1ab071c7309753821d9e1fa9513191741052e0d8060f292d4eae458950937a89a431b8f0c331245808396def1badb077fe28c63975ae95f33c535d38a1129c876efc9a347d5624323b93f8eb20cded2462e5ae60d3d9f18e1b80d4472ec1f36ec5f8cc642eb2acb9b5152e27fb413377716c1c85a7a50b5bdc95577be3b101abe9cf32140224235a03b111d4ff546a2d9e4d8e91b61167be83dddfd4ebd2aa58aa7b30ba0f9d1fc6126b0483e82ad3b602e034ebfb8ff5bbac8fb61e96d4609f5d4da91ac28a4beb68b1cfe1520fa120de9eca702675d92f7c13efc6f6b630fa7c5b2eb117a097bfa271e8db09ffc07a015694a2271cd6608dfdaf7d0d848cedf52256af7ba23cdc44fbfb01610f6afbb8028d727e39dd6a0257ae2bf9cff12ba36df0cccb0ad6f102f27264a4c75eff51bd1b2b0ba3b102bdaaae4d6651dc196ae211aa181481f707ce6427a6ac2820c709b9d99c3c196f3cbf548eee97d870dcbc567abf82d4d2406d39c14e246f5d41f225cf635b584381610b66509c97c5a5358292d1e38bc990d0bec02f8b8fc1105328665b59d5c500b4e85d555669e12afaeab2fd5667e3bcd1fcfd9948756630eea928bf9527b504e4088d653d9cde9ad31eb327a005de8bcfdd5e46cb3ccbf1a5c7fe95e43ed55312718fd97e8bd439f1dd55bb3098c0d56eab17edd53e2428754c8cc119edb06a2257744fcb5273ca6cba2004bd96f4b7ffb2c0d94a6e4afe50bc02e4410957cb422703c6346014b417a85c82c0e9bb5f382e9c89b4fffc798a20d96bdda0bc92127755c1d2f88ecc83d61842e9d4f16c39e4820f5257b4126b6c2d3aa60da89bc3e04124f8bb42d038d1e971f0bf360d5b68a6c07f0ce8c2bd945d8ae9b0228086f68955c9ae148efae2e80087b3607def502613011496ed6c6ff84067d6c71ced085fd3cc12febeab87a6bc7f8b1058f89f082a437accc7d85abe8cefe4836490182bbe8cb73b5ffd52d8da6c4edccb330b04ce98b50d4ab658c55833fbe174e34ac0104777259a23bac923b93e428764e770e344ac2921c783936722ef1c9db44297e9972de99f59305c2ae1e0001b6fa63f9e22825553ff58b6aff97842836e1d499439eacb98a76a7f8c302c72089b24791268543eb37e87cfd25cf066cf4fff2553b9ae7c57a73c3779039c432d7bed8054814dfae56026fd34184a62ef1cb6f1069b3f4cd6691ae7cf768351a497c542508ff373455eab4f224e5ac28ebc866275b1abb055b289606761dbb215f2ea9b51b3c8ffd1aa26ee8bb18a700a2c3db778f01a7e78ff17870cc25fdd968115ae0cfbecda07778424e3d6efc7d0ad878da002b357891d531a4060c124f09d5267502ee9f82d84ccb63433b0d03ed699"}, @RTA_SRC={0x8, 0x2, @multicast1}, @RTA_PREFSRC={0x8, 0x7, @local}, @RTA_PRIORITY={0x8, 0x6, 0x53}]}, 0x1040}, 0x1, 0x0, 0x0, 0x10}, 0x40000) 01:57:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x7a00000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1375.274867][ T3734] binder: 3732:3734 got transaction to invalid handle [ 1375.285781][ T3736] binder: 3730:3736 got transaction with invalid parent offset or type [ 1375.294729][ T3738] binder: BINDER_SET_CONTEXT_MGR already set [ 1375.311838][ T3734] binder_transaction: 53 callbacks suppressed [ 1375.311865][ T3734] binder: 3732:3734 transaction failed 29201/-22, size 24-0 line 2995 [ 1375.323551][ T3736] binder: 3730:3736 transaction failed 29201/-22, size 64-16 line 3318 [ 1375.327865][ T3738] binder: 3731:3738 ioctl 40046207 0 returned -16 01:57:07 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x9, 0x4, 0x1ff}, 0x8) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) [ 1375.370049][ T3744] binder: 3731:3744 transaction failed 29201/-22, size 24-16 line 3242 [ 1375.386545][T19558] binder_release_work: 53 callbacks suppressed [ 1375.386553][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.401040][ T3745] binder: 3732:3745 got transaction to invalid handle 01:57:08 executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) fremovexattr(r0, &(0x7f0000000000)=@known='security.apparmor\x00') setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x3c) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1375.416108][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.420257][ T3746] *** Guest State *** [ 1375.423845][ T3738] binder: BINDER_SET_CONTEXT_MGR already set [ 1375.433304][ T3746] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1375.434320][ T3745] binder: 3732:3745 transaction failed 29201/-22, size 24-0 line 2995 [ 1375.453979][ T3747] binder_alloc: 3730: binder_alloc_buf, no vma [ 1375.469625][ T3738] binder: 3731:3738 ioctl 40046207 0 returned -16 [ 1375.476242][ T3736] binder: BINDER_SET_CONTEXT_MGR already set [ 1375.501830][ T3746] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1375.504616][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.511916][ T3747] binder: 3730:3747 transaction failed 29189/-3, size 64-16 line 3148 [ 1375.517762][ T3744] binder: 3731:3744 transaction failed 29189/-22, size 24-16 line 2995 [ 1375.519521][ T3736] binder: 3730:3736 ioctl 40046207 0 returned -16 [ 1375.542076][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1375.560834][ T3746] CR3 = 0x0000000000000000 01:57:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x8000000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:08 executing program 2: r0 = syz_open_dev$evdev(&(0x7f00000000c0)='/dev/input/event#\x00', 0x0, 0x101002) write$evdev(r0, &(0x7f0000000000)=[{{0x0, 0x7530}}], 0xfe72) [ 1375.569087][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.574470][ T3746] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1375.613833][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1375.623656][ T3755] binder: 3754:3755 transaction failed 29201/-22, size 24-16 line 3242 [ 1375.635175][ T3755] binder: BINDER_SET_CONTEXT_MGR already set [ 1375.649395][ T3746] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1375.649615][ T3755] binder: 3754:3755 ioctl 40046207 0 returned -16 [ 1375.663951][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.677414][ T3746] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1375.684980][ T3756] binder: 3754:3756 transaction failed 29189/-22, size 24-16 line 2995 [ 1375.704115][ T3762] binder: 3759:3762 got transaction to invalid handle [ 1375.718974][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1375.720117][ T3746] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1375.745002][ T3762] binder: 3759:3762 transaction failed 29201/-22, size 24-0 line 2995 [ 1375.765971][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.773690][ T3764] binder: 3759:3764 got transaction to invalid handle [ 1375.775199][ T3746] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1375.796647][ T3746] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1375.806717][ T3764] binder: 3759:3764 transaction failed 29201/-22, size 24-0 line 2995 [ 1375.807371][ T3746] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1375.824833][ T3746] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1375.834382][ T3746] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1375.843588][ T3746] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1375.853280][ T3746] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1375.853570][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1375.862486][ T3746] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1375.877574][ T3746] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1375.886769][ T3746] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1375.894359][ T3746] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1375.903087][ T3746] Interruptibility = 00000000 ActivityState = 00000000 [ 1375.915565][ T3746] *** Host State *** [ 1375.919995][ T3746] RIP = 0xffffffff811b4980 RSP = 0xffff8880648df8e0 [ 1375.926807][ T3746] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1375.934479][ T3746] FSBase=00007f101dc46700 GSBase=ffff8880ae900000 TRBase=fffffe0000003000 [ 1375.952593][ T3746] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1375.967212][ T3746] CR0=0000000080050033 CR3=0000000085e6b000 CR4=00000000001426e0 [ 1375.981299][ T3746] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1375.988770][ T3746] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1375.996097][ T3746] *** Control State *** [ 1376.000679][ T3746] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1376.008222][ T3746] EntryControls=0000d1ff ExitControls=002fefff [ 1376.014827][ T3746] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1376.023123][ T3746] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1376.030907][ T3746] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1376.038286][ T3746] reason=80000021 qualification=0000000000000000 [ 1376.045782][ T3746] IDTVectoring: info=00000000 errcode=00000000 [ 1376.052347][ T3746] TSC Offset = 0xfffffd1cc912abbb [ 1376.057459][ T3746] TPR Threshold = 0x00 [ 1376.061952][ T3746] EPT pointer = 0x000000009ed9b01e 01:57:08 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x0, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:08 executing program 0: r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vga_arbiter\x00', 0x131000, 0x0) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0)='TIPCv2\x00') sendmsg$TIPC_NL_MEDIA_SET(r0, &(0x7f00000002c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000280)={&(0x7f0000000100)={0x154, r1, 0x108, 0x70bd2b, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0x84, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x1}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x5}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e22, @local}}, {0x14, 0x2, @in={0x2, 0x4e23, @local}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0x3c34}, @TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x42e}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x1000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x10000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}]}]}, @TIPC_NLA_MEDIA={0x94, 0x5, [@TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x100000000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x800}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}]}]}, @TIPC_NLA_NET={0x28, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0xfffffffffffffffd}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x9}, @TIPC_NLA_NET_ADDR={0x8}]}]}, 0x154}, 0x1, 0x0, 0x0, 0x24044810}, 0x40) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r2, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:08 executing program 2: 01:57:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x73622a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xfdfdffff00000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 2: [ 1376.186203][ T3773] binder_transaction: 4 callbacks suppressed [ 1376.186217][ T3773] binder: 3768:3773 got transaction with invalid offset (-144678142324244480, min 0 max 24) or object. [ 1376.186236][ T3772] binder: 3769:3772 got transaction to invalid handle [ 1376.209987][ T3775] binder: 3768:3775 got transaction with invalid offset (-144678142324244480, min 0 max 24) or object. 01:57:08 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) arch_prctl$ARCH_GET_CPUID(0x1011) [ 1376.240211][ T3774] binder: BINDER_SET_CONTEXT_MGR already set [ 1376.257793][ T3778] binder: 3769:3778 got transaction to invalid handle [ 1376.270461][ T3774] binder: 3770:3774 ioctl 40046207 0 returned -16 01:57:08 executing program 2: 01:57:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0xffffffff00000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1376.324997][T19060] binder: release 3770:3783 transaction 10166 out, still active [ 1376.335454][ T3774] binder: BINDER_SET_CONTEXT_MGR already set [ 1376.344136][T19060] binder: unexpected work type, 4, not freed [ 1376.358596][ T3783] binder_alloc: 3768: binder_alloc_buf, no vma [ 1376.365552][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:08 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, &(0x7f0000000000), &(0x7f0000000040)=0x4) [ 1376.389352][ T3774] binder: 3770:3774 ioctl 40046207 0 returned -16 [ 1376.391084][T19060] binder: send failed reply for transaction 10166, target dead [ 1376.445603][ T3782] *** Guest State *** [ 1376.456197][ T3788] binder: 3784:3788 got transaction with invalid offset (-4294967296, min 0 max 24) or object. [ 1376.463123][ T3782] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1376.518524][ T3788] binder: BINDER_SET_CONTEXT_MGR already set [ 1376.539375][ T3782] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1376.559916][ T3782] CR3 = 0x0000000000000000 [ 1376.564529][ T3782] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1376.574884][ T3788] binder: 3784:3788 ioctl 40046207 0 returned -16 [ 1376.576248][ T3782] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1376.599603][ T3782] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1376.616234][ T3782] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1376.625377][ T3782] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1376.640434][ T3782] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1376.661161][ T3782] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1376.675149][ T3782] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1376.685272][ T3782] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1376.699672][ T3782] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1376.714859][ T3782] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1376.724004][ T3782] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1376.738695][ T3782] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1376.748915][ T3782] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1376.762233][ T3782] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1376.773793][ T3782] Interruptibility = 00000000 ActivityState = 00000000 [ 1376.784101][ T3782] *** Host State *** [ 1376.788146][ T3782] RIP = 0xffffffff811b4980 RSP = 0xffff88805fd8f8e0 [ 1376.798003][ T3782] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1376.822093][ T3782] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1376.852083][ T3782] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1376.858861][ T3782] CR0=0000000080050033 CR3=0000000092b34000 CR4=00000000001426f0 [ 1376.893036][ T3782] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1376.909541][ T3782] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1376.916324][ T3782] *** Control State *** [ 1376.949224][ T3782] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1376.956632][ T3782] EntryControls=0000d1ff ExitControls=002fefff [ 1376.989230][ T3782] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1376.996905][ T3782] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1377.029224][ T3782] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1377.036543][ T3782] reason=80000021 qualification=0000000000000000 [ 1377.066686][ T3782] IDTVectoring: info=00000000 errcode=00000000 [ 1377.089224][ T3782] TSC Offset = 0xfffffd1c38675e12 [ 1377.094283][ T3782] TPR Threshold = 0x00 [ 1377.098367][ T3782] EPT pointer = 0x0000000063fed01e 01:57:09 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x0, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:09 executing program 2: 01:57:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x73682a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:09 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = syz_open_dev$mice(&(0x7f00000000c0)='/dev/input/mice\x00', 0x0, 0x2) ioctl$DRM_IOCTL_AUTH_MAGIC(r1, 0x40046411, &(0x7f0000000100)=0x656) setsockopt$bt_l2cap_L2CAP_OPTIONS(r1, 0x6, 0x1, &(0x7f0000000140)={0x7f, 0xffffffff80000001, 0x7fff, 0x3ff, 0x4, 0xfa, 0x8}, 0xffffffffffffff6c) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) write$binfmt_misc(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="73797a310b5dc6e9d26fb9b7fe22f643e1b4d0cef292b2c25c8ca87a04b267fedc19438f38684c7537bafdb161f952261a856d1abeae54414c93fd45d3c17dbad3d5d4ce0f42392f1dd0d39a20f6360400dbbffbc5a43ee82be144651aa57a69"], 0x60) r2 = shmget(0x1, 0x1000, 0x54000027, &(0x7f0000fff000/0x1000)=nil) shmctl$SHM_INFO(r2, 0xe, &(0x7f0000000180)=""/22) readlink(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)=""/180, 0xb4) 01:57:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2]}}}], 0x0, 0x0, 0x0}) 01:57:09 executing program 2: [ 1377.213286][ T3802] binder: 3795:3802 got transaction with invalid handle, 0 [ 1377.222653][ T3805] binder: BINDER_SET_CONTEXT_MGR already set [ 1377.242746][ T3805] binder: 3796:3805 ioctl 40046207 0 returned -16 [ 1377.252168][ T3807] binder: 3795:3807 got transaction with invalid handle, 0 01:57:09 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x77622a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1377.302373][ T3805] binder: 3796:3805 got transaction with invalid offset (2, min 24 max 24) or object. 01:57:09 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x400, 0x0) ioctl$KVM_ASSIGN_SET_MSIX_NR(r1, 0x4008ae73, &(0x7f0000000040)={0x1f, 0xc41}) 01:57:09 executing program 2: [ 1377.353124][ T3806] *** Guest State *** [ 1377.357267][ T3805] binder: transaction release 10184 bad handle 1, ret = -22 [ 1377.378643][ T3806] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1377.397170][ T3812] binder: 3796:3812 got transaction with invalid offset (2, min 24 max 24) or object. [ 1377.416829][ T3806] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 [ 1377.438393][ T3817] binder: BINDER_SET_CONTEXT_MGR already set [ 1377.441672][ T3806] CR3 = 0x0000000000000000 01:57:10 executing program 2: [ 1377.451913][ T3806] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1377.466431][ T3806] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1377.490509][ T3806] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1377.502649][ T3806] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1377.508215][ T3817] binder: 3811:3817 ioctl 40046207 0 returned -16 [ 1377.518968][ T3806] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1377.544322][ T3806] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1377.553294][ T3819] binder_alloc: 3811: binder_alloc_buf, no vma [ 1377.562339][ T3806] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1377.575865][ T3806] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1377.597167][ T3806] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1377.616508][ T3806] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1377.626623][ T3806] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1377.635542][ T3806] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1377.644791][ T3806] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1377.653752][ T3806] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1377.661083][ T3806] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1377.669424][ T3806] Interruptibility = 00000000 ActivityState = 00000000 [ 1377.676512][ T3806] *** Host State *** [ 1377.680657][ T3806] RIP = 0xffffffff811b4980 RSP = 0xffff8880648df8e0 [ 1377.687477][ T3806] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1377.694817][ T3806] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000003000 [ 1377.703565][ T3806] GDTBase=fffffe0000001000 IDTBase=fffffe0000000000 [ 1377.710324][ T3806] CR0=0000000080050033 CR3=000000009b91d000 CR4=00000000001426f0 [ 1377.718179][ T3806] Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87201360 [ 1377.725732][ T3806] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1377.732694][ T3806] *** Control State *** [ 1377.736993][ T3806] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1377.744588][ T3806] EntryControls=0000d1ff ExitControls=002fefff [ 1377.750958][ T3806] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1377.758744][ T3806] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1377.766285][ T3806] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1377.773767][ T3806] reason=80000021 qualification=0000000000000000 [ 1377.780966][ T3806] IDTVectoring: info=00000000 errcode=00000000 [ 1377.787254][ T3806] TSC Offset = 0xfffffd1bbccd3bd7 [ 1377.792459][ T3806] TPR Threshold = 0x00 [ 1377.796669][ T3806] EPT pointer = 0x000000005867301e 01:57:10 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x3]}}}], 0x0, 0x0, 0x0}) 01:57:10 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)=0xffffffffffffffac) 01:57:10 executing program 2: 01:57:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x77682a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:10 executing program 2: [ 1377.925437][ T3827] binder: 3825:3827 got transaction with invalid offset (3, min 24 max 24) or object. [ 1377.932841][ T3830] binder: BINDER_SET_CONTEXT_MGR already set [ 1377.958196][ T3830] binder: 3822:3830 ioctl 40046207 0 returned -16 01:57:10 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0xa40, 0x0) ioctl$sock_inet_SIOCGARP(r1, 0x8954, &(0x7f00000000c0)={{0x2, 0x4e23, @empty}, {0x1, @random="3dc54a305500"}, 0x10, {0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1a}}, 'yam0\x00'}) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000080)) 01:57:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1377.981154][ T3833] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.010186][ T3834] binder: 3825:3834 got transaction with invalid offset (3, min 24 max 24) or object. [ 1378.013039][ T3835] binder: 3822:3835 got transaction with invalid handle, 0 [ 1378.063739][ T3833] binder: 3825:3833 ioctl 40046207 0 returned -16 01:57:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:10 executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffff9c, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0xa0, &(0x7f00000000c0)=[@in={0x2, 0x4e23, @multicast2}, @in6={0xa, 0x4e21, 0x5, @mcast2, 0x8a}, @in6={0xa, 0x4e23, 0x6, @ipv4={[], [], @broadcast}, 0x5}, @in={0x2, 0x4e20, @local}, @in6={0xa, 0x4e22, 0x2, @dev={0xfe, 0x80, [], 0x26}, 0x9}, @in={0x2, 0x4e24, @multicast2}, @in6={0xa, 0x4e22, 0xffff, @rand_addr="29f9f62ccdb9f709c1332ce48877a100", 0x5}]}, &(0x7f0000000040)=0x10) getsockopt$inet_sctp6_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000180)={r1, 0x3ff, 0x8, 0x1}, &(0x7f00000001c0)=0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_NUMBER(r0, 0x84, 0x1c, 0x0, &(0x7f0000000200)=0xad) r2 = syz_open_dev$cec(&(0x7f0000000280)='/dev/cec#\x00', 0x3, 0x2) getsockopt$inet_opts(r2, 0x0, 0xd, &(0x7f00000002c0)=""/13, &(0x7f0000000300)=0xd) r3 = syz_open_dev$midi(&(0x7f0000000080)='/dev/midi#\x00', 0x5, 0x200) setsockopt$inet_sctp_SCTP_AUTO_ASCONF(r3, 0x84, 0x1e, &(0x7f0000000240)=0x2497, 0x4) 01:57:10 executing program 2: 01:57:10 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4]}}}], 0x0, 0x0, 0x0}) [ 1378.169679][ T3830] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.175726][ T3830] binder: 3822:3830 ioctl 40046207 0 returned -16 01:57:10 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1378.248665][ T3851] binder: 3850:3851 got transaction with invalid offset (4, min 24 max 24) or object. 01:57:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0x1000000, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:10 executing program 2: 01:57:10 executing program 0: [ 1378.332614][ T3854] binder: 3850:3854 got transaction with invalid offset (4, min 24 max 24) or object. 01:57:11 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:11 executing program 2: 01:57:11 executing program 0: 01:57:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1378.406089][ T3861] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.437383][ T3861] binder: 3859:3861 ioctl 40046207 0 returned -16 01:57:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x5]}}}], 0x0, 0x0, 0x0}) [ 1378.462896][T19558] binder: release 3859:3862 transaction 10223 out, still active [ 1378.476287][ T3861] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.484785][T19558] binder: unexpected work type, 4, not freed 01:57:11 executing program 0: 01:57:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1378.519486][ T3862] binder_alloc: 3850: binder_alloc_buf, no vma [ 1378.521519][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1378.525797][ T3861] binder: 3859:3861 ioctl 40046207 0 returned -16 [ 1378.556371][T19558] binder: send failed reply for transaction 10223, target dead 01:57:11 executing program 2: 01:57:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1378.607157][ T3871] binder: 3869:3871 got transaction with invalid offset (5, min 24 max 24) or object. 01:57:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6]}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 0: 01:57:11 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:11 executing program 2: [ 1378.751510][ T3881] binder: 3879:3881 got transaction with too large buffer 01:57:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1378.804624][ T3884] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.824740][ T3886] binder: 3879:3886 got transaction with too large buffer [ 1378.832452][ T3884] binder: 3882:3884 ioctl 40046207 0 returned -16 01:57:11 executing program 0: [ 1378.857647][ T3884] binder: BINDER_SET_CONTEXT_MGR already set [ 1378.875551][ T3884] binder: 3882:3884 ioctl 40046207 0 returned -16 01:57:11 executing program 2: 01:57:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7]}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 2: 01:57:11 executing program 0: 01:57:11 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1379.053115][ T3900] binder: 3897:3900 got transaction with too large buffer [ 1379.070396][ T3901] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.097280][ T3901] binder: 3898:3901 ioctl 40046207 0 returned -16 [ 1379.097410][ T3904] binder: BINDER_SET_CONTEXT_MGR already set 01:57:11 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 0: [ 1379.159577][ T3905] binder: 3897:3905 got transaction with too large buffer [ 1379.183727][ T3904] binder: 3897:3904 ioctl 40046207 0 returned -16 [ 1379.190841][ T3901] binder: BINDER_SET_CONTEXT_MGR already set 01:57:11 executing program 2: [ 1379.222133][ T3901] binder: 3898:3901 ioctl 40046207 0 returned -16 01:57:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1379.279619][ T3915] binder_transaction: 22 callbacks suppressed [ 1379.279628][ T3915] binder: 3911:3915 got transaction to invalid handle 01:57:11 executing program 0: 01:57:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xa]}}}], 0x0, 0x0, 0x0}) 01:57:11 executing program 2: [ 1379.384817][ T3919] binder: 3916:3919 got transaction with too large buffer [ 1379.423692][ T3924] binder: 3916:3924 got transaction with too large buffer 01:57:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1379.431904][ T3923] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.450805][ T3923] binder: 3921:3923 ioctl 40046207 0 returned -16 01:57:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x5}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 0: [ 1379.486333][ T3923] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.503796][ T3923] binder: 3921:3923 ioctl 40046207 0 returned -16 01:57:12 executing program 2: 01:57:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x10]}}}], 0x0, 0x0, 0x0}) [ 1379.583836][ T3931] binder: 3927:3931 got transaction to invalid handle [ 1379.592755][ T3932] binder: 3929:3932 got transaction with too large buffer [ 1379.621532][ T3933] binder: 3927:3933 got transaction to invalid handle 01:57:12 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1379.628681][ T3934] binder: 3929:3934 got transaction with too large buffer 01:57:12 executing program 0: setresgid(0x0, 0xee00, 0x0) r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000100)='/dev/null\x00', 0x80, 0x0) ioctl$FIONREAD(r0, 0x541b, &(0x7f0000000140)) setgroups(0x0, 0x0) prctl$PR_SVE_SET_VL(0x32, 0x11b4e) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f319bd070") ioctl$KVM_GET_API_VERSION(r0, 0xae00, 0x0) setresuid(0x0, 0xfffe, 0xffffffffffffffff) semctl$IPC_RMID(0x0, 0x0, 0x0) 01:57:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1379.688794][ T3937] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.710640][ T3937] binder: 3936:3937 ioctl 40046207 0 returned -16 01:57:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 0: pipe(&(0x7f0000000180)) ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000240)="b0") perf_event_open(&(0x7f0000000580)={0x2, 0x70, 0x5c65, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) pipe(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) poll(&(0x7f0000000140)=[{r0}, {r0}, {r1}, {r0}], 0x4, 0x0) pipe(&(0x7f00000000c0)) poll(&(0x7f0000000080)=[{r1}, {r1}, {r1}], 0x2000000000000073, 0xffbffffffffffffe) 01:57:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1379.813974][ T3943] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.826636][ T3947] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1379.842594][ T3943] binder: 3942:3943 ioctl 40046207 0 returned -16 [ 1379.885560][ T3949] binder: 3948:3949 got transaction to invalid handle [ 1379.893642][ T3952] binder: 3942:3952 got transaction with too large buffer 01:57:12 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:12 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1379.926314][ T3955] binder: 3948:3955 got transaction to invalid handle [ 1379.936769][ T3953] binder: BINDER_SET_CONTEXT_MGR already set [ 1379.966237][ T3953] binder: 3951:3953 ioctl 40046207 0 returned -16 01:57:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x28]}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) r1 = socket$inet(0x2, 0x2, 0x0) r2 = dup2(r0, r1) bind(r1, &(0x7f0000000080)=@in={0x2, 0x4e20}, 0x7c) sendto$inet(r0, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x2, 0x8004e20}, 0x10) recvfrom(r2, 0x0, 0x0, 0x0, 0x0, 0x0) [ 1380.018752][ T3960] dlm: dev_write no op 34bde833 b35018ee82ec6180 01:57:12 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1380.094260][ T3963] binder: 3961:3963 got transaction with too large buffer [ 1380.126629][ T3966] binder: 3962:3966 got transaction to invalid handle [ 1380.173465][ T3970] binder: BINDER_SET_CONTEXT_MGR already set [ 1380.189600][ T3970] binder: 3965:3970 ioctl 40046207 0 returned -16 [ 1380.200145][ T3971] binder: 3962:3971 got transaction to invalid handle [ 1380.210998][ T3970] binder: BINDER_SET_CONTEXT_MGR already set 01:57:12 executing program 0: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x74, 0x4) bind$inet(r0, &(0x7f0000000180)={0x2, 0x4e23, @multicast1}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) ioctl$sock_bt_cmtp_CMTPCONNADD(0xffffffffffffffff, 0x400443c8, &(0x7f0000000300)) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000001480)='yeah\x00', 0x3b3) sendto$inet(r0, &(0x7f00000001c0)="1b2f73ad4127595ed5be588b47420fa3c7e37878a0d0edc02c2ddce08c94fddd7ed3f950b971bc2b751c16d885976da648c2c3294c211b7b038db1a5241a5bb38af206c163c270c06cef43cddd846f1bcd822043e190dd1f40e64d998a1e1a6d17297f5b7907f446019b0bb495f8ef97d636318db1eb25a44fdb7d8d14fc6b6f6650e11e2a12be4fab45e5c933da483b6cdf814b92003f5bf7344e80c23e37770853b24b8cb86c923292938961d92811a54b51c2ccf5d6f21f59e84a2d5c939df3c968", 0xc3, 0x0, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000080)=0xda9, 0x4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) write$binfmt_elf64(r0, &(0x7f0000000100)=ANY=[@ANYRES32, @ANYRES16=0x0], 0xff5a) 01:57:12 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xa}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1380.217991][ T3970] binder: 3965:3970 ioctl 40046207 0 returned -16 01:57:12 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1380.284250][ T3977] dlm: dev_write no op 34bde833 b35018ee82ec6180 01:57:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x48]}}}], 0x0, 0x0, 0x0}) 01:57:12 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1380.331988][ T3980] binder: BINDER_SET_CONTEXT_MGR already set [ 1380.359908][ T3980] binder: 3975:3980 ioctl 40046207 0 returned -16 [ 1380.401347][ T3981] binder_transaction: 75 callbacks suppressed [ 1380.401369][ T3981] binder: 3975:3981 transaction failed 29189/-22, size 64-16 line 2995 [ 1380.408439][ T3987] binder: 3982:3987 got transaction to invalid handle [ 1380.443258][ T3988] binder: 3985:3988 transaction failed 29201/-22, size 24-16 line 3242 [ 1380.453177][ T3987] binder: 3982:3987 transaction failed 29201/-22, size 24-0 line 2995 [ 1380.479833][ T3990] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1380.482705][ T3988] binder: BINDER_SET_CONTEXT_MGR already set [ 1380.509294][ T3993] binder: 3982:3993 got transaction to invalid handle [ 1380.516097][ T3993] binder: 3982:3993 transaction failed 29201/-22, size 24-0 line 2995 01:57:13 executing program 2: write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x10}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 1380.550063][T31106] binder_release_work: 75 callbacks suppressed [ 1380.550070][T31106] binder: undelivered TRANSACTION_ERROR: 29189 [ 1380.570361][ T3988] binder: 3985:3988 ioctl 40046207 0 returned -16 01:57:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1380.600234][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.606466][T31106] binder: undelivered TRANSACTION_ERROR: 29201 01:57:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4c]}}}], 0x0, 0x0, 0x0}) [ 1380.679349][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.683767][ T4002] binder: 3996:4002 transaction failed 29201/-22, size 64-16 line 3357 01:57:13 executing program 2: write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1380.723813][ T4003] binder: 4000:4003 got transaction to invalid handle [ 1380.752508][ T4005] binder: BINDER_SET_CONTEXT_MGR already set [ 1380.758964][ T4003] binder: 4000:4003 transaction failed 29201/-22, size 24-0 line 2995 [ 1380.767334][ T4005] binder: 4004:4005 ioctl 40046207 0 returned -16 [ 1380.773261][T17703] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.778516][ T4005] binder: 4004:4005 transaction failed 29201/-22, size 24-16 line 3242 [ 1380.793219][ T4008] binder: 3996:4008 transaction failed 29201/-22, size 64-16 line 3357 [ 1380.796409][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.813093][ T4005] binder: BINDER_SET_CONTEXT_MGR already set [ 1380.825210][ T4011] binder: 4000:4011 transaction failed 29201/-22, size 24-0 line 2995 [ 1380.836052][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.845007][ T4009] binder: 4004:4009 transaction failed 29201/-22, size 24-16 line 3242 [ 1380.854775][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.883674][ T4005] binder: 4004:4005 ioctl 40046207 0 returned -16 [ 1380.899365][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1380.913575][T17703] binder: undelivered TRANSACTION_ERROR: 29201 01:57:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xa}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 2: write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:13 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 01:57:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x60]}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x28}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1381.183780][ T4018] binder: BINDER_SET_CONTEXT_MGR already set 01:57:13 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, 0x0, 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1381.234657][ T4018] binder: 4017:4018 ioctl 40046207 0 returned -16 [ 1381.234750][ T4025] binder_transaction: 14 callbacks suppressed [ 1381.234773][ T4025] binder: 4017:4025 got transaction with invalid offset (96, min 24 max 24) or object. [ 1381.247605][ T4021] binder: BINDER_SET_CONTEXT_MGR already set 01:57:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x68]}}}], 0x0, 0x0, 0x0}) 01:57:13 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 01:57:13 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1381.335119][ T4024] binder: BINDER_SET_CONTEXT_MGR already set [ 1381.345014][ T4021] binder: 4015:4021 ioctl 40046207 0 returned -16 [ 1381.364754][ T4024] binder: 4022:4024 ioctl 40046207 0 returned -16 [ 1381.364851][ T4027] binder_alloc: 4017: binder_alloc_buf, no vma 01:57:14 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, 0x0, 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1381.411822][ T4038] binder: 4037:4038 got transaction with invalid offset (104, min 24 max 24) or object. [ 1381.424127][ T4028] binder_alloc: 4017: binder_alloc_buf, no vma 01:57:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x38}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1381.484623][ T4043] binder: 4037:4043 got transaction with invalid offset (104, min 24 max 24) or object. 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, 0x0, 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1381.569628][ T4047] binder: BINDER_SET_CONTEXT_MGR already set [ 1381.593710][ T4047] binder: 4046:4047 ioctl 40046207 0 returned -16 [ 1381.593733][ T4049] binder: BINDER_SET_CONTEXT_MGR already set 01:57:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6c]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x73622a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1381.629605][ T4049] binder: 4048:4049 ioctl 40046207 0 returned -16 01:57:14 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0x6000000000000000}, @ptr={0x70742a85, 0xffffff7f, 0x0}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1381.696531][ T4057] binder: 4056:4057 got transaction with invalid offset (108, min 24 max 24) or object. [ 1381.698902][ T4059] binder: BINDER_SET_CONTEXT_MGR already set [ 1381.770136][ T4059] binder: 4058:4059 ioctl 40046207 0 returned -16 [ 1381.777280][ T4057] binder: BINDER_SET_CONTEXT_MGR already set [ 1381.789338][ T4063] binder_alloc: 4048: binder_alloc_buf failed to map pages in userspace, no vma [ 1381.804830][ T4066] binder: BINDER_SET_CONTEXT_MGR already set 01:57:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x48}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1381.822125][ T4057] binder: 4056:4057 ioctl 40046207 0 returned -16 [ 1381.831022][ T4066] binder: 4064:4066 ioctl 40046207 0 returned -16 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x74]}}}], 0x0, 0x0, 0x0}) [ 1381.864249][ T4065] binder_alloc: 4048: binder_alloc_buf, no vma [ 1381.888696][ T4075] binder: 4064:4075 got transaction with invalid parent offset or type 01:57:14 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4c}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1381.962083][ T4078] binder: BINDER_SET_CONTEXT_MGR already set 01:57:14 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x600000000000000, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 2: openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1382.009911][ T4078] binder: 4077:4078 ioctl 40046207 0 returned -16 [ 1382.009932][ T4085] binder_alloc: 4071: binder_alloc_buf, no vma 01:57:14 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f0000000180)={r2, 0x2}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x50}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1382.078247][ T4088] binder: BINDER_SET_CONTEXT_MGR already set [ 1382.098241][ T4088] binder: 4087:4088 ioctl 40046207 0 returned -16 01:57:14 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x28, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 2: openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7a]}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f0000000180)={r2, 0x2}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x60}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1382.218404][ T4102] binder: BINDER_SET_CONTEXT_MGR already set [ 1382.249693][ T4102] binder: 4101:4102 ioctl 40046207 0 returned -16 [ 1382.278872][ T4106] binder: 4104:4106 got transaction with invalid offset (122, min 24 max 24) or object. 01:57:14 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1382.331945][ T4111] binder: BINDER_SET_CONTEXT_MGR already set 01:57:14 executing program 2: openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(0xffffffffffffffff, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:14 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(0xffffffffffffffff, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:14 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f0000000180)={r2, 0x2}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/conntrack\x00', 0x2, 0x0) [ 1382.377463][ T4114] binder: 4104:4114 got transaction with invalid offset (122, min 24 max 24) or object. [ 1382.377592][ T4111] binder: 4108:4111 ioctl 40046207 0 returned -16 01:57:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x300]}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, 0x0, 0x0) 01:57:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x68}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1382.537198][ T4127] binder: 4126:4127 got transaction with invalid offset (768, min 24 max 24) or object. [ 1382.569115][ T4129] *** Guest State *** 01:57:15 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {0x0}, {}]}) ioctl$DRM_IOCTL_NEW_CTX(r1, 0x40086425, &(0x7f0000000180)={r2, 0x2}) [ 1382.591517][ T4129] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 [ 1382.602165][ T4133] binder: 4126:4133 got transaction with invalid offset (768, min 24 max 24) or object. [ 1382.629410][ T4129] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:57:15 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, 0x0, 0x0) [ 1382.651293][ T4135] binder: BINDER_SET_CONTEXT_MGR already set [ 1382.684452][ T4135] binder: 4134:4135 ioctl 40046207 0 returned -16 [ 1382.691385][ T4129] CR3 = 0x0000000000000000 01:57:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x500]}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1382.697823][ T4129] RSP = 0x0000000000000000 RIP = 0x0000000000000000 01:57:15 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000140)={0x7, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {}, {}]}) 01:57:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6c}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1382.740046][ T4129] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1382.751050][ T4144] binder: 4143:4144 got transaction with invalid offset (1280, min 24 max 24) or object. [ 1382.773252][ T4129] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1382.790407][ T4129] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1382.801457][ T4146] binder: 4143:4146 got transaction with invalid offset (1280, min 24 max 24) or object. [ 1382.834406][ T4152] binder: BINDER_SET_CONTEXT_MGR already set [ 1382.839791][ T4129] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1382.869528][ T4129] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1382.874416][ T4152] binder: 4150:4152 ioctl 40046207 0 returned -16 [ 1382.901934][ T4129] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1382.924381][ T4129] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1382.949308][ T4129] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1382.958139][ T4129] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1382.973505][ T4129] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1383.018410][ T4129] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1383.029304][ T4129] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1383.060312][ T4129] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1383.067463][ T4129] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1383.099309][ T4129] Interruptibility = 00000000 ActivityState = 00000000 [ 1383.106405][ T4129] *** Host State *** [ 1383.110790][ T4129] RIP = 0xffffffff811b4980 RSP = 0xffff88806267f8e0 [ 1383.117617][ T4129] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1383.125136][ T4129] FSBase=00007f101dc47700 GSBase=ffff8880ae900000 TRBase=fffffe0000033000 [ 1383.134028][ T4129] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1383.141270][ T4129] CR0=0000000080050033 CR3=00000000a7d4d000 CR4=00000000001426e0 [ 1383.149133][ T4129] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1383.156945][ T4129] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1383.164100][ T4129] *** Control State *** [ 1383.168383][ T4129] PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000c2 [ 1383.176176][ T4129] EntryControls=0000d1ff ExitControls=002fefff [ 1383.182744][ T4129] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1383.190755][ T4129] VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1383.198253][ T4129] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1383.206638][ T4129] reason=80000021 qualification=0000000000000000 [ 1383.214036][ T4129] IDTVectoring: info=00000000 errcode=00000000 [ 1383.221435][ T4129] TSC Offset = 0xfffffd18f5f1934f [ 1383.226600][ T4129] EPT pointer = 0x00000000a79ea01e 01:57:15 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, 0x0, 0x0) 01:57:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x600]}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x3}) 01:57:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x74}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:15 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000}, 0x10) 01:57:15 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) [ 1383.360666][T19558] binder: release 4157:4163 transaction 10472 out, still active [ 1383.368333][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1383.375719][ T4164] binder: BINDER_SET_CONTEXT_MGR already set [ 1383.394094][ T4160] binder: BINDER_SET_CONTEXT_MGR already set [ 1383.403965][ T4164] binder: 4154:4164 ioctl 40046207 0 returned -16 [ 1383.443616][ T4160] binder: 4159:4160 ioctl 40046207 0 returned -16 [ 1383.443700][ T4165] binder_alloc: 4159: binder_alloc_buf, no vma [ 1383.455624][T19558] binder: send failed reply for transaction 10472, target dead [ 1383.470546][T19558] binder: release 4170:4171 transaction 10478 out, still active [ 1383.485787][ T4164] binder: BINDER_SET_CONTEXT_MGR already set 01:57:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) fcntl$setflags(r0, 0x2, 0x0) [ 1383.500876][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1383.523315][ T4164] binder: 4154:4164 ioctl 40046207 0 returned -16 [ 1383.523666][ T4173] binder_alloc: 4166: binder_alloc_buf, no vma 01:57:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x700]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x300000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000}, 0x10) [ 1383.559418][T19558] binder: send failed reply for transaction 10478, target dead [ 1383.567015][T19558] binder: send failed reply for transaction 10482 to 4170:4172 01:57:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x2, 0x0]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7a}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1383.624237][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1383.641015][ T4181] binder: BINDER_SET_CONTEXT_MGR already set [ 1383.657407][ T4181] binder: 4179:4181 ioctl 40046207 0 returned -16 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1383.706474][ T4193] binder_alloc: 4179: binder_alloc_buf, no vma [ 1383.716646][ T4191] binder: BINDER_SET_CONTEXT_MGR already set 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000}, 0x10) 01:57:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1383.776238][ T4191] binder: 4188:4191 ioctl 40046207 0 returned -16 [ 1383.776242][ T4187] binder: BINDER_SET_CONTEXT_MGR already set [ 1383.776279][ T4187] binder: 4186:4187 ioctl 40046207 0 returned -16 01:57:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xa00]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b3"}, 0x28) 01:57:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x300}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x500000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x600]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1383.988540][ T4212] binder: BINDER_SET_CONTEXT_MGR already set [ 1384.022230][ T4212] binder: 4209:4212 ioctl 40046207 0 returned -16 [ 1384.023490][T17703] binder: release 4211:4213 transaction 10504 out, still active [ 1384.036873][ T4216] binder: BINDER_SET_CONTEXT_MGR already set 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b3"}, 0x28) 01:57:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x1800]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1384.070011][ T4216] binder: 4214:4216 ioctl 40046207 0 returned -16 [ 1384.070143][ T4220] binder_transaction: 15 callbacks suppressed [ 1384.070154][ T4220] binder: 4209:4220 got transaction with too large buffer [ 1384.083022][T17703] binder: undelivered TRANSACTION_COMPLETE [ 1384.089946][ T4221] binder_alloc: 4204: binder_alloc_buf, no vma [ 1384.110684][T17703] binder: send failed reply for transaction 10504, target dead 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1384.136586][T17703] binder: send failed reply for transaction 10505 to 4211:4217 [ 1384.149903][ T4220] binder: transaction release 10506 bad handle 1, ret = -22 [ 1384.178531][ T4226] binder: BINDER_SET_CONTEXT_MGR already set [ 1384.193292][ T4226] binder: 4225:4226 ioctl 40046207 0 returned -16 [ 1384.193383][ T4231] binder_alloc: 4225: binder_alloc_buf, no vma [ 1384.206373][T17703] binder: release 4224:4229 transaction 10514 out, still active [ 1384.212100][ T4212] binder: BINDER_SET_CONTEXT_MGR already set 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b3"}, 0x28) 01:57:16 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1384.227053][T17703] binder: undelivered TRANSACTION_COMPLETE [ 1384.234438][ T4212] binder: 4209:4212 ioctl 40046207 0 returned -16 01:57:16 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1384.275515][ T4220] binder_alloc: 4225: binder_alloc_buf, no vma [ 1384.275622][T17703] binder: send failed reply for transaction 10514, target dead [ 1384.289853][ T4230] binder_alloc: 4225: binder_alloc_buf, no vma 01:57:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x500}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85, 0x0, 0x0, 0xfdfdffff00000000}], &(0x7f00000005c0)=[0x0, 0x0]}}}], 0x0, 0x0, 0x0}) [ 1384.323305][T17703] binder: undelivered TRANSACTION_COMPLETE 01:57:16 executing program 0: setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) 01:57:16 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a25898"}, 0x34) 01:57:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2000]}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1384.412739][ T4240] binder: 4238:4240 got transaction with too large buffer [ 1384.445106][ T4243] binder: BINDER_SET_CONTEXT_MGR already set 01:57:17 executing program 0: setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) [ 1384.468144][ T4243] binder: 4242:4243 ioctl 40046207 0 returned -16 [ 1384.478215][ T4245] binder: 4238:4245 got transaction with too large buffer [ 1384.496650][ T4250] binder: BINDER_SET_CONTEXT_MGR already set [ 1384.514605][ T4250] binder: 4249:4250 ioctl 40046207 0 returned -16 [ 1384.538171][T17703] binder: release 4247:4251 transaction 10531 out, still active [ 1384.541865][ T4250] binder: BINDER_SET_CONTEXT_MGR already set 01:57:17 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a25898"}, 0x34) 01:57:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x600}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1384.569305][T17703] binder: undelivered TRANSACTION_COMPLETE [ 1384.574223][ T4250] binder: 4249:4250 ioctl 40046207 0 returned -16 [ 1384.591848][T17703] binder: send failed reply for transaction 10531, target dead 01:57:17 executing program 1 (fault-call:10 fault-nth:0): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1384.615001][T17703] binder: send failed reply for transaction 10535 to 4247:4255 01:57:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 0: setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) 01:57:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2800]}}}], 0x0, 0x0, 0x0}) [ 1384.641816][ T4258] binder: 4256:4258 got transaction with too large buffer [ 1384.652928][T17703] binder: undelivered TRANSACTION_COMPLETE 01:57:17 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a25898"}, 0x34) [ 1384.725932][ T4258] binder: BINDER_SET_CONTEXT_MGR already set [ 1384.748642][ T4258] binder: 4256:4258 ioctl 40046207 0 returned -16 01:57:17 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, 0x0, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1384.775390][ T4265] binder: 4256:4265 got transaction with too large buffer [ 1384.796880][ T4273] FAULT_INJECTION: forcing a failure. [ 1384.796880][ T4273] name failslab, interval 1, probability 0, space 0, times 0 [ 1384.832745][ T4273] CPU: 1 PID: 4273 Comm: syz-executor.1 Not tainted 5.1.0-rc6+ #85 [ 1384.840680][ T4273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1384.850736][ T4273] Call Trace: [ 1384.854043][ T4273] dump_stack+0x172/0x1f0 [ 1384.858398][ T4273] should_fail.cold+0xa/0x15 [ 1384.863009][ T4273] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1384.868829][ T4273] ? ___might_sleep+0x163/0x280 [ 1384.873699][ T4273] __should_failslab+0x121/0x190 [ 1384.878645][ T4273] should_failslab+0x9/0x14 [ 1384.883151][ T4273] kmem_cache_alloc+0x2b2/0x6f0 [ 1384.883167][ T4273] ? vcpu_enter_guest+0x17de/0x5ec0 [ 1384.883191][ T4273] mmu_topup_memory_caches+0x97/0x490 [ 1384.883206][ T4273] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1384.883224][ T4273] kvm_mmu_load+0x21/0x1300 [ 1384.883240][ T4273] ? kvm_apic_accept_pic_intr+0xef/0x1a0 [ 1384.883262][ T4273] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1384.893294][ T4273] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1384.893312][ T4273] vcpu_enter_guest+0x3adb/0x5ec0 01:57:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x700}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda"}, 0x3a) 01:57:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x3f00]}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, 0x0, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1384.893334][ T4273] ? emulator_read_emulated+0x50/0x50 [ 1384.904921][ T4273] ? lock_acquire+0x16f/0x3f0 [ 1384.904938][ T4273] ? kvm_arch_vcpu_ioctl_run+0x240/0x1750 [ 1384.904959][ T4273] kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1384.942555][ T4273] ? kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1384.942581][ T4273] kvm_vcpu_ioctl+0x4dc/0xf90 [ 1384.942598][ T4273] ? kvm_set_memory_region+0x50/0x50 [ 1384.942612][ T4273] ? tomoyo_path_number_perm+0x263/0x520 [ 1384.942629][ T4273] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 1384.942655][ T4273] ? __fget+0x35a/0x550 [ 1384.942687][ T4273] ? kvm_set_memory_region+0x50/0x50 [ 1384.959653][ T4273] do_vfs_ioctl+0xd6e/0x1390 [ 1384.959676][ T4273] ? ioctl_preallocate+0x210/0x210 [ 1384.959691][ T4273] ? __fget+0x381/0x550 [ 1384.959712][ T4273] ? ksys_dup3+0x3e0/0x3e0 [ 1384.959735][ T4273] ? tomoyo_file_ioctl+0x23/0x30 [ 1384.959752][ T4273] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1384.959775][ T4273] ? security_file_ioctl+0x93/0xc0 [ 1384.969719][ T4273] ksys_ioctl+0xab/0xd0 01:57:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, 0x0, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1384.969740][ T4273] __x64_sys_ioctl+0x73/0xb0 [ 1384.969759][ T4273] do_syscall_64+0x103/0x610 [ 1384.969780][ T4273] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1384.969792][ T4273] RIP: 0033:0x458da9 [ 1384.969807][ T4273] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1384.969822][ T4273] RSP: 002b:00007f101dc45c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1384.995235][ T4273] RAX: ffffffffffffffda RBX: 00007f101dc45c90 RCX: 0000000000458da9 [ 1384.995245][ T4273] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006 [ 1384.995254][ T4273] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 1384.995262][ T4273] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101dc466d4 [ 1384.995278][ T4273] R13: 00000000004c1d42 R14: 00000000004d4550 R15: 0000000000000007 [ 1385.042673][ T4283] binder: 4278:4283 got transaction with too large buffer [ 1385.128176][ T4279] binder: BINDER_SET_CONTEXT_MGR already set [ 1385.148485][ T4279] binder: 4277:4279 ioctl 40046207 0 returned -16 [ 1385.153788][T19558] binder: release 4284:4285 transaction 10560 out, still active [ 1385.174917][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1385.203948][T19558] binder: release 4284:4287 transaction 10561 out, still active [ 1385.212595][ T4283] binder: BINDER_SET_CONTEXT_MGR already set [ 1385.231397][ T4291] binder_alloc: 4278: binder_alloc_buf, no vma [ 1385.245669][ T4283] binder: 4278:4283 ioctl 40046207 0 returned -16 [ 1385.248332][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1385.267617][T19558] binder: send failed reply for transaction 10560, target dead [ 1385.276808][T19558] binder: send failed reply for transaction 10561, target dead 01:57:17 executing program 1 (fault-call:10 fault-nth:1): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:17 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda"}, 0x3a) 01:57:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4800]}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:17 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xa00}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:18 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda"}, 0x3a) [ 1385.458878][ T4296] binder_transaction: 98 callbacks suppressed [ 1385.458894][ T4296] binder: 4295:4296 transaction failed 29201/-22, size 24-16 line 3242 [ 1385.472572][ T4298] binder: BINDER_SET_CONTEXT_MGR already set [ 1385.525870][ T4301] binder_alloc: 4295: binder_alloc_buf, no vma [ 1385.532621][ T4305] binder: 4297:4305 got transaction with too large buffer [ 1385.532648][ T4304] binder: 4295:4304 transaction failed 29201/-22, size 24-16 line 3242 [ 1385.550273][ T4301] binder: 4294:4301 transaction failed 29189/-3, size 24-0 line 3148 [ 1385.558423][ T4298] binder: 4297:4298 ioctl 40046207 0 returned -16 [ 1385.562386][ T4305] binder: 4297:4305 transaction failed 29201/-22, size 64-16 line 3357 01:57:18 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1385.577968][T19558] binder_release_work: 102 callbacks suppressed [ 1385.577975][T19558] binder: undelivered TRANSACTION_ERROR: 29201 01:57:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4c00]}}}], 0x0, 0x0, 0x0}) 01:57:18 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a8722"}, 0x3d) [ 1385.620075][ T4303] FAULT_INJECTION: forcing a failure. [ 1385.620075][ T4303] name failslab, interval 1, probability 0, space 0, times 0 [ 1385.633091][T19558] binder: release 4294:4309 transaction 10581 out, still active [ 1385.641636][ T4298] binder: BINDER_SET_CONTEXT_MGR already set [ 1385.657444][ T4298] binder: 4297:4298 ioctl 40046207 0 returned -16 01:57:18 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1385.669375][T19558] binder: send failed reply for transaction 10581, target dead [ 1385.677036][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1385.681914][ T4305] binder: 4297:4305 transaction failed 29189/-22, size 64-16 line 2995 [ 1385.702812][ T4313] binder: 4312:4313 transaction failed 29201/-22, size 24-16 line 3242 [ 1385.719105][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1385.731920][ T4313] binder: BINDER_SET_CONTEXT_MGR already set [ 1385.744159][ T4303] CPU: 1 PID: 4303 Comm: syz-executor.1 Not tainted 5.1.0-rc6+ #85 [ 1385.752061][ T4303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1385.762112][ T4303] Call Trace: [ 1385.765414][ T4303] dump_stack+0x172/0x1f0 [ 1385.769758][ T4303] should_fail.cold+0xa/0x15 [ 1385.774366][ T4303] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1385.777585][T19558] binder: undelivered TRANSACTION_ERROR: 29201 [ 1385.780212][ T4303] ? ___might_sleep+0x163/0x280 [ 1385.780234][ T4303] __should_failslab+0x121/0x190 [ 1385.780250][ T4303] should_failslab+0x9/0x14 [ 1385.780267][ T4303] kmem_cache_alloc+0x2b2/0x6f0 [ 1385.780293][ T4303] ? vcpu_enter_guest+0x17de/0x5ec0 [ 1385.786503][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1385.791284][ T4303] mmu_topup_memory_caches+0x97/0x490 [ 1385.791301][ T4303] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1385.791322][ T4303] kvm_mmu_load+0x21/0x1300 [ 1385.796310][ T4316] binder: 4312:4316 transaction failed 29189/-22, size 24-16 line 2995 [ 1385.800735][ T4303] ? kvm_apic_accept_pic_intr+0xef/0x1a0 [ 1385.800751][ T4303] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1385.800768][ T4303] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1385.800785][ T4303] vcpu_enter_guest+0x3adb/0x5ec0 [ 1385.800806][ T4303] ? emulator_read_emulated+0x50/0x50 [ 1385.800825][ T4303] ? lock_acquire+0x16f/0x3f0 [ 1385.800847][ T4303] ? kvm_arch_vcpu_ioctl_run+0x240/0x1750 [ 1385.819597][ T4313] binder: 4312:4313 ioctl 40046207 0 returned -16 [ 1385.822376][ T4303] kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1385.822398][ T4303] ? kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1385.828709][T19558] binder: undelivered TRANSACTION_ERROR: 29189 [ 1385.833127][ T4303] kvm_vcpu_ioctl+0x4dc/0xf90 [ 1385.833144][ T4303] ? kvm_set_memory_region+0x50/0x50 [ 1385.833158][ T4303] ? tomoyo_path_number_perm+0x263/0x520 [ 1385.833175][ T4303] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 1385.833202][ T4303] ? __fget+0x35a/0x550 [ 1385.886638][ T4303] ? kvm_set_memory_region+0x50/0x50 [ 1385.886659][ T4303] do_vfs_ioctl+0xd6e/0x1390 [ 1385.886680][ T4303] ? ioctl_preallocate+0x210/0x210 [ 1385.914002][ T4303] ? __fget+0x381/0x550 [ 1385.914024][ T4303] ? ksys_dup3+0x3e0/0x3e0 [ 1385.914048][ T4303] ? tomoyo_file_ioctl+0x23/0x30 [ 1385.914073][ T4303] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1385.934916][ T4303] ? security_file_ioctl+0x93/0xc0 [ 1385.934937][ T4303] ksys_ioctl+0xab/0xd0 [ 1385.934958][ T4303] __x64_sys_ioctl+0x73/0xb0 [ 1385.948789][ T4303] do_syscall_64+0x103/0x610 [ 1385.982739][ T4303] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1385.988644][ T4303] RIP: 0033:0x458da9 [ 1385.992539][ T4303] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1386.012152][ T4303] RSP: 002b:00007f101dc67c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1386.020578][ T4303] RAX: ffffffffffffffda RBX: 00007f101dc67c90 RCX: 0000000000458da9 [ 1386.028549][ T4303] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006 [ 1386.036535][ T4303] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 1386.044527][ T4303] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101dc686d4 [ 1386.052516][ T4303] R13: 00000000004c1d42 R14: 00000000004d4550 R15: 0000000000000007 [ 1386.099427][ T4321] binder: 4319:4321 transaction failed 29189/-22, size 24-0 line 2995 [ 1386.130801][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1386.154261][ T4322] binder: 4319:4322 transaction failed 29189/-22, size 24-0 line 2995 [ 1386.165044][T19558] binder: undelivered TRANSACTION_ERROR: 29189 01:57:18 executing program 1 (fault-call:10 fault-nth:2): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:18 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a8722"}, 0x3d) 01:57:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6000]}}}], 0x0, 0x0, 0x0}) 01:57:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:18 executing program 0: socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) 01:57:18 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1386.271104][ T4326] binder_transaction: 16 callbacks suppressed [ 1386.271120][ T4326] binder: 4324:4326 got transaction with invalid offset (24576, min 24 max 24) or object. [ 1386.297469][ T4330] binder: BINDER_SET_CONTEXT_MGR already set 01:57:18 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a8722"}, 0x3d) 01:57:18 executing program 0: socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) [ 1386.335344][ T4330] binder: 4323:4330 ioctl 40046207 0 returned -16 [ 1386.336514][T19060] binder: release 4327:4331 transaction 10594 out, still active [ 1386.370836][T19060] binder: release 4327:4335 transaction 10595 out, still active 01:57:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1386.384260][ T4326] binder: 4324:4326 transaction failed 29201/-22, size 24-16 line 3242 [ 1386.416051][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1386.424128][ T4336] binder: 4323:4336 got transaction with too large buffer [ 1386.437266][ T4340] binder: 4324:4340 got transaction with invalid offset (24576, min 24 max 24) or object. [ 1386.448672][ T4342] FAULT_INJECTION: forcing a failure. [ 1386.448672][ T4342] name failslab, interval 1, probability 0, space 0, times 0 [ 1386.463486][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1386.467813][ T4330] binder: BINDER_SET_CONTEXT_MGR already set [ 1386.483267][ T4330] binder: 4323:4330 ioctl 40046207 0 returned -16 01:57:19 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7"}, 0x3f) 01:57:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6800]}}}], 0x0, 0x0, 0x0}) [ 1386.522554][ T4336] binder: 4323:4336 got transaction with too large buffer [ 1386.528509][ T4342] CPU: 1 PID: 4342 Comm: syz-executor.1 Not tainted 5.1.0-rc6+ #85 [ 1386.537671][ T4342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1386.547726][ T4342] Call Trace: [ 1386.550521][T19558] binder: send failed reply for transaction 10594, target dead [ 1386.551038][ T4342] dump_stack+0x172/0x1f0 [ 1386.562899][ T4342] should_fail.cold+0xa/0x15 [ 1386.563841][ T4336] binder: transaction release 10602 bad handle 1, ret = -22 [ 1386.567507][ T4342] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1386.567530][ T4342] ? ___might_sleep+0x163/0x280 [ 1386.567550][ T4342] __should_failslab+0x121/0x190 [ 1386.567572][ T4342] should_failslab+0x9/0x14 [ 1386.584213][T19558] binder: send failed reply for transaction 10595, target dead [ 1386.585480][ T4342] kmem_cache_alloc+0x2b2/0x6f0 [ 1386.585506][ T4342] ? vcpu_enter_guest+0x17de/0x5ec0 [ 1386.585536][ T4342] mmu_topup_memory_caches+0x97/0x490 01:57:19 executing program 0: socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) [ 1386.617872][ T4342] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1386.622907][ T4348] binder: 4346:4348 got transaction with invalid offset (26624, min 24 max 24) or object. [ 1386.624121][ T4342] kvm_mmu_load+0x21/0x1300 [ 1386.624141][ T4342] ? kvm_apic_accept_pic_intr+0xef/0x1a0 [ 1386.624158][ T4342] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1386.624175][ T4342] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1386.624196][ T4342] vcpu_enter_guest+0x3adb/0x5ec0 [ 1386.661746][ T4342] ? emulator_read_emulated+0x50/0x50 [ 1386.667129][ T4342] ? lock_acquire+0x16f/0x3f0 [ 1386.671814][ T4342] ? kvm_arch_vcpu_ioctl_run+0x240/0x1750 [ 1386.677549][ T4342] kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1386.683107][ T4342] ? kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1386.688841][ T4342] kvm_vcpu_ioctl+0x4dc/0xf90 [ 1386.693530][ T4342] ? kvm_set_memory_region+0x50/0x50 [ 1386.693617][ T4348] binder: BINDER_SET_CONTEXT_MGR already set [ 1386.698819][ T4342] ? tomoyo_path_number_perm+0x263/0x520 [ 1386.698838][ T4342] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 1386.698864][ T4342] ? __fget+0x35a/0x550 [ 1386.698890][ T4342] ? kvm_set_memory_region+0x50/0x50 [ 1386.725795][ T4342] do_vfs_ioctl+0xd6e/0x1390 [ 1386.730402][ T4342] ? ioctl_preallocate+0x210/0x210 [ 1386.735524][ T4342] ? __fget+0x381/0x550 [ 1386.735547][ T4342] ? ksys_dup3+0x3e0/0x3e0 [ 1386.735570][ T4342] ? tomoyo_file_ioctl+0x23/0x30 [ 1386.735593][ T4342] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1386.755305][ T4342] ? security_file_ioctl+0x93/0xc0 [ 1386.760426][ T4342] ksys_ioctl+0xab/0xd0 [ 1386.762650][ T4348] binder: 4346:4348 ioctl 40046207 0 returned -16 [ 1386.764587][ T4342] __x64_sys_ioctl+0x73/0xb0 [ 1386.764609][ T4342] do_syscall_64+0x103/0x610 [ 1386.764629][ T4342] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1386.764647][ T4342] RIP: 0033:0x458da9 [ 1386.780245][ T4342] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1386.780254][ T4342] RSP: 002b:00007f101dc45c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1386.780270][ T4342] RAX: ffffffffffffffda RBX: 00007f101dc45c90 RCX: 0000000000458da9 [ 1386.780278][ T4342] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006 [ 1386.780287][ T4342] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 1386.780296][ T4342] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101dc466d4 [ 1386.780304][ T4342] R13: 00000000004c1d42 R14: 00000000004d4550 R15: 0000000000000007 01:57:19 executing program 1 (fault-call:10 fault-nth:3): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:19 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7"}, 0x3f) 01:57:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2800}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6c00]}}}], 0x0, 0x0, 0x0}) 01:57:19 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x0, &(0x7f0000000080)) 01:57:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:19 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7"}, 0x3f) [ 1386.957822][ T4360] binder: 4355:4360 got transaction with too large buffer [ 1386.975992][ T4362] binder: BINDER_SET_CONTEXT_MGR already set [ 1386.997934][ T4362] binder: 4356:4362 ioctl 40046207 0 returned -16 01:57:19 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x0, &(0x7f0000000080)) [ 1387.021721][ T4366] binder: 4356:4366 got transaction with invalid offset (27648, min 24 max 24) or object. 01:57:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3800}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:19 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1387.078501][ T4366] binder: transaction release 10621 bad handle 1, ret = -22 01:57:19 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x0, &(0x7f0000000080)) [ 1387.158317][ T4369] FAULT_INJECTION: forcing a failure. [ 1387.158317][ T4369] name failslab, interval 1, probability 0, space 0, times 0 [ 1387.174013][ T4366] binder: BINDER_SET_CONTEXT_MGR already set [ 1387.206883][ T4366] binder: 4356:4366 ioctl 40046207 0 returned -16 [ 1387.206923][ T4378] binder_alloc: 4372: binder_alloc_buf, no vma [ 1387.230183][ T4376] binder_alloc: 4372: binder_alloc_buf failed to map pages in userspace, no vma [ 1387.241682][ T4369] CPU: 0 PID: 4369 Comm: syz-executor.1 Not tainted 5.1.0-rc6+ #85 [ 1387.249581][ T4369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1387.259634][ T4369] Call Trace: [ 1387.262937][ T4369] dump_stack+0x172/0x1f0 [ 1387.267284][ T4369] should_fail.cold+0xa/0x15 [ 1387.271897][ T4369] ? fault_create_debugfs_attr+0x1e0/0x1e0 [ 1387.277714][ T4369] ? ___might_sleep+0x163/0x280 [ 1387.282574][ T4369] __should_failslab+0x121/0x190 [ 1387.287529][ T4369] should_failslab+0x9/0x14 [ 1387.292043][ T4369] kmem_cache_alloc+0x2b2/0x6f0 [ 1387.296901][ T4369] ? vcpu_enter_guest+0x17de/0x5ec0 [ 1387.302111][ T4369] mmu_topup_memory_caches+0x97/0x490 [ 1387.307484][ T4369] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1387.314431][ T4369] kvm_mmu_load+0x21/0x1300 [ 1387.318940][ T4369] ? kvm_apic_accept_pic_intr+0xef/0x1a0 [ 1387.324584][ T4369] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1387.330834][ T4369] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1387.337081][ T4369] vcpu_enter_guest+0x3adb/0x5ec0 [ 1387.342117][ T4369] ? emulator_read_emulated+0x50/0x50 [ 1387.347533][ T4369] ? lock_acquire+0x16f/0x3f0 [ 1387.352227][ T4369] ? kvm_arch_vcpu_ioctl_run+0x240/0x1750 [ 1387.354875][ T4381] binder: BINDER_SET_CONTEXT_MGR already set [ 1387.357958][ T4369] kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1387.357975][ T4369] ? kvm_arch_vcpu_ioctl_run+0x425/0x1750 [ 1387.357998][ T4369] kvm_vcpu_ioctl+0x4dc/0xf90 [ 1387.358015][ T4369] ? kvm_set_memory_region+0x50/0x50 [ 1387.358038][ T4369] ? tomoyo_path_number_perm+0x263/0x520 [ 1387.389475][ T4381] binder: 4380:4381 ioctl 40046207 0 returned -16 [ 1387.390793][ T4369] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 1387.390822][ T4369] ? __fget+0x35a/0x550 [ 1387.390843][ T4369] ? kvm_set_memory_region+0x50/0x50 [ 1387.390873][ T4369] do_vfs_ioctl+0xd6e/0x1390 [ 1387.417057][ T4369] ? ioctl_preallocate+0x210/0x210 [ 1387.422173][ T4369] ? __fget+0x381/0x550 [ 1387.426342][ T4369] ? ksys_dup3+0x3e0/0x3e0 [ 1387.430769][ T4369] ? tomoyo_file_ioctl+0x23/0x30 [ 1387.435708][ T4369] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1387.441952][ T4369] ? security_file_ioctl+0x93/0xc0 [ 1387.447068][ T4369] ksys_ioctl+0xab/0xd0 [ 1387.451235][ T4369] __x64_sys_ioctl+0x73/0xb0 [ 1387.455876][ T4369] do_syscall_64+0x103/0x610 [ 1387.460480][ T4369] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1387.466386][ T4369] RIP: 0033:0x458da9 [ 1387.470283][ T4369] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1387.489891][ T4369] RSP: 002b:00007f101dc46c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1387.498309][ T4369] RAX: ffffffffffffffda RBX: 00007f101dc46c90 RCX: 0000000000458da9 01:57:19 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3f00}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1387.506278][ T4369] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006 [ 1387.514251][ T4369] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 1387.522241][ T4369] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f101dc476d4 [ 1387.530212][ T4369] R13: 00000000004c1d42 R14: 00000000004d4550 R15: 0000000000000007 [ 1387.551510][ T4382] binder_alloc: 4372: binder_alloc_buf, no vma 01:57:20 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x0) 01:57:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:20 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, 0x0) 01:57:20 executing program 2 (fault-call:1 fault-nth:0): r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7400]}}}], 0x0, 0x0, 0x0}) 01:57:20 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1388.170852][ T4390] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1388.181546][ T4389] binder: 4385:4389 got transaction with invalid offset (29696, min 24 max 24) or object. [ 1388.204207][ T4394] binder: BINDER_SET_CONTEXT_MGR already set 01:57:20 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, 0x0) [ 1388.232799][ T4394] binder: 4391:4394 ioctl 40046207 0 returned -16 01:57:20 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:20 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1388.273274][ T4389] binder: BINDER_SET_CONTEXT_MGR already set [ 1388.320124][ T4389] binder: 4385:4389 ioctl 40046207 0 returned -16 [ 1388.341646][ T4395] *** Guest State *** [ 1388.349330][ T4395] CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7 01:57:20 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, 0x0) 01:57:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4800}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1388.367967][ T4406] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1388.376758][ T4395] CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 01:57:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1388.429392][ T4395] CR3 = 0x0000000000000000 [ 1388.433852][ T4395] RSP = 0x0000000000000000 RIP = 0x0000000000000000 [ 1388.479997][ T4412] binder: BINDER_SET_CONTEXT_MGR already set [ 1388.501269][ T4412] binder: 4409:4412 ioctl 40046207 0 returned -16 [ 1388.503186][T31106] binder_thread_release: 4 callbacks suppressed [ 1388.503197][T31106] binder: release 4410:4414 transaction 10654 out, still active [ 1388.512381][ T4395] RFLAGS=0xffffffffffffffff DR7 = 0x0000000000000400 [ 1388.526008][T31106] binder_release_work: 7 callbacks suppressed [ 1388.526014][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1388.554971][ T4395] Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 [ 1388.570509][T31106] binder_send_failed_reply: 4 callbacks suppressed [ 1388.570517][T31106] binder: send failed reply for transaction 10654, target dead [ 1388.576785][ T4395] CS: sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000 [ 1388.591818][ T4395] DS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1388.593532][T31106] binder: send failed reply for transaction 10657 to 4410:4415 [ 1388.608149][ T4395] SS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1388.618706][ T4395] ES: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1388.627677][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1388.634432][ T4395] FS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1388.650385][ T4395] GS: sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000 [ 1388.659078][ T4395] GDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1388.677509][ T4395] LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000 [ 1388.686518][ T4395] IDTR: limit=0x0000ffff, base=0x0000000000000000 [ 1388.701478][ T4395] TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000 [ 1388.713332][ T4395] EFER = 0x0000000000000000 PAT = 0x0007040600070406 [ 1388.723636][ T4395] DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 [ 1388.734971][ T4395] Interruptibility = 00000000 ActivityState = 00000000 [ 1388.745118][ T4395] *** Host State *** [ 1388.749027][ T4395] RIP = 0xffffffff811b4980 RSP = 0xffff888095e178e0 [ 1388.762818][ T4395] CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 [ 1388.773180][ T4395] FSBase=00007f101dc68700 GSBase=ffff8880ae800000 TRBase=fffffe0000033000 [ 1388.784947][ T4395] GDTBase=fffffe0000031000 IDTBase=fffffe0000000000 [ 1388.794774][ T4395] CR0=0000000080050033 CR3=0000000093088000 CR4=00000000001426f0 [ 1388.805712][ T4395] Sysenter RSP=fffffe0000032200 CS:RIP=0010:ffffffff87201360 [ 1388.816296][ T4395] EFER = 0x0000000000000d01 PAT = 0x0407050600070106 [ 1388.828537][ T4395] *** Control State *** [ 1388.836063][ T4395] PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000c3 [ 1388.846849][ T4395] EntryControls=0000d1ff ExitControls=002fefff [ 1388.856234][ T4395] ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 [ 1388.867116][ T4395] VMEntry: intr_info=8000030e errcode=00000000 ilen=00000000 [ 1388.878595][ T4395] VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 [ 1388.892444][ T4395] reason=80000021 qualification=0000000000000000 [ 1388.902903][ T4395] IDTVectoring: info=00000000 errcode=00000000 [ 1388.909069][ T4395] TSC Offset = 0xfffffd15de95de9b [ 1388.917434][ T4395] TPR Threshold = 0x00 [ 1388.924955][ T4395] EPT pointer = 0x000000005aaf801e 01:57:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7a00]}}}], 0x0, 0x0, 0x0}) 01:57:21 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x2, 0x0) 01:57:21 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000002, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:21 executing program 0 (fault-call:2 fault-nth:0): r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4c00}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1389.049141][ T4425] dlm: plock device version mismatch: kernel (1.2.0), user (33554433.0.0) [ 1389.052411][ T4424] binder: 4421:4424 got transaction with invalid offset (31232, min 24 max 24) or object. [ 1389.065124][ T4420] binder: BINDER_SET_CONTEXT_MGR already set 01:57:21 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:21 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000003, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1389.109581][ T4420] binder: 4419:4420 ioctl 40046207 0 returned -16 [ 1389.127981][ T4429] binder_transaction: 5 callbacks suppressed [ 1389.127991][ T4429] binder: 4419:4429 got transaction with too large buffer [ 1389.173658][ T4431] binder: 4421:4431 got transaction with invalid offset (31232, min 24 max 24) or object. [ 1389.186946][ T4429] binder: transaction release 10664 bad handle 2, ret = -22 [ 1389.201344][T31106] binder: release 4430:4433 transaction 10671 out, still active [ 1389.220999][T31106] binder: undelivered TRANSACTION_COMPLETE 01:57:21 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:21 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000000002, &(0x7f0000000080)) [ 1389.244673][ T4437] dlm: plock device version mismatch: kernel (1.2.0), user (50331649.0.0) [ 1389.254282][T31106] binder: release 4430:4436 transaction 10672 out, still active [ 1389.254746][ T4438] binder: 4419:4438 got transaction with too large buffer [ 1389.284261][T31106] binder: undelivered TRANSACTION_COMPLETE 01:57:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x1000000]}}}], 0x0, 0x0, 0x0}) [ 1389.318904][T31106] binder: send failed reply for transaction 10671, target dead [ 1389.334653][T31106] binder: send failed reply for transaction 10672, target dead 01:57:21 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000004, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:21 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x5421, 0x0) 01:57:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x5000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1389.414410][ T4448] binder: 4446:4448 got transaction with invalid offset (16777216, min 24 max 24) or object. 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000005421, &(0x7f0000000080)) [ 1389.456287][ T4452] binder: BINDER_SET_CONTEXT_MGR already set [ 1389.479279][ T4454] dlm: plock device version mismatch: kernel (1.2.0), user (67108865.0.0) [ 1389.516668][ T4452] binder: 4451:4452 ioctl 40046207 0 returned -16 [ 1389.517094][ T4456] binder: 4446:4456 got transaction with invalid offset (16777216, min 24 max 24) or object. [ 1389.536030][T19060] binder: release 4455:4458 transaction 10687 out, still active 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000005, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1389.568706][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1389.575175][ T4461] binder: 4451:4461 got transaction with too large buffer [ 1389.599080][T19060] binder: release 4455:4459 transaction 10688 out, still active 01:57:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2000000]}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000005450, &(0x7f0000000080)) [ 1389.637431][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1389.657407][ T4466] binder_alloc: 4446: binder_alloc_buf, no vma [ 1389.677300][T19060] binder: send failed reply for transaction 10687, target dead 01:57:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1389.689834][ T4468] dlm: plock device version mismatch: kernel (1.2.0), user (83886081.0.0) [ 1389.703599][T19060] binder: send failed reply for transaction 10688, target dead 01:57:22 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000006, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1389.764136][ T4475] binder: 4471:4475 got transaction with invalid offset (33554432, min 24 max 24) or object. [ 1389.769961][ T4476] binder: BINDER_SET_CONTEXT_MGR already set 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000005451, &(0x7f0000000080)) [ 1389.820785][ T4476] binder: 4470:4476 ioctl 40046207 0 returned -16 [ 1389.843795][T19060] binder: release 4479:4481 transaction 10703 out, still active [ 1389.854563][ T4480] binder: 4470:4480 got transaction with too large buffer [ 1389.859413][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:22 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x5450, 0x0) 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x3000000]}}}], 0x0, 0x0, 0x0}) [ 1389.867542][T19060] binder: release 4479:4484 transaction 10704 out, still active [ 1389.867554][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1389.894851][ T4485] dlm: plock device version mismatch: kernel (1.2.0), user (100663297.0.0) [ 1389.900949][ T4486] binder: 4470:4486 got transaction with too large buffer 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000005452, &(0x7f0000000080)) 01:57:22 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000007, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1389.955085][T19060] binder: send failed reply for transaction 10703, target dead [ 1389.962431][ T4486] binder: transaction release 10707 bad handle 1, ret = -22 [ 1389.994976][T19060] binder: send failed reply for transaction 10704, target dead 01:57:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6800}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1390.015245][ T4493] binder: BINDER_SET_CONTEXT_MGR already set [ 1390.046286][ T4493] binder: 4491:4493 ioctl 40046207 0 returned -16 [ 1390.046327][ T4494] binder_alloc: 4491: binder_alloc_buf, no vma 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000005460, &(0x7f0000000080)) [ 1390.103260][ T4502] dlm: plock device version mismatch: kernel (1.2.0), user (117440513.0.0) 01:57:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4000000]}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000048, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:22 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x5451, 0x0) 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008901, &(0x7f0000000080)) [ 1390.190877][ T4505] binder: 4504:4505 got transaction with too large buffer [ 1390.262178][ T4515] binder: 4504:4515 got transaction with too large buffer [ 1390.262968][ T4513] binder: BINDER_SET_CONTEXT_MGR already set [ 1390.301242][ T4513] binder: 4508:4513 ioctl 40046207 0 returned -16 [ 1390.307852][T19060] binder: release 4509:4518 transaction 10724 out, still active [ 1390.317337][ T4520] dlm: plock device version mismatch: kernel (1.2.0), user (1207959553.0.0) [ 1390.333774][ T4513] binder: BINDER_SET_CONTEXT_MGR already set [ 1390.354001][ T4513] binder: 4508:4513 ioctl 40046207 0 returned -16 01:57:22 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008902, &(0x7f0000000080)) 01:57:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6c00}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:22 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1390.357262][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1390.378774][T19060] binder: send failed reply for transaction 10724, target dead [ 1390.407011][T19060] binder: send failed reply for transaction 10728 to 4509:4519 [ 1390.436634][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x5000000]}}}], 0x0, 0x0, 0x0}) 01:57:23 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x100004c, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1390.466605][ T4530] binder_transaction: 50 callbacks suppressed [ 1390.466620][ T4530] binder: 4527:4530 transaction failed 29189/-22, size 24-0 line 2995 [ 1390.503425][ T4532] binder: 4526:4532 got transaction with too large buffer 01:57:23 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008903, &(0x7f0000000080)) [ 1390.524179][ T4532] binder: 4526:4532 transaction failed 29201/-22, size 64-16 line 3357 [ 1390.557319][T19060] binder: release 4527:4536 transaction 10737 out, still active [ 1390.568475][ T4537] dlm: plock device version mismatch: kernel (1.2.0), user (1275068417.0.0) [ 1390.578487][ T4532] binder: BINDER_SET_CONTEXT_MGR already set [ 1390.591963][ T4532] binder: 4526:4532 ioctl 40046207 0 returned -16 [ 1390.598721][ T4535] binder: BINDER_SET_CONTEXT_MGR already set 01:57:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1390.627747][ T4535] binder: 4534:4535 ioctl 40046207 0 returned -16 [ 1390.627909][T19060] binder: send failed reply for transaction 10737, target dead [ 1390.642052][ T4538] binder: 4526:4538 transaction failed 29189/-22, size 64-16 line 2995 [ 1390.650989][ T4541] binder: 4534:4541 transaction failed 29189/-22, size 24-16 line 2995 01:57:23 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000060, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:23 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x5452, 0x0) 01:57:23 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008904, &(0x7f0000000080)) [ 1390.695162][T19060] binder_release_work: 52 callbacks suppressed [ 1390.695170][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1390.712805][ T4544] binder: 4543:4544 transaction failed 29189/-22, size 24-0 line 2995 [ 1390.719321][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1390.721364][ T4541] binder: 4534:4541 transaction failed 29201/-22, size 24-16 line 3242 [ 1390.736592][T19060] binder: undelivered TRANSACTION_ERROR: 29189 01:57:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7400}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1390.772742][T31106] binder: undelivered TRANSACTION_ERROR: 29189 [ 1390.780160][T31106] binder: release 4543:4548 transaction 10745 out, still active [ 1390.795997][ T4549] dlm: plock device version mismatch: kernel (1.2.0), user (1610612737.0.0) [ 1390.812467][T31106] binder: undelivered TRANSACTION_ERROR: 29201 01:57:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6000000]}}}], 0x0, 0x0, 0x0}) 01:57:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1390.879892][T31106] binder: send failed reply for transaction 10745, target dead [ 1390.908835][ T4555] binder: 4553:4555 got transaction with too large buffer 01:57:23 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000068, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1390.929337][ T4555] binder: 4553:4555 transaction failed 29201/-22, size 64-16 line 3357 [ 1390.957381][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1390.967022][ T4555] binder: BINDER_SET_CONTEXT_MGR already set 01:57:23 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008940, &(0x7f0000000080)) [ 1390.985823][ T4560] binder: 4556:4560 transaction failed 29189/-22, size 24-0 line 2995 [ 1391.003814][ T4561] binder: 4557:4561 transaction failed 29201/-22, size 24-16 line 3242 [ 1391.013105][ T4558] binder: 4553:4558 got transaction with too large buffer 01:57:23 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x5460, 0x0) [ 1391.032013][ T4555] binder: 4553:4555 ioctl 40046207 0 returned -16 [ 1391.038629][T31106] binder: undelivered TRANSACTION_ERROR: 29189 [ 1391.048664][ T4565] dlm: plock device version mismatch: kernel (1.2.0), user (1744830465.0.0) [ 1391.062039][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1391.065943][ T4558] binder: 4553:4558 transaction failed 29201/-22, size 64-16 line 3357 [ 1391.077443][ T4561] binder: BINDER_SET_CONTEXT_MGR already set 01:57:23 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008941, &(0x7f0000000080)) 01:57:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:23 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x100006c, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1391.131527][ T4561] binder: 4557:4561 ioctl 40046207 0 returned -16 [ 1391.131629][T19060] binder: undelivered TRANSACTION_ERROR: 29201 01:57:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7a00}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1391.186460][T19060] binder: undelivered TRANSACTION_ERROR: 29189 01:57:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7000000]}}}], 0x0, 0x0, 0x0}) 01:57:23 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x80000000000894c, &(0x7f0000000080)) 01:57:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x1000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:23 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1391.331977][ T4585] binder_transaction: 6 callbacks suppressed [ 1391.331992][ T4585] binder: 4583:4585 got transaction with invalid offset (117440512, min 24 max 24) or object. [ 1391.382367][ T4588] binder: BINDER_SET_CONTEXT_MGR already set 01:57:24 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008980, &(0x7f0000000080)) 01:57:24 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000074, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:24 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae7c, 0x0) [ 1391.424976][ T4588] binder: 4586:4588 ioctl 40046207 0 returned -16 [ 1391.436564][ T4594] binder: 4583:4594 got transaction with invalid offset (117440512, min 24 max 24) or object. 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xa000000]}}}], 0x0, 0x0, 0x0}) [ 1391.486956][ T4588] binder: BINDER_SET_CONTEXT_MGR already set 01:57:24 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008981, &(0x7f0000000080)) [ 1391.539541][ T4588] binder: 4586:4588 ioctl 40046207 0 returned -16 01:57:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1391.626747][ T4611] dlm: plock device version mismatch: kernel (1.2.0), user (1946157057.0.0) [ 1391.632011][ T4613] binder: 4607:4613 got transaction with invalid offset (167772160, min 24 max 24) or object. 01:57:24 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008983, &(0x7f0000000080)) 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:24 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x40049409, 0x0) 01:57:24 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x100007a, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1391.685493][ T4616] binder: 4607:4616 got transaction with invalid offset (167772160, min 24 max 24) or object. [ 1391.714002][ T4617] binder: BINDER_SET_CONTEXT_MGR already set 01:57:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x10000000]}}}], 0x0, 0x0, 0x0}) [ 1391.774963][ T4617] binder: 4615:4617 ioctl 40046207 0 returned -16 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1391.862725][ T4628] dlm: plock device version mismatch: kernel (1.2.0), user (2046820353.0.0) 01:57:24 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000000000089a0, &(0x7f0000000080)) 01:57:24 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000300, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1391.924511][ T4631] binder: 4629:4631 got transaction with invalid offset (268435456, min 24 max 24) or object. 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1391.969062][ T4634] binder: BINDER_SET_CONTEXT_MGR already set 01:57:24 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4004ae8b, 0x0) [ 1392.020629][ T4634] binder: 4633:4634 ioctl 40046207 0 returned -16 [ 1392.020844][ T4642] binder: 4629:4642 got transaction with invalid offset (268435456, min 24 max 24) or object. [ 1392.042268][ T4644] dlm: plock device version mismatch: kernel (1.2.0), user (196609.0.0) 01:57:24 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000000000089a1, &(0x7f0000000080)) 01:57:24 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000500, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:24 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x18000000]}}}], 0x0, 0x0, 0x0}) [ 1392.210803][ T4657] dlm: plock device version mismatch: kernel (1.2.0), user (327681.0.0) [ 1392.234529][ T4659] binder_alloc: 4654: binder_alloc_buf, no vma [ 1392.235163][ T4656] binder: BINDER_SET_CONTEXT_MGR already set [ 1392.267990][ T4656] binder: 4654:4656 ioctl 40046207 0 returned -16 [ 1392.280671][ T4662] binder: 4658:4662 got transaction with invalid offset (402653184, min 24 max 24) or object. 01:57:24 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000600, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:24 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1392.371106][ T4666] binder: BINDER_SET_CONTEXT_MGR already set [ 1392.380716][ T4666] binder: 4658:4666 ioctl 40046207 0 returned -16 [ 1392.396425][ T4667] binder: 4658:4667 got transaction with invalid offset (402653184, min 24 max 24) or object. 01:57:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x5000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000040049409, &(0x7f0000000080)) [ 1392.428397][ T4669] dlm: plock device version mismatch: kernel (1.2.0), user (393217.0.0) 01:57:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x20000000]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4004ae99, 0x0) [ 1392.507152][ T4676] binder: BINDER_SET_CONTEXT_MGR already set [ 1392.530544][ T4676] binder: 4672:4676 ioctl 40046207 0 returned -16 01:57:25 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000700, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1392.560806][ T4680] binder: 4679:4680 got transaction with invalid offset (536870912, min 24 max 24) or object. [ 1392.582241][ T4676] binder: BINDER_SET_CONTEXT_MGR already set 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x80000004020940d, &(0x7f0000000080)) [ 1392.625417][ T4676] binder: 4672:4676 ioctl 40046207 0 returned -16 [ 1392.629628][ T4684] binder: 4679:4684 got transaction with invalid offset (536870912, min 24 max 24) or object. [ 1392.637353][ T4687] dlm: plock device version mismatch: kernel (1.2.0), user (458753.0.0) 01:57:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x28000000]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0xc0045878, &(0x7f0000000080)) 01:57:25 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1002000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1392.837177][ T4696] binder: BINDER_SET_CONTEXT_MGR already set [ 1392.859640][ T4702] dlm: plock device version mismatch: kernel (1.2.0), user (2097153.0.0) [ 1392.880281][ T4696] binder: 4695:4696 ioctl 40046207 0 returned -16 01:57:25 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4020940d, 0x0) 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000000c0045878, &(0x7f0000000080)) [ 1392.886775][ T4700] binder: BINDER_SET_CONTEXT_MGR already set [ 1392.916701][ T4700] binder: 4694:4700 ioctl 40046207 0 returned -16 01:57:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1003f00, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x3f000000]}}}], 0x0, 0x0, 0x0}) [ 1393.027170][ T4716] dlm: plock device version mismatch: kernel (1.2.0), user (4128769.0.0) 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000000c0189436, &(0x7f0000000080)) 01:57:25 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1004800, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1393.110228][ T4725] binder: BINDER_SET_CONTEXT_MGR already set [ 1393.131680][ T4725] binder: 4724:4725 ioctl 40046207 0 returned -16 [ 1393.151333][ T4725] binder: BINDER_SET_CONTEXT_MGR already set 01:57:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xa000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1393.159984][ T4725] binder: 4724:4725 ioctl 40046207 0 returned -16 [ 1393.173484][ T4727] dlm: plock device version mismatch: kernel (1.2.0), user (4718593.0.0) 01:57:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x48000000]}}}], 0x0, 0x0, 0x0}) 01:57:25 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1004c00, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:25 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000000c020660b, &(0x7f0000000080)) 01:57:25 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4048ae9b, 0x0) [ 1393.295888][ T4736] binder: BINDER_SET_CONTEXT_MGR already set [ 1393.319795][ T4736] binder: 4732:4736 ioctl 40046207 0 returned -16 [ 1393.337838][ T4739] binder: BINDER_SET_CONTEXT_MGR already set 01:57:25 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1393.355278][ T4741] dlm: plock device version mismatch: kernel (1.2.0), user (4980737.0.0) [ 1393.357973][ T4739] binder: 4737:4739 ioctl 40046207 0 returned -16 [ 1393.375542][ T4738] binder_alloc: 4732: binder_alloc_buf, no vma 01:57:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x10000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x4400, 0x0) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x101000, 0x0) connect$pptp(r2, &(0x7f00000001c0)={0x18, 0x2, {0x2, @initdev={0xac, 0x1e, 0x1, 0x0}}}, 0x1e) ioctl$TCFLSH(r1, 0x540b, 0x5) ioctl$PIO_SCRNMAP(r1, 0x4b41, &(0x7f00000000c0)="9a713d15d2aab3ec1c5884ad2fde0bd744724a52a12ded9b3ea2e7e3291af63d892307238444eca300aac369907e55f263d5c71a68de711c83477df8a141c412d6deb363e7874c8d3843b22aca1fbea021d0202b545f14367bea623e12d1d207414f270b7de7cbedfc521adc0cd7ab237e40c2a4c2dc8b431f330b87eb8007d9eae0e02b30181258386fd9070f409d339571abf891fb97db2f08f6e0ae6e8deebe") ioctl(r0, 0x800000000008982, &(0x7f0000000080)) ioctl$TIOCGSID(r2, 0x5429, &(0x7f0000000180)) 01:57:26 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1006000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4c000000]}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4090ae82, 0x0) [ 1393.580728][T19558] binder_thread_release: 20 callbacks suppressed [ 1393.580740][T19558] binder: release 4759:4760 transaction 10898 out, still active [ 1393.611670][ T4765] dlm: plock device version mismatch: kernel (1.2.0), user (6291457.0.0) 01:57:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x20000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008882, &(0x7f00000000c0)="43a497ffd22bd9cc546f4c5da5c7f1df20001bfa07b254c05746df96b322374779b8fbeae8ef08dee963c7237e4595008e6ef68941fed595cfac30a2f279202b51540bf5da15729e92543862217440870fa223") [ 1393.631937][T19558] binder_release_work: 22 callbacks suppressed [ 1393.631943][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1393.653876][ T4766] binder: BINDER_SET_CONTEXT_MGR already set 01:57:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1006800, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1393.688737][ T4766] binder: 4761:4766 ioctl 40046207 0 returned -16 [ 1393.700032][T19558] binder_send_failed_reply: 20 callbacks suppressed [ 1393.700039][T19558] binder: send failed reply for transaction 10898, target dead [ 1393.753924][T19558] binder: send failed reply for transaction 10899 to 4759:4764 [ 1393.776310][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1393.795180][T19558] binder: release 4769:4779 transaction 10906 out, still active 01:57:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x60000000]}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 0: r0 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x9, 0x80) sendto$rxrpc(r0, &(0x7f0000000100)="ff9506fb47a0238df7468e0d43ccb6dd11c80523f3ce74da89b9b6b2a39bf96048273ce34c0a6497891598e730d4cb84c834f4ebf1ee535a725271a50d823f9004312ccce0956004546b4b497ffe710cf0582a2ce775ea7f031ce7479c37e98ea86680bfa798f882883954ab23da38d16cd2111f31ef480b83a0b68c9f33029bbeb56ef87d0423f46ba25f509a02d9529e72347f7d898820dac6ef664d428a5b6808ab2a43dfd52f4c0efd311007b540168745be12af6cbb61aeaf32efb016e3b860a936695a19ee1f5ea5b9d16c393371d93ec0aef8f56e7f716434b32fe2239bb2ed1e59fe703dfc26dbe174bd0b8e48c050741d0b4e4a1f0a", 0xfa, 0x4000081, &(0x7f0000000040)=@in6={0x21, 0x4, 0x2, 0x1c, {0xa, 0x4e23, 0x6, @remote, 0x2}}, 0x24) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r1, 0x0, 0x48c, &(0x7f00000000c0)={0x1, 'vst\x9d\x1a\xb5}7?\xe7\v\\dge\x00', 0x20000000}, 0xfffffffffffffe72) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) [ 1393.803218][ T4773] binder: BINDER_SET_CONTEXT_MGR already set [ 1393.815604][ T4773] binder: 4771:4773 ioctl 40046207 0 returned -16 [ 1393.822158][ T4781] dlm: plock device version mismatch: kernel (1.2.0), user (6815745.0.0) [ 1393.830818][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1393.842712][T19558] binder: send failed reply for transaction 10905 to 4769:4778 01:57:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x28000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1393.868032][T19558] binder: send failed reply for transaction 10906, target dead [ 1393.899448][T19558] binder: undelivered TRANSACTION_COMPLETE 01:57:26 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1006c00, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1393.919542][ T4787] binder: BINDER_SET_CONTEXT_MGR already set [ 1393.925583][ T4787] binder: 4785:4787 ioctl 40046207 0 returned -16 [ 1393.926721][ T4791] binder_alloc: 4785: binder_alloc_buf, no vma 01:57:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x68000000]}}}], 0x0, 0x0, 0x0}) [ 1394.034172][ T4798] dlm: plock device version mismatch: kernel (1.2.0), user (7077889.0.0) 01:57:26 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0xc5, 0x0) r2 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x1c, r2, 0x308, 0x70bd28, 0x25dfdbfb, {}, ["", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x4) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r3 = syz_genetlink_get_family_id$team(&(0x7f0000000200)='team\x00') getpeername$packet(r1, &(0x7f0000000240)={0x11, 0x0, 0x0}, &(0x7f0000000280)=0x14) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f00000002c0)={{{@in=@local, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@broadcast}}, &(0x7f00000003c0)=0xe8) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000400)={{{@in=@initdev, @in6=@ipv4={[], [], @remote}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in=@multicast1}}, &(0x7f0000000500)=0xe8) getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000600)={0x0, @empty, @loopback}, &(0x7f0000000640)=0xc) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000680)={'team0\x00', 0x0}) r9 = accept$packet(r1, &(0x7f0000002080)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000020c0)=0x14) getsockname$packet(r1, &(0x7f0000002100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000002140)=0x14) getsockopt$inet_mreqn(r1, 0x0, 0x23, &(0x7f0000002300)={@remote, @broadcast, 0x0}, &(0x7f0000002340)=0xc) accept4$packet(r1, &(0x7f0000002380)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f00000023c0)=0x14, 0x800) getsockopt$inet6_mreq(r1, 0x29, 0x1f, &(0x7f0000002400)={@loopback, 0x0}, &(0x7f0000002440)=0x14) getsockopt$inet_mreqn(r0, 0x0, 0x24, &(0x7f00000028c0)={@rand_addr, @empty, 0x0}, &(0x7f0000002900)=0xc) getsockopt$inet6_mreq(r1, 0x29, 0x1c, &(0x7f0000002a00)={@initdev, 0x0}, &(0x7f0000002a40)=0x14) getpeername$packet(r1, &(0x7f0000002cc0)={0x11, 0x0, 0x0}, &(0x7f0000002d00)=0x14) accept$packet(r1, &(0x7f0000002d40)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000002d80)=0x14) getsockopt$inet_mreqn(r0, 0x0, 0x27, &(0x7f0000002dc0)={@dev, @dev, 0x0}, &(0x7f0000002e00)=0xc) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000002e40)={'veth0_to_team\x00', 0x0}) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000002e80)={'sit0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000004480)={'team0\x00', 0x0}) getsockopt$inet6_mreq(r1, 0x29, 0x1f, &(0x7f00000044c0)={@remote, 0x0}, &(0x7f0000004500)=0x14) accept$packet(r9, &(0x7f00000006c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000580)=0x14) accept4$packet(r1, &(0x7f00000045c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000004600)=0x14, 0x800) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000004640)={{{@in6=@mcast1, @in=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}, 0x0, @in=@remote}}, &(0x7f0000004740)=0xe8) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000004780)={{{@in6=@loopback, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}}}, &(0x7f0000004880)=0xe8) accept$packet(r1, &(0x7f00000048c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000004900)=0x14) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000004980)={{{@in6=@loopback, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in6=@mcast2}}, &(0x7f0000004a80)=0xe8) accept$packet(r1, &(0x7f0000005ec0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000005f00)=0x14) getsockname$packet(r1, &(0x7f0000005f40)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000005f80)=0x14) getsockopt$inet_mreqn(r1, 0x0, 0x24, &(0x7f0000005fc0)={@initdev, @loopback, 0x0}, &(0x7f0000006000)=0xc) getsockname$packet(r1, &(0x7f0000006040)={0x11, 0x0, 0x0}, &(0x7f0000006080)=0x14) ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f00000060c0)={'vcan0\x00', 0x0}) getpeername$packet(r1, &(0x7f0000006100)={0x11, 0x0, 0x0}, &(0x7f0000006140)=0x14) getsockname$packet(r1, &(0x7f00000063c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000006400)=0x14) recvmmsg(r1, &(0x7f0000011000)=[{{&(0x7f0000006440)=@ethernet={0x0, @dev}, 0x80, &(0x7f0000007b80)=[{&(0x7f00000064c0)=""/107, 0x6b}, {&(0x7f0000006540)=""/79, 0x4f}, {&(0x7f00000065c0)=""/203, 0xcb}, {&(0x7f00000066c0)=""/30, 0x1e}, {&(0x7f0000006700)=""/237, 0xed}, {&(0x7f0000006800)=""/199, 0xc7}, {&(0x7f0000006900)=""/4096, 0x1000}, {&(0x7f0000007900)=""/195, 0xc3}, {&(0x7f0000007a00)=""/161, 0xa1}, {&(0x7f0000007ac0)=""/131, 0x83}], 0xa, &(0x7f0000007c40)=""/11, 0xb}, 0x7}, {{&(0x7f0000007c80)=@xdp={0x2c, 0x0, 0x0}, 0x80, &(0x7f0000009100)=[{&(0x7f0000007d00)=""/64, 0x40}, {&(0x7f0000007d40)=""/138, 0x8a}, {&(0x7f0000007e00)=""/210, 0xd2}, {&(0x7f0000007f00)=""/166, 0xa6}, {&(0x7f0000007fc0)=""/4096, 0x1000}, {&(0x7f0000008fc0)=""/41, 0x29}, {&(0x7f0000009000)=""/235, 0xeb}], 0x7}, 0x700000000000}, {{&(0x7f0000009180)=@pppoe={0x18, 0x0, {0x0, @dev}}, 0x80, &(0x7f000000a7c0)=[{&(0x7f0000009200)=""/39, 0x27}, {&(0x7f0000009240)=""/206, 0xce}, {&(0x7f0000009340)=""/4096, 0x1000}, {&(0x7f000000a340)=""/26, 0x1a}, {&(0x7f000000a380)=""/83, 0x53}, {&(0x7f000000a400)=""/224, 0xe0}, {&(0x7f000000a500)=""/242, 0xf2}, {&(0x7f000000a600)=""/72, 0x48}, {&(0x7f000000a680)=""/238, 0xee}, {&(0x7f000000a780)=""/36, 0x24}], 0xa, &(0x7f000000a880)=""/39, 0x27}, 0x20}, {{&(0x7f000000a8c0)=@pptp={0x18, 0x2, {0x0, @broadcast}}, 0x80, &(0x7f000000bf00)=[{&(0x7f000000a940)=""/131, 0x83}, {&(0x7f000000aa00)=""/127, 0x7f}, {&(0x7f000000aa80)=""/4096, 0x1000}, {&(0x7f000000ba80)=""/164, 0xa4}, {&(0x7f000000bb40)=""/182, 0xb6}, {&(0x7f000000bc00)=""/52, 0x34}, {&(0x7f000000bc40)=""/180, 0xb4}, {&(0x7f000000bd00)=""/58, 0x3a}, {&(0x7f000000bd40)=""/228, 0xe4}, {&(0x7f000000be40)=""/169, 0xa9}], 0xa}, 0x4}, {{&(0x7f000000bfc0)=@nfc_llcp, 0x80, &(0x7f000000c040), 0x0, &(0x7f000000c080)=""/137, 0x89}, 0x7}, {{&(0x7f000000c140)=@in6={0xa, 0x0, 0x0, @loopback}, 0x80, &(0x7f000000e540)=[{&(0x7f000000c1c0)=""/19, 0x13}, {&(0x7f000000c200)=""/83, 0x53}, {&(0x7f000000c280)=""/208, 0xd0}, {&(0x7f000000c380)=""/233, 0xe9}, {&(0x7f000000c480)=""/4096, 0x1000}, {&(0x7f000000d480)=""/4096, 0x1000}, {&(0x7f000000e480)=""/177, 0xb1}], 0x7, &(0x7f000000e5c0)=""/182, 0xb6}, 0x9d1}, {{&(0x7f000000e680)=@hci, 0x80, &(0x7f000000e7c0)=[{&(0x7f000000e700)=""/161, 0xa1}], 0x1, &(0x7f000000e800)=""/4096, 0x1000}, 0x5}, {{&(0x7f000000f800)=@xdp, 0x80, &(0x7f000000f980)=[{&(0x7f000000f880)=""/238, 0xee}], 0x1, &(0x7f000000f9c0)=""/90, 0x5a}, 0x80}, {{&(0x7f000000fa40)=@generic, 0x80, &(0x7f000000fd80)=[{&(0x7f000000fac0)=""/61, 0x3d}, {&(0x7f000000fb00)=""/67, 0x43}, {&(0x7f000000fb80)=""/98, 0x62}, {&(0x7f000000fc00)}, {&(0x7f000000fc40)=""/62, 0x3e}, {&(0x7f000000fc80)=""/204, 0xcc}], 0x6, &(0x7f000000fe00)=""/157, 0x9d}, 0xd77f}, {{&(0x7f000000fec0)=@nfc, 0x80, &(0x7f000000ffc0)=[{&(0x7f000000ff40)=""/127, 0x7f}], 0x1, &(0x7f0000010000)=""/4096, 0x1000}, 0x9}], 0xa, 0x0, &(0x7f0000011280)={0x77359400}) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000011380)={{{@in=@empty, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in=@dev}}, &(0x7f0000011480)=0xe8) ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000015a40)={'vcan0\x00', 0x0}) accept4$packet(r1, &(0x7f0000015ac0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000015b00)=0x14, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000015b40)={{{@in=@broadcast, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000015c40)=0xe8) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000015d40)={{{@in=@remote, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@multicast1}}, &(0x7f0000000540)=0xe8) getsockopt$inet6_mreq(r1, 0x29, 0x1c, &(0x7f0000015f40)={@ipv4={[], [], @multicast2}, 0x0}, &(0x7f0000015f80)=0x14) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000015fc0)={{{@in6=@empty, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@ipv4={[], [], @remote}}}, &(0x7f00000160c0)=0xe8) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000016100)={{{@in=@local, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@local}}, &(0x7f0000016200)=0xe8) sendmsg$TEAM_CMD_OPTIONS_GET(r1, &(0x7f0000017080)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000017040)={&(0x7f0000002ec0)=ANY=[@ANYBLOB="e00d0000", @ANYRES16=r3, @ANYBLOB="30002dbd7000ffdbdf250200000008000100", @ANYRES32=r4, @ANYBLOB="3c00020038000100240001006e6f746966795f70656572735f696e74657276616c00000000000000000000000800030003000000080004000000000008000100", @ANYRES32=r5, @ANYBLOB="6401020038000100240001006e6f746966795f70656572735f636f756e7400000000000000000000000000000800030003000000080004003f0a000038000100240001006c625f73746174735f726566726573685f696e74657276616c00000000000000080003000300000008000400650000003800010024000100616374697665706f727400000000000000000000000000000000000000000000080003000300000008000400", @ANYRES32=r6, @ANYBLOB="38000100240001006d636173745f72656a6f696e5f696e74657276616c0000000000000000000000080003000300000008000400ffff000040000100240001006c625f706f72745f737461747300000000000000000000000000000000000000080003000b000000080004000300000008000600", @ANYRES32=r7, @ANYBLOB="40000100240001006c625f706f0100000074617400000000000000000000000000000000000000800000000000000008000400030000000800060000", @ANYRES32=r8, @ANYBLOB="08000100", @ANYRES32=r10, @ANYBLOB="2c01020038000100240001006e6f746966795f70656572735f696e74657276616c0000000000000000000000080003000300000008000400050000007c000100240001006270665f686173685f66756e6300000000000000000000000000000000000000080003000b0000004c000400080000f7cf060000070080040000008000000007080000000200810181000000ffff0845a6230000ff7f0260080000000180d1ff090000007f00fb050080000001000100ffffffff38000100240001006e6f746966795f70656572735f636f756e740000000000000000000000000000080003000300000008000400010000003c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r11, @ANYBLOB="08000100f0bb326ee20ca816870163befaf1a0010051d9ba77652920108e35e27e109777dfc60b2ecc4dd7c2a4d54b6f4a3577c5debfe5d84d0050a32083ecdcd687598a3e309d3051c6a0764a9779ecda230f5632c4b981b046d0bbe825d5bbb242ea437c032eef1901a10c0b1865666f9f5f9fd3bf016b4b6cf32f3d5361eaccd9db39253265ab31db535c0f19a8a09cae6f459c8cba22000000", @ANYRES32=r12, @ANYBLOB="3c00020038000100240001006d636173745f72656a6f696e5f696e74657276616c00000000000000000000000800030003000000080004007f00000008000100", @ANYRES32=r13, @ANYBLOB="8000020040000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004000800000008000600", @ANYRES32=r14, @ANYBLOB="3c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r15, @ANYBLOB="08000100", @ANYRES32=r16, @ANYBLOB="740102003c000100240001006d6f64650000000000000000000000000000000000000000000000000000000008000300050000000c00040072616e646f6d000038000100240001006e6f746966795f70656572735f636f756e7400000000000000000000000000000800030003000000080004005c5800003c00010024000100757365725f6c696e6b7570000000000000000000000000005d1a00000000000008000300060000000400040008000600", @ANYRES32=r17, @ANYBLOB="3c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r18, @ANYBLOB="44000100240001006d6f6465000000000000000000000000000000000000000000000000000000000800030005000000140004006163746976656261636b75700000000040000100240001006c625f74785f686173685f746f5f706f72745f6d617070696e67000000000000080003000300000008000400", @ANYRES32=r19, @ANYBLOB="080007000000000008000100", @ANYRES32=r20, @ANYBLOB="2802020040000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004000000000008000600", @ANYRES32=r21, @ANYBLOB="400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004000800000008000600", @ANYRES32=r22, @ANYBLOB="3c00010024000100757365725f6c696e6b757000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r23, @ANYBLOB="400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004000600000008000600", @ANYRES32=r24, @ANYBLOB="6c000100240001006270665f686173685f66756e6300000000000000000000000000000000000000080003000b0000003c000400f5420100170000000000064101000000010000070000000004000106433600000800010d010000007f00080504000000001001040080000040000100240001006d6f646500000000000000000000000000000000000000000000000000000000080003000500000010000400726f756e64726f62696e00003c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r25, @ANYBLOB="42000100240001006c625f686173685f737461747300000000000000000000000000000000000000080003000b80000008000400090000000800070000000000080001001634b677dd17f03131a6e1078793c8f1c1790a379276b10594f4e7800fabc681a0f7999abd0e45f75340436ab7a7dd364db9c9a7d9c572fb941756ceb98404b14f3c82f8e045bcae4cfa41954b0b54a197323f5230e4aa2b5e3764445da49407003f33b1147cb508a4ab98409c52537d85bbe4bf09e0e794bcb2350d70d794b2b15ecf354e8e687adcc3f8a1413ef61b1b106ff89699f53bc6a47433670bd35261cd0aa6da419bdd7542bc287506481482c9558cf582927db5b48b", @ANYRES32=r26, @ANYBLOB="300202003c00010024000100656e61626c65640000000000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r27, @ANYBLOB="400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004000080000008000600", @ANYRES32=r28, @ANYBLOB="40000100240001006c625f74785f686173685f746f5f706f72745f6d617070696e67000000000000080003000300000008000400", @ANYRES32=r29, @ANYBLOB="080007000000000038000100240001006e6f746966795f70656572735f636f756e7400000000000000000000000000000800030003000000080004000600000040000100240001006c625f686173685f737461747300000000000000000000000000000000000000080003000b00000008000400f9ffffff0800070000000000400001002400010071756575655f6964000000000000000000000000000000000000000000000000080003000300000008000400a70d000008000600", @ANYRES32=r30, @ANYBLOB="3c000100240001006d6f64650000000000000000000000000000000000000000000000000000000008000300050000000c00040072616e646f6d00003c00010024000100757365725f6c696e6b757000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r31, @ANYBLOB="40000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e00000008000400ff01000008000600", @ANYRES32=r32, @ANYBLOB="08000100", @ANYRES32=r33, @ANYBLOB="3802020040000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004000300000008000600", @ANYRES32=r34, @ANYBLOB="3c00010024000100757365725f6c696e6b757000000000000000000000000000000000000000000008000300060000000400040008000600", @ANYRES32=r35, @ANYBLOB="40000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e00000008000400ff01000008000600", @ANYRES32=r36, @ANYBLOB="3c00010024000100757365725f6c696e6b75705f656e61626c65640000000000000000000000000008000300060000000400040008000600", @ANYRES32=r37, @ANYBLOB="40000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004000900000008000600", @ANYRES32=r38, @ANYBLOB="4c000100240001006c625f74785f6d6574686f64000000000000000000000000000000000000000008000300050000001c000400686173685f746f5f706f72745f6d617070696e670000000038000100240001006e6f746966795f70656572735f696e74657276616c00000000000000000000000800030003000000080004000600000038000100240001006c625f73746174735f726566726573685f696e74657276616c000000000000000800030003000000080004003775000040000100240001006c625f706f72745f737461747300000000000000000000000000000000000000080003000b000000080004000100000008000600", @ANYRES32=r39, @ANYBLOB="08000100", @ANYRES32=r40, @ANYBLOB="f001020040000100240001006c625f74785f686173685f746f5f706f72745f6d617070696e67000000000000080003000300000008000400", @ANYRES32=r41, @ANYBLOB="08000700000000003c000100240001006c625f74785f6d6574686f64000000000000000000000000000000000000000008000300050000000c000400686173680000000040000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004000300000008000600", @ANYRES32=r42, @ANYBLOB="3800010024000100616374697665706f727400000000000000000000000000000000000000000000080003000300000008000400", @ANYRES32=r43, @ANYBLOB="3c00010024000100757365725f6c696e6b75705f656e61626c65640000000000000000000000000008000300060000000400040008000600", @ANYRES32=r44, @ANYBLOB="3800010024000100616374697665706f727400000000000000000000000000000000000000000000080003000300000008000400", @ANYRES32=r45, @ANYBLOB="4c000100240001006c625f74785f6d6574686f64000000000000000000000000000000000000000008000300050000001c000400686173685f746f5f706f72745f6d617070696e670000000038000100240001006d636173745f72656a6f696e5f636f756e74000000000000000000000000000008000300030000000800040027000000"], 0xde0}, 0x1, 0x0, 0x0, 0x84}, 0x8000) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:26 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x4138ae84, 0x0) 01:57:26 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1007400, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x38000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) write$P9_RSETATTR(r0, &(0x7f0000000000)={0x7, 0x1b, 0x2}, 0x7) [ 1394.193993][ T4808] dlm: plock device version mismatch: kernel (1.2.0), user (7602177.0.0) [ 1394.203902][ T4803] binder: BINDER_SET_CONTEXT_MGR already set [ 1394.240385][ T4813] binder: BINDER_SET_CONTEXT_MGR already set [ 1394.246947][ T4803] binder: 4802:4803 ioctl 40046207 0 returned -16 01:57:26 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1007a00, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1394.303529][ T4813] binder: 4810:4813 ioctl 40046207 0 returned -16 [ 1394.303711][T19558] binder: release 4806:4809 transaction 10930 out, still active [ 1394.329284][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1394.347659][ T4815] binder_transaction: 18 callbacks suppressed 01:57:26 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6c000000]}}}], 0x0, 0x0, 0x0}) [ 1394.347669][ T4815] binder: 4810:4815 got transaction with too large buffer [ 1394.367972][T19558] binder: release 4806:4814 transaction 10933 out, still active [ 1394.419474][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1394.427678][ T4823] binder_alloc: 4802: binder_alloc_buf, no vma [ 1394.427696][T19558] binder: send failed reply for transaction 10930, target dead [ 1394.438623][ T4824] dlm: plock device version mismatch: kernel (1.2.0), user (7995393.0.0) [ 1394.451006][ T4815] binder: transaction release 10934 bad handle 1, ret = -22 01:57:27 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x41a0ae8d, 0x0) 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x0, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000000040)={0xffffffffffffffff}, 0x106, 0xa}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r1, &(0x7f0000000100)={0x15, 0x110, 0xfa00, {r2, 0x8, 0x0, 0x0, 0x0, @in6={0xa, 0x4e23, 0x401, @mcast1, 0xb93}, @in6={0xa, 0x4e24, 0x7f, @ipv4={[], [], @local}}}}, 0x118) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl$SG_SET_COMMAND_Q(r1, 0x2271, &(0x7f0000000240)=0x1) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1394.469440][T19558] binder: send failed reply for transaction 10933, target dead [ 1394.476272][ T4813] binder: BINDER_SET_CONTEXT_MGR already set [ 1394.503351][ T4825] binder: BINDER_SET_CONTEXT_MGR already set [ 1394.510833][ T4813] binder: 4810:4813 ioctl 40046207 0 returned -16 [ 1394.518625][ T4826] binder_alloc: 4821: binder_alloc_buf, no vma [ 1394.535748][ T4825] binder: 4821:4825 ioctl 40046207 0 returned -16 01:57:27 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x23020000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1394.574577][ T4827] binder_alloc: 4821: binder_alloc_buf, no vma 01:57:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x74000000]}}}], 0x0, 0x0, 0x0}) 01:57:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3f000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x880, 0x0) ioctl$TUNSETNOCSUM(r1, 0x400454c8, 0x1) ioctl$TUNGETIFF(r1, 0x800454d2, &(0x7f0000000040)) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1394.692748][ T4837] dlm: plock device version mismatch: kernel (1.2.0), user (547.0.0) [ 1394.741825][ T4839] binder: 4836:4839 got transaction with too large buffer [ 1394.751581][ T4841] binder: BINDER_SET_CONTEXT_MGR already set [ 1394.770339][T19060] binder: release 4840:4844 transaction 10949 out, still active [ 1394.784015][ T4841] binder: 4834:4841 ioctl 40046207 0 returned -16 01:57:27 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x25000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:27 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x8004ae98, 0x0) 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20\x00', 0x80000, 0x0) write$USERIO_CMD_SET_PORT_TYPE(r1, &(0x7f0000000100)={0x1, 0x6}, 0x2) r2 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2) ioctl$VT_RESIZEX(r2, 0x560a, &(0x7f0000000040)={0x7, 0x6, 0x3, 0xff, 0x7, 0xfffffffffffffffe}) [ 1394.795883][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1394.796701][ T4846] binder_alloc: 4836: binder_alloc_buf, no vma [ 1394.813659][T19060] binder: send failed reply for transaction 10949, target dead 01:57:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1394.838380][ T4847] binder_alloc: 4836: binder_alloc_buf failed to map pages in userspace, no vma [ 1394.851052][T19060] binder: send failed reply for transaction 10950 to 4840:4845 [ 1394.871582][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x40000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) fcntl$getflags(r0, 0x40b) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000140)='/proc/self/net/pfkey\x00', 0x803, 0x0) ioctl$RNDADDTOENTCNT(r1, 0x40045201, &(0x7f00000001c0)=0x8) setsockopt$netlink_NETLINK_RX_RING(r1, 0x10e, 0x6, &(0x7f0000000180)={0x2, 0x1f, 0x9, 0x2}, 0x10) clock_gettime(0x6, &(0x7f0000000040)) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x40000, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r2, 0x4058534c, &(0x7f00000000c0)={0x6, 0x8, 0x7, 0x1ff, 0x1ff, 0x6}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) getresuid(&(0x7f00000002c0)=0x0, &(0x7f0000000300), &(0x7f0000000340)) mount$9p_unix(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00', &(0x7f0000000280)='9p\x00', 0x801002, &(0x7f0000000380)={'trans=unix,', {[{@loose='loose'}, {@cachetag={'cachetag', 0x3d, '/dev/autofs\x00'}}, {@access_user='access=user'}, {@mmap='mmap'}, {@uname={'uname', 0x3d, 'veth0_to_bridge\x00'}}], [{@subj_user={'subj_user', 0x3d, ')proc'}}, {@fscontext={'fscontext', 0x3d, 'user_u'}}, {@smackfsfloor={'smackfsfloor', 0x3d, '/dev/autofs\x00'}}, {@smackfshat={'smackfshat', 0x3d, 'veth0_to_bridge\x00'}}, {@fscontext={'fscontext', 0x3d, 'staff_u'}}, {@fowner_eq={'fowner', 0x3d, r3}}, {@subj_user={'subj_user', 0x3d, '/proc/self/net/pfkey\x00'}}, {@smackfsdef={'smackfsdef', 0x3d, '/dev/autofs\x00'}}, {@dont_hash='dont_hash'}]}}) 01:57:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7a000000]}}}], 0x0, 0x0, 0x0}) 01:57:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1394.978239][ T4860] dlm: plock device version mismatch: kernel (1.2.0), user (37.0.0) [ 1395.002014][ T4859] binder: 4857:4859 got transaction with too large buffer 01:57:27 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x46000000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1395.056107][ T4859] binder: BINDER_SET_CONTEXT_MGR already set [ 1395.106645][ T4859] binder: 4857:4859 ioctl 40046207 0 returned -16 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={r0}) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000002080)={'team_slave_0\x00', 0x0}) ioctl$sock_inet6_SIOCADDRT(r1, 0x890b, &(0x7f00000020c0)={@initdev={0xfe, 0x88, [], 0x1, 0x0}, @mcast1, @dev={0xfe, 0x80, [], 0x21}, 0x9a3f, 0x3f, 0x5, 0x500, 0xffff, 0x0, r2}) 01:57:27 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x8090ae81, 0x0) 01:57:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x48000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1395.155186][ T4872] dlm: plock device version mismatch: kernel (1.2.0), user (70.0.0) 01:57:27 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xa0030000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xfdfdffff]}}}], 0x0, 0x0, 0x0}) [ 1395.276164][ T4881] binder: 4877:4881 got transaction with too large buffer [ 1395.311408][ T4884] dlm: plock device version mismatch: kernel (1.2.0), user (928.0.0) 01:57:27 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x8bb6, 0x40200) ioctl$VHOST_VSOCK_SET_RUNNING(r1, 0x4004af61, &(0x7f0000000040)) [ 1395.316566][ T4885] binder: 4877:4885 got transaction with too large buffer [ 1395.345745][T17703] binder: release 4879:4886 transaction 10980 out, still active [ 1395.366447][T17703] binder: undelivered TRANSACTION_COMPLETE 01:57:27 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1395.378016][ T4889] binder: BINDER_SET_CONTEXT_MGR already set [ 1395.417297][T17703] binder: release 4879:4880 transaction 10979 out, still active 01:57:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4c000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xb1030000, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1395.426090][ T4889] binder: 4887:4889 ioctl 40046207 0 returned -16 [ 1395.438306][T17703] binder: undelivered TRANSACTION_COMPLETE [ 1395.453436][ T4892] binder_alloc: 4877: binder_alloc_buf, no vma [ 1395.461017][T17703] binder: send failed reply for transaction 10979, target dead 01:57:28 executing program 0: lsetxattr$security_ima(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)='security.ima\x00', &(0x7f00000000c0)=@md5={0x1, "b934ae54110c09792ecb41866977ee84"}, 0x11, 0x3) r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = accept(r0, &(0x7f0000000100)=@pptp={0x18, 0x2, {0x0, @dev}}, &(0x7f0000000180)=0x80) getpeername$packet(r1, &(0x7f00000001c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000200)=0x14) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x2, 'gre0\x00', 0x4}, 0xfffffd5f) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1395.479382][ T4894] binder_transaction: 74 callbacks suppressed [ 1395.479399][ T4894] binder: 4893:4894 transaction failed 29189/-22, size 24-0 line 2995 [ 1395.479708][ T4896] binder: 4895:4896 got transaction with too large buffer [ 1395.494413][ T4892] binder: 4887:4892 transaction failed 29189/-3, size 24-16 line 3148 [ 1395.510522][ T4898] dlm: plock device version mismatch: kernel (1.2.0), user (945.0.0) [ 1395.524892][T17703] binder: send failed reply for transaction 10980, target dead [ 1395.539414][T17703] binder: release 4893:4899 transaction 10987 out, still active 01:57:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xf2ffff7f, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:28 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x8138ae83, 0x0) [ 1395.571343][ T4889] binder: BINDER_SET_CONTEXT_MGR already set [ 1395.599327][ T4896] binder: 4895:4896 transaction failed 29201/-22, size 64-16 line 3357 [ 1395.599480][ T4889] binder: 4887:4889 ioctl 40046207 0 returned -16 [ 1395.639590][T19060] binder: release 4903:4904 transaction 10988 out, still active [ 1395.656554][ T4909] binder: 4895:4909 got transaction with too large buffer [ 1395.665343][T19060] binder: release 4903:4907 transaction 10989 out, still active 01:57:28 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) sendto$inet(r0, &(0x7f00000000c0), 0x0, 0x4, &(0x7f0000000100)={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x11}}, 0x10) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000000c0)) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, '\x06\x91\xf1\x97\xecI\xfc\x9c\x80th\xd1\x06ge\x00'}, 0x18) r1 = add_key(&(0x7f0000000140)='user\x00', &(0x7f0000000180)={'syz', 0x2}, 0x0, 0x0, 0xfffffffffffffff9) r2 = add_key(&(0x7f0000000240)='syzkaller\x00', &(0x7f0000000280)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffd) keyctl$search(0xa, r1, &(0x7f00000001c0)='keyring\x00', &(0x7f0000000200)={'syz', 0x1}, r2) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r3 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x40, 0x0) ioctl$VIDIOC_QUERYSTD(r3, 0x8008563f, &(0x7f00000002c0)=0x0) ioctl$VIDIOC_S_STD(r3, 0x40085618, &(0x7f0000000300)=r4) bind$isdn_base(r3, &(0x7f0000000040)={0x22, 0xffffffff, 0x1, 0x1, 0x1}, 0x6) 01:57:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xfffffdfd]}}}], 0x0, 0x0, 0x0}) [ 1395.684142][ T4910] dlm: plock device version mismatch: kernel (1.2.0), user (2147483634.0.0) 01:57:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1395.717891][T19060] binder_release_work: 78 callbacks suppressed [ 1395.717900][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1395.746231][ T4909] binder: 4895:4909 transaction failed 29201/-22, size 64-16 line 3357 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xf8ffff7f, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1395.781341][ T4913] binder: BINDER_SET_CONTEXT_MGR already set [ 1395.787473][ T4913] binder: 4912:4913 ioctl 40046207 0 returned -16 [ 1395.794594][T19060] binder: undelivered TRANSACTION_ERROR: 29201 01:57:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x50000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1395.853367][T19060] binder: send failed reply for transaction 10987, target dead [ 1395.863711][ T4922] dlm: plock device version mismatch: kernel (1.2.0), user (2147483640.0.0) [ 1395.882868][T19060] binder: send failed reply for transaction 10988, target dead [ 1395.893712][ T4924] binder: 4912:4924 transaction failed 29189/-22, size 24-16 line 2995 01:57:28 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x20000, 0x0) write$UHID_INPUT2(r1, &(0x7f00000000c0)={0xc, 0x39, "b581f85e24e4b1c2071cef031bea236d6c5695ab2c913d998b3a2915f53df497d932d241f2e11aa63b970ccacdd1625d28669269b09e46b165"}, 0x3f) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x200, 0x0) 01:57:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1395.897611][T19060] binder: send failed reply for transaction 10989, target dead [ 1395.933882][ T4925] binder: 4923:4925 got transaction with too large buffer 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xf9ffff7f, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1395.953944][ T4925] binder: 4923:4925 transaction failed 29201/-22, size 64-16 line 3357 [ 1395.965255][T19060] binder: send failed reply for transaction 10994 to 4918:4921 [ 1395.977692][ T4913] binder: BINDER_SET_CONTEXT_MGR already set 01:57:28 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0x81a0ae8c, 0x0) [ 1396.013030][ T4913] binder: 4912:4913 ioctl 40046207 0 returned -16 [ 1396.013200][ T4924] binder_alloc: 4923: binder_alloc_buf, no vma [ 1396.026686][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1396.035628][ T4932] binder: 4923:4932 got transaction with too large buffer [ 1396.044571][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1396.049348][ T4924] binder: 4912:4924 transaction failed 29189/-3, size 24-16 line 3148 01:57:28 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x8000000000000002, 'bond_slave_1\x00', 0x1}, 0x18) ioctl(r0, 0x800000000009982, &(0x7f0000000040)) r1 = syz_open_dev$admmidi(&(0x7f0000000040)='/dev/admmidi#\x00', 0x6, 0x10000) write$nbd(r1, &(0x7f00000000c0)={0x67446698, 0x0, 0x1, 0x2, 0x4, "b76ae1615cab8e07c8a794ba3626a848feb0761eaab986556a1ea9ef817ccf5dcdfa07d5ed583bd7346aad5d16f372b425080edbfb6ac55e8657538cb207fa27906eb747a186f99912e8c69f54179b9052bde355eb294da5354d1d0845b060f71a67264a31a4576db4201572c413c30073f7f10b3e85eb0fba6bba38813fbfb4d10609a76495dcf86beaf358"}, 0x9c) r2 = openat$md(0xffffffffffffff9c, &(0x7f0000000000)='/dev/md0\x00', 0x22000, 0x0) ioctl$NBD_SET_SIZE(r2, 0xab02, 0x2) [ 1396.059755][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1396.066896][ T4932] binder: 4923:4932 transaction failed 29201/-22, size 64-16 line 3357 [ 1396.085329][ T4928] binder_alloc: 4923: binder_alloc_buf, no vma [ 1396.091749][ T4933] dlm: plock device version mismatch: kernel (1.2.0), user (2147483641.0.0) [ 1396.095817][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1396.105254][ T4928] binder: 4926:4928 transaction failed 29189/-3, size 24-0 line 3148 01:57:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x60000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xfeffff7f, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x100000000000000]}}}], 0x0, 0x0, 0x0}) [ 1396.154333][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1396.183763][T19060] binder: send failed reply for transaction 11006 to 4926:4937 01:57:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1396.204201][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1396.225096][ T4941] binder: 4939:4941 got transaction with too large buffer [ 1396.232587][ T4944] dlm: plock device version mismatch: kernel (1.2.0), user (2147483646.0.0) [ 1396.247085][T19060] binder: undelivered TRANSACTION_ERROR: 29189 01:57:28 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000000)={0x3, 'veth0_to_bridge\x00', 0x1}, 0x18) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000200)='/dev/btrfs-control\x00', 0x0, 0x0) ioctl$TIOCGRS485(r1, 0x542e, &(0x7f0000000240)) ioctl(r0, 0x7, &(0x7f00000000c0)="fc2197d97c613a61937afa7580636d294794a24cbca7ab0e46dd5f1cd1801cd52d96491737fc72633bfce06a2bb1da2ab325075efcb66aa44a038bf69ce1f1a40199fe321b2034c3dfa7cf809f218415888af984df4e055775f41603000977baaacb68073179b569577e67c731f675f2fb881bdbbfdd4589c5cd2cd9a560363f0943f7060d128c946258b94ddc9a3b55cd5e652e605acf19f5ee0dfacb941a4f4ff8f137da914ddfeace1566") r2 = syz_open_dev$usb(&(0x7f0000000040)='/dev/bus/usb/00#/00#\x00', 0x9, 0x101000) getsockopt$inet6_mreq(r2, 0x29, 0x14, &(0x7f0000000280)={@mcast2, 0x0}, &(0x7f00000002c0)=0x14) getresuid(&(0x7f0000000300), &(0x7f0000000340)=0x0, &(0x7f0000000380)) setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f00000003c0)={{{@in=@dev={0xac, 0x14, 0x14, 0xf}, @in=@initdev={0xac, 0x1e, 0x1, 0x0}, 0x4e24, 0xffffffffffff0e5a, 0x4e21, 0x3, 0xa, 0x80, 0x20, 0x2e, r3, r4}, {0xfffffffffffffffc, 0x6, 0x3, 0x6, 0x80000000, 0xfff, 0x3f, 0x81}, {0x7ff, 0x100000001, 0x7, 0xe4ea}, 0x9, 0x6e6bb7, 0x3, 0x0, 0x2, 0x1}, {{@in=@dev={0xac, 0x14, 0x14, 0x17}, 0x4d5, 0x32}, 0xa, @in6=@remote, 0x3502, 0x2, 0x1, 0x4, 0x9, 0x80000000, 0x1000}}, 0xe8) write$P9_RMKDIR(r2, &(0x7f0000000080)={0x14, 0x49, 0x1, {0x40, 0x3, 0x8}}, 0x14) ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r2, 0xc0505350, &(0x7f0000000180)={{0x5, 0x7}, {0x6972, 0x28}, 0x200, 0x5, 0x5}) [ 1396.256924][ T4941] binder: 4939:4941 transaction failed 29201/-22, size 64-16 line 3357 [ 1396.267116][ T4946] binder: BINDER_SET_CONTEXT_MGR already set 01:57:28 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1396.297924][ T4946] binder: 4945:4946 ioctl 40046207 0 returned -16 [ 1396.310493][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1396.318900][ T4941] binder: BINDER_SET_CONTEXT_MGR already set 01:57:28 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0xffffff7f, 0x0, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1396.356939][ T4951] binder_transaction: 12 callbacks suppressed [ 1396.356954][ T4951] binder: 4945:4951 got transaction with invalid offset (72057594037927936, min 24 max 24) or object. [ 1396.358379][ T4941] binder: 4939:4941 ioctl 40046207 0 returned -16 01:57:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x200000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x1, 0x0) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1396.429015][ T4956] dlm: plock device version mismatch: kernel (1.2.0), user (2147483647.0.0) [ 1396.441331][T19060] binder: send failed reply for transaction 11023 to 4957:4958 [ 1396.466572][T19060] binder: send failed reply for transaction 11024 to 4957:4958 01:57:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xc0045878, 0x0) 01:57:29 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x2, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x68000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1396.494394][ T4960] binder: 4959:4960 got transaction with invalid offset (144115188075855872, min 24 max 24) or object. [ 1396.561128][ T4967] binder: 4959:4967 got transaction with invalid offset (144115188075855872, min 24 max 24) or object. [ 1396.601969][ T4972] binder: BINDER_SET_CONTEXT_MGR already set 01:57:29 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x40000, 0x0) ioctl$VHOST_SET_LOG_BASE(r1, 0x4008af04, &(0x7f00000000c0)=&(0x7f0000000040)) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) ioctl(r0, 0x100000001, &(0x7f0000000100)="c072cd97aad852c36a979daafbbd8ee3be4839f45699cd297fe1a5746a0f1569aa9013ca0a45beb2038592df98aadce2fe6a150ef92ddcd7b4de4ea8b3939e7fae5f8d4e1330aa6ae0798b7df53eb7569e0757fba333c4c5cbedcddfe6d07fa677839ff73be56f15292e713178532846055b31d62b0705801ff711ca837852c1020416e2b62e36b0ffa37e13fc5743c88c540643c0adfe90232c6d600809e6f35abb050fa88e528ffdb9276330627dc87850363760507e7a1244fa71c0c4e59ab6a56fa4d980074bbaa03e2efb8d7ea947c455d2bdcac836867bfae628d9b49898a6c1") 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1396.643888][ T4972] binder: 4968:4972 ioctl 40046207 0 returned -16 [ 1396.651763][ T4975] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1396.680211][ T4972] binder: BINDER_SET_CONTEXT_MGR already set 01:57:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x300000000000000]}}}], 0x0, 0x0, 0x0}) [ 1396.690376][ T4978] Unknown ioctl 1074310916 01:57:29 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x3, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1396.714356][ T4980] binder_alloc: 4959: binder_alloc_buf, no vma [ 1396.724256][ T4972] binder: 4968:4972 ioctl 40046207 0 returned -16 [ 1396.732309][ T4984] Unknown ioctl 1074310916 [ 1396.742641][ T4982] binder: 4981:4982 got transaction with invalid offset (216172782113783808, min 24 max 24) or object. 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpuset.effective_cpus\x00', 0x0, 0x0) ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f0000000040)={r0, 0x40000000000, 0x0, "181dd019f41ef5e0263476424628800a27ee1e93"}) 01:57:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6c000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1396.786179][ T4986] binder: 4981:4986 got transaction with invalid offset (216172782113783808, min 24 max 24) or object. [ 1396.850792][ T4989] dlm: plock device version mismatch: kernel (1.2.0), user (1.3.0) [ 1396.876046][ T4993] binder: BINDER_SET_CONTEXT_MGR already set 01:57:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xc0045878, 0x0) 01:57:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x400000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x9, &(0x7f0000000000)="a27e") [ 1396.903117][ T4993] binder: 4992:4993 ioctl 40046207 0 returned -16 01:57:29 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1396.978513][ T4999] binder: BINDER_SET_CONTEXT_MGR already set [ 1396.998428][ T4999] binder: 4997:4999 ioctl 40046207 0 returned -16 01:57:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x74000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1397.024722][ T5005] binder_alloc: 4992: binder_alloc_buf, no vma 01:57:29 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vfio/vfio\x00', 0x0, 0x0) ioctl$SG_NEXT_CMD_LEN(r1, 0x2283, &(0x7f00000002c0)=0x89) r2 = openat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x121880, 0x42) getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f00000000c0)={{{@in6, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@empty}, 0x0, @in6=@initdev}}, &(0x7f00000001c0)=0xe8) ioctl$RTC_UIE_ON(r2, 0x7003) ioctl$SIOCAX25DELUID(r2, 0x89e2, &(0x7f0000000200)={0x3, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, r3}) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ustat(0x8000, &(0x7f0000000000)) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r4 = inotify_init() setsockopt$nfc_llcp_NFC_LLCP_MIUX(r2, 0x118, 0x1, &(0x7f0000000240)=0x6, 0x4) write$binfmt_misc(r4, &(0x7f0000002280)=ANY=[@ANYBLOB="73797a318840081ab2931f395dd185c3431a95e9b01962d29790dfd1b12dd92d8f394933718d3ba69cb7b53e9d3424dd06ff1df5123a9a8ef7a81ee2b7a00912501b3b32f728d089d0ab85359a172b3c7e76a11fbd2d5e52135a0e2248b4b9a2fdb19c640ae0c3b912d48cd8299cfc7291ffb27bc7a55b3cb0617a2fc5aaa9c07d1dfd6b410ff972dc0645c398ace5e77bed0000000091e71632946a63eef47914b5d83261d84b29ee1a7d987a2d26493543ae8556ad2f94e8071626ccf73364044f83eb5b4cd2a294ff36526a9889c6e742d246c0fa0a7f7cdc2daecb9bfac6021aa48f4d05ce4812bf6ad73f8c24fa38eef12f4d3928ced7818ade1c199547bc373183fc5bdae535c0f27ecdbcbbe5f72b903e76534a4ed96496a4cc3c692f9f2518fffebf138fae6f44be2059e16ccc0fe8a9c0bfa16c5006972fc91b2962955c9d244d0dddcd52bc730baf9686da92f792bed2ef64b5f8e5d4b4a6cb8f7f64c57cfc519359665894790533133731f4beb4a07bec96f2f0c3d32f563c9854b55a8c06820b65083b4185a69d26b3b2a77077b97051b888c46c03ffebfcdc47654465cf40cfe1e2659045d865d4afb85faf6c7da206b2cc3039d41ed6a929b4c8df8b72da296bf95c1e8d9220b31f0c189de729ac0fea60f1a3b94306a2b61a853d8a5773b1f8aedeb3e430a5cdaca7dcab37bc988170895d2bdd3af133ab1ada5e2267719462a9d9ff6fa8726ef25fb22671344beed11466843bba6e87a8a3aea214a81234f2fd025345907e43aa2a1afa08eedcfaeb57e0cd01c15ca9b5eb9d89908a27b6445f8c978507c95348bdd5cf1f03a999757340efe4bc5c867849bf405a1bfeda0a1648181f32852c8fd399faae2c15b466f0f637652b330c41c76b3ef1252eb69232a9a50171637a1a9e53d24f9f401c995cb059233d47a63804cde2a26fe141da88344aa19e1617385bbe066422fd9f21f43c74b28d8d1e76ac6afb14765e65c0c4a0bc12fdbad21bbbb37a5a531735651c5ad74e533dc9749d2915082839a682c667376752efec893207054722d805980ee0721e471f9a46c15db4dd9994e4aa5fa3dac35768187de05e89e37815a0284ab0ef253c9fa5d3f6ae3612cd801d9166139cd6a552f74d90e681e9d5a21db36eda3002112c780aac44be8955f3ab42fe174aa5ebca7d0282414e81a3edd98eb8ddc450841ce01676a2205e9a043406531b5f847fab34336db279186b6f75507ed06f4928e37adfbdeb6fef5c2ef8b2faadec2843145f3af5858514790dd753e7b1e4cf23e23841d4cb8c8dddaffbf1f79dad1deaec192465d3d4ce81cbfb60a0755e45f7d36e08fe4769a6979d203a02b6b656057988b679e6a1c4506a6a1e9c8f63f457b08774eb68395227d1154080dd5f7d3da05de07deb79f07c1b0da1ce7979f22f47326a36534ecc34ee766dd488f1bae7fd9f254b831cce53a670ca3280a047b0da9878f8990091cc45bfeafbbda2819985693d8246efbfb2eb949660bfdd6b7e8309cde0dd470811d3ce70d85c879bcb9222be60a8ded820e6587c7a22d763359f29f4859775f99b7e4cfcf62a7126f95d1b4fbee81112be4d2ba63b9f0a3199e52f6feddb3a22bb1a1289f8910461462b36c0703c2f1919762901a0d7a7d88023e261fc512e3b00169667de0f68292eaf7abe489d1ed54bb37f1af5a13622912adcfee0c25a4d17410b567c9f50685c40ec8e3b8374f87a3098cf67186a1c47fcb0eee1acf2e28cbba95c43ca46f626005689e54fe354f17ba465dfc1faf8daeefa811dc592b2f44afeb011b0bb547a6391d4094d6a8628f3f4db8fd12812af247151b3d8a2927abda1844191e5610c5197ab75b36c1c4c80bf1a3d13f3079df45cb791bf10635cdc019dbe9a665f31e5ba7120cfcad03a19d81692b0621faaac0440067f42259a7e9b35160f0782c2d97aec4ceeaff3dafa072f750ccb9a70a94d418b5e8ee4096d833e73bcbc9c97ad82061440d387b2a29bfb5f9aaeb8d0205c39d19cb539c65e34b3569482ead6976e88a34ad2d229daa54f45a260ec450fc5f06168fcb9da7fbad3365425b6cec55e49b159dbc5bc8c918a26ebe8784bd61faa79ab72d02772e3927c5341ae31a736a57367c06cf0630f910d289a69d95f422b5472ddc104ec6c9c028cdee4e4f3126055f293137df0aa9f256ff6b228e96c901c72f40124482df79146272e8c38daeb37549df2fde5db3d14a4853d1293c58213af0693ee62c040f89c9030a8fbd5daa20ab08d7f6a7ecf16388c95a76450f1c46e9bfebfb186ad9e836a4a1d49d24fc4224e95cb0a48ceb5b656b85d5b5173864d7f7c3899e403ed178d6420dae7d0887b1e41cf9e03e3fd50273b1fa17b62e45c49e45b81127458e636794af2dfbce1b075d5201edaafd52ef8b78aff8cf42018446e5075d69c79b7c95a4a605f85d9727bbb060626f6724086be9bfe344b25eb7c97e0cf16891b2b4c2fa4829690e6a9c48c4651738369232bc1d1140833f7a2a2c08287caeea07551c918531d8ac9734728758307613d39af700fc1f2f322af3faa548846263e75d852f21477a814906b6f32bc17950ffb636f2a3c26bc982a3629aea6411f085a9aac3e681dabd2f703f70f92c79f01f2956a1fa37cf3a035bca4d77d1a8f80d18d07f939395a3f2ff5c3f1b38c167ec796196e8e9b852866b4c8536d8f895f9b176209f407c626f269ccfcf8b42216e01f2b597d92788f98de7b1dd13bc27d63b05921da139b31ae2d84fd3497a424bb06e0264f32e63c24d50f53bb54f0beddb0bab004ecd8e2cf0b1e6958a54ba944513a0498a1ebe368568529894499b22fdc1d6c1d04498bf8732e397cca7624c9e31c5000bb682d9be38aea7b04ca18ec0d0259409cab7eca75cb9b28d61090016296d8de447ef3c62c21a82f573db662ef7d366d0aa34dfd75fc37e5126c1227ee242811bef153876093e1154f94e951a9941661e29a235996278dbd374f47a3c3730b8094711dafb908e47b2eca2ce0d67a5e3103d2e533483995811c3fff7683b5f065c955cd3431190c1fab1e5ca6f52252497ad3dac559b2ae2eaba32ee4d829f6cf771b762d86582ebd39acbfa711c8262f57348340255ee59ba152fb0af957be72cbd809cdadec3583e135288f052329f89ff7088abaa11a9c8a0aa715950d16e2787225624c44b74d5b936237a97114eb682a6601a926232d6d42eada6bfbbfe77fe9a6d4ddceaf4bf0235d5a432e0e2fbd9d18a27003a9c52bdaf810a49802e535bdc4c239c64171c44fc75a5badf738631df16f813228cf26c97e3c218a7b6bb8308ec99556cb4d6e2e985e5693a7bfa1a59a1813a7e45599b9b715127ba81f95d93dc61a19ae58acd8c5996cdcc7290b5de465d82e8cecdd6b03db51e63b5024268124dd9cc2dba85bb5d8c876ca680ddee539a364d624b5bb19bf15205f780512fe11ee0758ef4eb3fdc831fcdc1eca0a911692137b49127a2495eaf55c3a9f5412306ba322f76a3fe4fcdbff2b21248811f290f7cc0b07fe919fa0c2995ffdbea973b1c57ec75dbd530d0fa925e9a5bf789f021ea99e658f2e483c6c707173816203efa664f8c2457cc7f75eefeba59b338cd6d282b198d459da0347f015de633a697d4115fac2eeb2c4bffdb6eab7a9cb359deebe188ccfe0a21ee6bc6d9418945f459923468547f4aabc6c68d8f95a5a8da880b4442901f8ced296c493f77b7ba6936327ce407ea3fe23e920b1a5c5176cbc45cb13a4b291b54284683dd9282f45bb0ba8fe23118681c9e32a94cef359875346f37224f7201582d548ba82a3fcf0878859616546cc857a25b89e0cc3542b814113296c95387bc5903f9557c13c9d96278599f9cb82091119bf891b76ce70626f75072bb279797ef83f2a97a83d02585a4c993f39189ebf4ce0f606f2e1fbbd2c98588cb770023cba4d54ce7ee96f6f79391fcbebe75d0675192f198549893246dbe838e8a3626399b0eaf59ff3f1ffa1aa8c7f45c08e5ee47c18a5e38664611d381e857c90cd6049075dff4cb6e2171561e37ad81498f079791fa53d8aa84badc389482f6e18d72aae53b264561a7528695b1906d0a81ac3b921ed3aa98ad651004071b1814cc44ec318c1495d1951f1028fd5dd78d32607d42f9734d5277d1e289a6ea543ae5084aca8d0f07ed4f20b76813bb94deb62f103e019d936a3b0292ef37979eeb1da13de70b31f3ffd4a171b50ef86afe6d47168042fc49e03c7a28469fed2fa0ef6ee84c3646c5c0ac08795f72c094f3b552754f5025f1e076a663832d2e29defc27407fab61b124074c33e97697bbfc8f18a6e4b1d5f947b83eac34b9af080d25263b0b8832bb6b52c553e45271de57f618ebad473079184e9ccacb28a11e56151f74479d74f573829dfe596dcd9899f778632ad1c78ecb900c0b4c673a921500460ebeda10740794fafa686cfc5f66676c71554efe6f02cecf7da012f72e0d3ef0ad9988427a327ccec48c32e247641497a387ac18c7ffa08100a8f5fb68096b9e37568482b931ac0a065aee16250001bb95da6032b7d2655a7509f8333881f812684fa5c9580ca07d7f86e721c78119afac58436cb8bfc43162abf03813bf16a3caf412c5f095a0e6fa1a87a845359f1208353b6bdf4af50b4f9b9ee4c1ed2119de1d799ff50a590c4c79e789f6718157b1313be0a47948187ecab2ca1f785593120c50d5afd2ba30883bc171dfa92eb12eccc2e529b1824a25c69f8a1966478a1b8527cb00ae9de3565eceba3afa4ad32ee4b6cb94b1564c238724e4cdbc559c4db012b05e75b3239e080b25b0627c61e8f0473eb9073c02a98de6e72275aff27b20bf3e2d7f0ce96835947f0013eb86c237f7c0b8b0545050bd13fbef2d68a51d737c7786f6af38468734e701033021aa5d3d4dec8832aaede507a282ac90d0f0a5945f24ebe0269a653dca2e33b4871350620561c08186a20f3693c5f5e1387ce94e4ddee45a5009d7b5462f83e6b46760186877937090f4dbe33a4dd9ec954433492e6bbc73634733b3880c3147efbb0cfa201cfbeb840176651422bf3ecc732fe0792ab9dd8dc31db87cbf7c1354f89ab5dc4cd2872818f122bf18070d651388b5c5c9fba99887348ddec8bcc97bbb29bb8744f176738ce89927219b42ca4667ff9bfd8a359a1ed0d15cd50c70ff861bf816a46f5847b71332d598a77d6133029a0bdc8ff70bffb54f289e8bafc25128466c0bc7b490e6b2d515336fde6faced444b5e52a9be8aac95e695dbdfef4b0b4316f57c431672e8ac453d1fb21a321e64c238e6f09f974d5b7f1ef3f1efcf5fb8632ea29c032dc8627cbacbcd4cc99d92dec4368cb468f9635b2b697d9d5144d8fededf8d504b61d120e456da7b3710a1c4628dfe6eb719ebf4f5d3a44cc7fc05be78d0c67b968fb5bb9a7480fda90309aaad8c82d2a5d8f78ec3df1782292bdfa4ba8d65ddb5d6dccf207a60362ae93056c346ed0ed06e36b1d1204c38c0f2c3aac11997387d5911aeec06da330ba0341483817b5e0d836a1a7ee2dc8ebaead147b47c44e8543e5926efe708d1c525eeb2472cab29c986bc5196c77430565cc41c55f2569696092b86a2ba10c79d61c6e44f6226735b21ad2ff85244852b319e9a9781d9ce934868fb72e39bf29fa970f64a83844e3c235b18b716100948fb2590d4e264d786c9b2fb618a24a11decdeb54c96d830822dec5df37cf3b50d825de72f14e390a05816dbf048ecf36e21ec7b92613e3f9859a07a04e83e49f57e17d3d78048e234248874c8646b7b2f0324d1dc6cbd74a507847b7779be8914dd6fa56b2cfc43173ec7964341a7ea43e7d1eab3a8749bcdb5806c1a113f67447cee7c30d12de03086854005d041007f158cd472978cd9bdaf4fae9b640bf181fa18061cbb08a3033bf16c8b022b94ce54c41aec45d468942c87c91c228e17ff9aedcb13d7e4437c25cbe148e91be5c5e5a36bf458debb4b2c8aed2add9c14dd1bf89f74a53df7f3d3120e97b0256592cb3b516f08f3c02477430bd"], 0x1004) [ 1397.079696][ T5008] dlm: plock device version mismatch: kernel (1.2.0), user (1.4.0) [ 1397.090632][ T5012] binder_alloc: 4997: binder_alloc_buf, no vma [ 1397.096985][ T5010] binder_alloc: 4997: binder_alloc_buf, no vma [ 1397.108547][ T5013] binder: BINDER_SET_CONTEXT_MGR already set [ 1397.108566][ T5013] binder: 5009:5013 ioctl 40046207 0 returned -16 01:57:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x500000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x5, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:29 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xc0189436, 0x0) 01:57:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7a000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1397.230472][ T5021] binder: BINDER_SET_CONTEXT_MGR already set [ 1397.239241][ T5021] binder: 5020:5021 ioctl 40046207 0 returned -16 [ 1397.270056][ T5021] binder_alloc: 5009: binder_alloc_buf, no vma 01:57:29 executing program 0: socket$inet_smc(0x2b, 0x1, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x80, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:29 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1397.277966][ T5026] dlm: plock device version mismatch: kernel (1.2.0), user (1.5.0) [ 1397.318942][ T5030] binder_alloc: 5020: binder_alloc_buf, no vma 01:57:29 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x600000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4000) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f00000003c0)=0x0) getresuid(&(0x7f0000000400), &(0x7f0000000440), &(0x7f0000000480)=0x0) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000004c0)={0x0, 0x0, 0x0}, &(0x7f0000000500)=0xc) fcntl$getownex(r0, 0x10, &(0x7f0000000540)={0x0, 0x0}) r6 = geteuid() lstat(&(0x7f0000000580)='./file0\x00', &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$unix(r1, &(0x7f00000006c0)={&(0x7f00000000c0)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000000340)=[{&(0x7f0000000140)="dafcfff5cf47762847dc86c950b97d8e9e79048984c937472e090873b62024707e230ec553e239776b6a631b19043c2c7d1765e39a74a86b0be179c8c8c01ff87b5b8ce1b99ea34bb89dc8aaf6", 0x4d}, {&(0x7f00000001c0)="450d3601c00b5670e53059134819371a9478fd818f1959873d4350127d103ec4731079e6bb6a5ea3cb91a68c035db925aea46c664595eb4e66dc8354a250ce51ce9d7bc6303178e8", 0x48}, {&(0x7f0000000240)="5dbda9e058c4aa0c52b9cd0b82397c28975f06375bb5fe53cd92366c7051b1bdf2ef2c1dadfaa2c54dc194a63c7e8dac629e4ba2539079bcc2e38248da44907fa92f11192ff273c666dfbb2dde865ce42e88560d76872e9ca6413f271cb8ce1f14e9850f232334a08eed5a6c4d770f7e21923e7cc2de9c25e074c8f553d985", 0x7f}, {&(0x7f0000000040)}, {&(0x7f00000002c0)="a32d0bc2e5e3246d077396f42768e9d3432bfcd01224a2c36fb6be439a57355c16f819bb3dc7275d82fc70b6ca103550b6abcaaeee7884ec1917c2e0", 0x3c}, {&(0x7f0000000300)="d1de8a9bded1d38844a6596256f066e4423fb154c21e1c503e5ca12e1b908093bd", 0x21}], 0x6, &(0x7f0000000640)=[@cred={0x20, 0x1, 0x2, r2, r3, r4}, @rights={0x10}, @rights={0x20, 0x1, 0x1, [r0, r0, r0, r0]}, @cred={0x20, 0x1, 0x2, r5, r6, r7}], 0x70, 0x84}, 0x800) [ 1397.403210][ T5039] binder: BINDER_SET_CONTEXT_MGR already set [ 1397.423747][ T5042] dlm: plock device version mismatch: kernel (1.2.0), user (1.6.0) 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x300000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xfdfdffff}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1397.470084][ T5039] binder: 5032:5039 ioctl 40046207 0 returned -16 [ 1397.476636][ T5045] binder: BINDER_SET_CONTEXT_MGR already set 01:57:30 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x4800, 0x0) getsockopt$inet_sctp6_SCTP_MAXSEG(0xffffffffffffff9c, 0x84, 0xd, &(0x7f0000000040)=@assoc_id=0x0, &(0x7f00000000c0)=0x4) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000100)={r2, @in={{0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1e}}}, 0x3e8, 0x1, 0x6, 0x2, 0x6}, 0x98) [ 1397.520613][ T5045] binder: 5043:5045 ioctl 40046207 0 returned -16 01:57:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x700000000000000]}}}], 0x0, 0x0, 0x0}) [ 1397.600775][ T5057] dlm: plock device version mismatch: kernel (1.2.0), user (1.7.0) 01:57:30 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xc018ae85, 0x0) 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xfffffdfd}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x48, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:30 executing program 0: r0 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000001800), &(0x7f0000001840)=0x1c, 0x0) ioctl$sock_SIOCINQ(r0, 0x541b, &(0x7f0000001880)) r1 = socket$inet_udp(0x2, 0x2, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000080)='/dev/snd/pcmC#D#p\x00', 0x101, 0xc0002) r2 = dup3(r0, r0, 0x80000) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000000040), &(0x7f00000000c0)=0x4) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000100)={0x4, 'hsr0\x00'}, 0x18) ioctl(r1, 0x800000000008982, &(0x7f0000000080)) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r0, 0x4010640d, &(0x7f0000000000)={0x9, 0x3}) [ 1397.689434][ T5062] binder: 5061:5062 got transaction with invalid offset (504403158265495552, min 24 max 24) or object. [ 1397.749519][ T5067] binder: 5061:5067 got transaction with invalid offset (504403158265495552, min 24 max 24) or object. [ 1397.762307][ T5068] binder: BINDER_SET_CONTEXT_MGR already set [ 1397.768317][ T5068] binder: 5063:5068 ioctl 40046207 0 returned -16 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x500000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1397.816687][ T5075] dlm: plock device version mismatch: kernel (1.2.0), user (1.72.0) 01:57:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x100000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xa00000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x101200, 0x0) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffffff, 0xc0206434, &(0x7f0000000040)={0x101, 0x0, 0x3, 0x1}) ioctl$DRM_IOCTL_SG_ALLOC(r1, 0xc0106438, &(0x7f00000000c0)={0x3, r2}) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:30 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4c, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:30 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xc020660b, 0x0) [ 1397.975142][ T5084] binder: 5083:5084 got transaction with invalid offset (720575940379279360, min 24 max 24) or object. [ 1397.997433][ T5088] dlm: plock device version mismatch: kernel (1.2.0), user (1.76.0) 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 0: socket$bt_bnep(0x1f, 0x3, 0x4) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) socket$bt_bnep(0x1f, 0x3, 0x4) [ 1398.028314][ T5091] binder: BINDER_SET_CONTEXT_MGR already set [ 1398.040319][ T5091] binder: 5087:5091 ioctl 40046207 0 returned -16 [ 1398.051125][ T5093] binder: 5083:5093 got transaction with invalid offset (720575940379279360, min 24 max 24) or object. [ 1398.071513][ T5091] binder: BINDER_SET_CONTEXT_MGR already set 01:57:30 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x60, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1398.096064][ T5091] binder: 5087:5091 ioctl 40046207 0 returned -16 01:57:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x1000000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x200000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1398.193671][ T5105] dlm: plock device version mismatch: kernel (1.2.0), user (1.96.0) 01:57:30 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x804000000008982, &(0x7f00000000c0)="8f09414fe176950af89fc45fe490c5d5a9b3bf96e9681a1a8d8fcdd0965c7ecb3473510e5896a2cad4ee7b7a87e948960882fe8098aae7d43dac72961463ebb87a512469e126aed63eed56a6fa03cc76222ae4a2f48160e81a8e621d89cb471a03726703579f5529c209ee391463515032ba5c9b9ac2fd1b167087945140074b7eb24c9021bdb3c30187b7") r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x8000, 0x0) write$input_event(r1, &(0x7f0000000040)={{0x77359400}, 0x17, 0x101, 0x4}, 0x18) 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1398.240628][ T5109] binder: 5106:5109 got transaction with invalid offset (1152921504606846976, min 24 max 24) or object. 01:57:30 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x68, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:30 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x2) 01:57:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x300000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:30 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = socket$inet(0x2, 0x0, 0x1000) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(0xffffffffffffffff, 0x84, 0x70, &(0x7f0000000200)={0x0, @in={{0x2, 0x4e24, @local}}, [0x800, 0x2, 0x5c, 0xffff, 0x3ff, 0x1f, 0x6, 0x6, 0x9, 0x8, 0x4, 0x6, 0x5, 0x7, 0x3]}, &(0x7f0000000040)=0x100) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000380)='/dev/vcs\x00', 0x600000, 0x0) getsockopt$bt_sco_SCO_OPTIONS(r3, 0x11, 0x1, &(0x7f00000003c0)=""/203, &(0x7f00000004c0)=0xcb) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r1, 0x84, 0x10, &(0x7f0000000300)=@sack_info={r2, 0x8001, 0x2}, &(0x7f0000000340)=0xc) r4 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0xa00, 0x0) setsockopt$inet6_group_source_req(r4, 0x29, 0x22f, &(0x7f00000000c0)={0x6, {{0xa, 0x4e23, 0xffffffff, @mcast1, 0x1}}, {{0xa, 0x4e23, 0x100000000, @loopback, 0x8}}}, 0x108) getsockopt$inet_IP_XFRM_POLICY(r3, 0x0, 0x11, &(0x7f0000000500)={{{@in6, @in6=@empty}}, {{@in6=@remote}, 0x0, @in6=@mcast1}}, &(0x7f0000000600)=0xe8) 01:57:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x1800000000000000]}}}], 0x0, 0x0, 0x0}) [ 1398.421590][ T5123] dlm: plock device version mismatch: kernel (1.2.0), user (1.104.0) [ 1398.458881][ T5130] binder: BINDER_SET_CONTEXT_MGR already set 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6c, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1398.488157][ T5130] binder: 5121:5130 ioctl 40046207 0 returned -16 [ 1398.496305][ T5133] binder: BINDER_SET_CONTEXT_MGR already set 01:57:31 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) pipe2(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4800) write$P9_RSYMLINK(r1, &(0x7f0000000140)={0x14, 0x11, 0x2, {0x80, 0x1, 0x5}}, 0x14) ioctl$SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT(r1, 0x40505330, &(0x7f00000000c0)={{0x8, 0x4561c314}, {0xbc5, 0x5}, 0x80, 0x1, 0x9}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x400000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1398.555675][ T5133] binder: 5132:5133 ioctl 40046207 0 returned -16 [ 1398.555732][ T5136] dlm: plock device version mismatch: kernel (1.2.0), user (1.108.0) [ 1398.589740][T31106] binder_thread_release: 16 callbacks suppressed [ 1398.589751][T31106] binder: release 5135:5140 transaction 11146 out, still active 01:57:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2000000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x74, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:31 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x3) 01:57:31 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x3, 0x0) ioctl$KVM_CHECK_EXTENSION_VM(r1, 0xae03, 0x0) 01:57:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x500000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1398.734257][ T5151] dlm: plock device version mismatch: kernel (1.2.0), user (1.116.0) [ 1398.748224][T31106] binder: release 5149:5150 transaction 11162 out, still active [ 1398.761871][T31106] binder_release_work: 24 callbacks suppressed [ 1398.761877][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1398.770457][ T5156] binder: BINDER_SET_CONTEXT_MGR already set 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7a, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1398.801542][ T5156] binder: 5154:5156 ioctl 40046207 0 returned -16 [ 1398.811981][T31106] binder_send_failed_reply: 17 callbacks suppressed [ 1398.811988][T31106] binder: send failed reply for transaction 11162, target dead 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 0: socket$inet6_udp(0xa, 0x2, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) fsetxattr$trusted_overlay_opaque(r0, &(0x7f0000000000)='trusted.overlay.opaque\x00', &(0x7f0000000040)='y\x00', 0x2, 0x3) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r1, 0x84, 0x6b, &(0x7f00000000c0)=[@in={0x2, 0x4e24, @multicast2}, @in={0x2, 0x4e22, @remote}, @in={0x2, 0x4e20, @local}, @in={0x2, 0x4e22, @broadcast}, @in={0x2, 0x4e20, @initdev={0xac, 0x1e, 0x0, 0x0}}, @in={0x2, 0x4e22, @local}, @in6={0xa, 0x4e21, 0x0, @mcast2, 0x298}, @in6={0xa, 0x4e20, 0x3, @empty, 0x1f}, @in={0x2, 0x4e21, @local}, @in6={0xa, 0x4e22, 0x8, @ipv4={[], [], @local}, 0x379}], 0xc4) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1398.872234][ T5162] binder: BINDER_SET_CONTEXT_MGR already set [ 1398.872562][T31106] binder: send failed reply for transaction 11163 to 5149:5157 [ 1398.899102][ T5165] dlm: plock device version mismatch: kernel (1.2.0), user (1.122.0) 01:57:31 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x4) 01:57:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x2800000000000000]}}}], 0x0, 0x0, 0x0}) [ 1398.923095][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1398.929774][ T5162] binder: 5161:5162 ioctl 40046207 0 returned -16 01:57:31 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0xfffffffffffffe39) syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x77, 0x101000) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x300, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x600000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl$TCSETA(r0, 0x5406, &(0x7f0000000000)={0x9, 0x9, 0x7ff, 0x12, 0x9, 0x4, 0x9, 0x1f, 0x2, 0x400}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x3f00000000000000]}}}], 0x0, 0x0, 0x0}) [ 1399.123684][ T5185] dlm: plock device version mismatch: kernel (1.2.0), user (1.768.0) 01:57:31 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) pipe2(&(0x7f0000000000)={0xffffffffffffffff}, 0x80000) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(0xffffffffffffff9c, 0x84, 0x6d, &(0x7f00000000c0)={0x0, 0x1000, "d02a2ac04572ae53a232d9e97d29c16c32b3b367cf5491ca8701481ef21a5baf8c7fc65f709a1cc0e3bb0e328a549373f879562b110b422eddcb5f40d6342a8f7308074220bfa648ef1ae15c7c61bbed62f26f809db96f665c70e6b2e290d8c9d3a7d9b84c113d97215ccddd1f40f574675e7803db6a06b9338c5b114f22c3123fdd80189fc227230cfed512ad766cb93969bf330ee14e65c5a6f97a71fcff2a7b50e94a57954ca4d6e3092e3b4e294cdce7334fbab350d40d98ec8106f689feccecdf93d8cb1d006facbae4d525d867f9584022d95cdf08f3aa12d4f9e3469361c88f8c0710e3da1f5d9bb74c8df5644e7ae1bdca3f9447d53d95157588d8f715f188968ef192f3e7953cbb2323c1e1f77980332a991b62e8616e47a4ed0ec0e8fad72d00662c4ecf4ecf212e138fba7a3f9417468414f9b3e6366dd1958fa2abc29f54ac3a35a98cd2c7a60ee78d9d7df366c11d82e42bbe5f77069503d642c5f489d1e6294f4a8b29d87618e284cfce19d3915598bcb1b807e93ff9fc391dbb8dc1e1c8f5eadd53a4d1cf72d8e9aa0d18312e9d5efb6030555da36e701d06b4aa22dccb1de77ae7f52b89db987295dafb6fd8df13eb1f71ff28a89abeb9e76507e432e32bc8c9761afae1201b772940e762bbc3f6dc3bba7427aa7446b18b904e076a6e6a26b1a46922e1793bb25939189942fa21c89d2923e6ae16ce40412be1e2acf8f858d39a2b64fedeaa79957ea92ee11355e0453c67ae9074f98df7347a701f0e1c1f707d9f1f9d16da7d172a0c8282c2029cfb727d268e1f98b88ad5f43ca2297ea5dc6c4bbfcccc9af53f6202258b93a093f124f2cf5d63cae45dc8a7b3ac34cbd5865d9749f430577009f5795c592677f4d74cd448ca907492104e9478432c7159a06cc73a73948d70329711b9d3ec0b23c8a9b3e4a8039c675cb2145a51ee44a7ea7b11b1d905295d7ff9242ac0953a8443ebcea70d19b362453cb4b4bbea1caa0c7b3edd47e890332145dd0ac09deae4fc55d12c4903e32eb606c000027eea19e9399087d420e1ffeaf45082164cbdd0eb579de393de79652daa2363f1d846c59f81325121fd401b1c295e309c6048cd666c86ad6af567a945825d3d07ac30554ff2f74c83b54c61874f759d497cee24121a8f7418805c6ddee0b9988993a6dcbc580d35731c14fc0705b6b207e2bdc57b1902613455a5920a31ea99b37c26947b8761adf38124abdcd748dbde454f2ebde7ccdfeee13e175804cca75dc052c6c4261bf576dd202e0c50e3abbec8406a0c87a3340c09242f1cf53666660d22b4b09a7059f38f913ae54f19d578d4d26f654af21847dddc6b237483f611eae4850f6cc344c0f09d83305e0f450954a7ce6314647ed74422adeeaf07bed3b587c838a027a19f22ed8d3bcf38ef9d60794a4a3e9733f5443de8b394172c4d343337b8e08227bf2c500e402819fc4204c365369fa9dbece0b72780240d9014c8281143816768cd856d90e92de51901fd886c10c419a1c1c966d8f2d557e00cb4a29fc97c3d71ed5332b6a7f779fc92aa5b4306df3fbc4b415c5528e9e863abff3a915fa67d013fdfce3a10b45fcbac085d6cd0e235f122ec0e1be0574768e9fa64c0ac5d0769f5c95e554164864f6a5f5c4e38424daa140f96aa03018c85d43d6d1cd758466f00a6fe63911e1ac1f907a014d9a36acebdbd74ee028d03c50a44a959cdfd94e6489f4de5609cd0dc1d88debbd1e3b48dd53482aed2c4d753717aad473a2a4fd81364b455440068daabdfd94f71ec84cfa53b8a49404f2a89dde10764c65cf070381ea2bde1d8bfd7c188b8762287889040738e954bf4dcd4e75faed0e1757cf0c37c13d86c5e2fcd2efead246715adb16cb0b32497aa2de797eb1771a5a04beec2a2c950cc42576d2cc9858df76660d14f67b96060cb5a6bd5d970fbc5393161b98c5d797e861985c3f3cca1fde654e8f6a78814bd6ef26678dd5ead5ec72fb9a66f4e956a55f591e5d81f77db3bd11fe952363d35fbfd10e2103c19a64677c0c7280c9eb0bab494679203e836daba7bc4a63909947cb8cd3e1f9b1c9b3a515d4fe16950c54a68e10b5973674199dc83c887b6a5e92d442e9c704fa3e1edd92b6bf5638ffeb670961bb2e5bacede5f5be23793d04a7b66cfe7cd9489eae245785f36756f995a25a25eb0516caeb874374e158ac53265cfd0c1a60dc8e3e5cc4880def7bff45a39e5298e2d12e546f45334e62a0287731c0383b5c6e6c48eb74dd3593eeef3cf9acb47103661b03cd34132008b7de5e46ea4a160003e6e7a8e20fd9f75f98979c89d6f993ea69a6e141d4170b3de9d8c172d4dec051022644e216d64387241a287f36401496e717769f0830d47406ac23601468877e8f418adbf731c08de34aff890bb3e5442f9e602c301247e3487991d5f93a223638fb4dbf95a93e049bdf44864d69b8c6cfed02c734a5dfd49a80cb352dc701a1fc44802d24c26ddf70a6f7dae8df9be87e52e98ed3b02a067918b3b45d489cfbc12154d6002e09b25ef653d60d688e16e2c54b00335d32478fc9c1f2fe7070a1f6a439fbdd69bfaeb620341ec59a061dfac9873a17d038dca83cbaeab60d6d5683c341e07b8e93b6f02f04ec8e35c0537d2495e5c885da37f3e1e5978ad4f74fcbda0ad0c60d4be6d55a5bb302c5ad723c5f70acf948c35c0ed654eaffd1e6a1f1c175fd79a5549203ccc5a452cfa116d26d016bad22188cf1d6f8a1edf7b73ef0ebd652b934c5e1482c22f62cacb166f4f54e9fc262c7c69aa8f1acd692b39197b2a47bc4f5f9dfdbba11ee15360432149e49cd2a1e3a79eb8af5bc0413448ea342e89d3e398f3689f9d9e982afce7f55b9668ec25836312f3077f5fbfc91365ce5def5f1647a051214520a3d7d8720696cc9112063be92fa1a7337c8071a47da97db1ffe49f23e9c3647e2a895a6f4cb846c667448d40e318a631de5da94443cc85c4df96e0928c80f462ca5d4591a4479b8f003e4cba85ea69bf359577e5ef1a18c1bd92fecc3cd964c1b728febc23b532d8fb21ea9af0d225767dd63a22bb09913f8bad8b4b291b264b773e2b304f65106a93bdc457d09359d0ddfbf2e0d5fcdd1de91411107c9eb73ad12f15dd232ce2fe982c1ec944f8f166d1c3cb0984e9dd74e69c9c2505e2732d8a66a8d1d4888f48882d023d3a89d2cf6bcd5971668698050a37d955e8413fa3bfc28aa2ba629d1e0ce02bd85e2ad59ee420a2e4db0d0855db092e6298c2eb983b9e130b0c4bd020f083947c28ea3fa5b345fb3b02bb72c6eca5e785a724e90b09170cdda34dd6f1fb5de2e9cbf676b75b9ba3793495bb19138e21854b539555bfd71c3029726572ffe137482418bb3936542d02a3ba95fb92e1d971a9eb27c995be77e61244ca1bf791b776c9d9f893a8bf331d266654f0af971cd5fcf41412d01e3719ce537d33bd8e3b55cff5cad1ac4e14946d848417237df83359c0e121b339002ab21f5a3aa646b7904e9af82fe721a3129bc3d9ef5e6dea8c1ee9b421932b9aeecf7bf4ac0873d15d126b31232ba8d0c8edebe767e2dd76227907e417fb66dec697379c53d82cbfa97258cb5e823b3579b077c8c9b1593e405a205a3869b037113430f7057c0885970c27ddb80166d82d8737938d7050219137c90820f914891c85e6584567cf4d853d577faa4d3e60f711d1d7a9d593514a8869940fe2578299d4cafda83e96f2347853d3f51489eb81ff8761c5884782886a6a385f100ec73399704ca702cdcb0913511ea3490762f49090f5ca0096b4a13a2e58231d022e7fd66c2dbb353cd800eea226f26f79627be654185cca9e20c7d6c357942ff2dfb9db081485566f377e1ec37f17b72b1ff044cae118cda513f369b25baf58e6ddc7c7ce9bd5104907db5e446031f7cd4d56f761bb7f5a94befb7939b7a86156d9202efe567b24a73546b6d3d7c112ed46b4c275558567e93c3b482a929d8d981959a5937660f5d02282384b872bfc34b9bbfb12a4dea2192d8b7a7f55671faa38acb616801bba738d5c1b0a9974ee5285efa21eec627c412536c77cfa3f6cd7e01a59aff0e489006caf755e077930843c5ea7dd20d9b16cf88af763eb0e942895f7cdcfa752491dc4ab72a90feca40b4ac9ee0c37384de952732dfd5d27bb56e506426681f128e2808098b0e5b3bec17b62149286404956c1235384f7e6ca8baa8cee4bc6173e01e644df92fc8ee85cf483737004a6662fe0e169468c15d52f1131340fe5d8a9841cdccd6246036e8b03032e1bbe4b6d2d1f03cf725630502fe71caa7494780d95ea8df1430b63f775eb46a4b21579f81dda8f0698f48bfb1318f9d41cb0fccc1e798bd6405979be31aab41d7f82d4cee05c416ced6d1a5697238937efbead51737640f7aba38010f07226989d7d62f930950763ff2194dacd181d273f71c48e3cea988e92da7d7aa25191922179a23dc841c6d0cf9770296796718e9ee29de1370405b1d51ced746c561c2f605c18a36aaffc757bca08002d28d0b046519e079b6e90caada8aa651c4df7d71a0f5784792d08e92cc0c70b415a502d123ac4d73b8b397627790c6fb50da91350114f5fc18a50ae17f10c9daf908df4c01806733239f43288ead61c3824a1c12adae56f5e26560a258664059d0bda705bd7f387452d0da6f665c5a9b2aacd70c2d15e162e5dc05049d73a55d72ec64fb8376be82f9cf95286b0acb61a045cc4b5357da1df12e33e31efb25f9cf87183b955931ed5bbbb85cc1f64e8a4ed1beaf26f19410f6fef79ae5404d6e910a024ee18a20a2e774cda3bc134812181da937cc4d8aecb7732c22030681593fcf62408826e725f4b7a1257fa93a5e3239283337c84b60ec27e85073d3c97ad190c33b07c178b30c6ca060eefb85b861dcaee9da9cee02dd1360dc5ec15814637a6a6c8ff9958f029a267f1a6f14c47a0012e4debec31d0c6839d61360d3404addb79bba35a6c236cfcfabe039518e8797e992bf866f0c6a566f28fafa62d013e6608431b02c8efdfbe07efd8452581ff206cf79c214a486881919edc2f51533f991937da0f60fc733c524cd7c0974a5ba237545e9e9bc911063fde9b86dbc74b396ca98edf02bdbbdf4585355e3d63a0268d4104c2c03dd98b2ddbfc6f93d0c197907f6b7daf2b9c603384124b7ac130b553396711c0e4bd7ee5cfc6bc489a1a56f7437890f627564e721b9aef99bf481976a6dd504ecfa1b7677f72512ac96c5a8241e1cdf82d4eb92a28874d2c09d3b1a9b113764821382aca28a2ca8673a4440a5f62380acbc560c8e84267b7d2d8c9c8206a3c6199b7f971fe62cf58e3b82f9f11eacc2336d67858b94eab7a8b21dd3cd6d346c41b1fe277c4c704c340b82ac5ebca00015e566f149a3a15c27af81681179aa07cf5f8c9ebc7b7e4877fd22d32a7bb735dd582dfa90baa4ce45ffd52e92a8639d1ea4d22544359757027d74f624f5bd2d0d4be438e29b5b8beff690d63468ffe3d2814c504cbe93bfb493d118264348b08ee4a7f8192a0a6223e9e315961de81ab0ceceda90abf6823a8887f6e8ba550415ddd1004957b7dd64cf7de0b2dc11a70090b957f62cdfa8c9231cbd2cc3afb260a8a268486e45bf517e4574df15b22dd681cc7687e2c5d373daaf7a0c2531da5bf6d13658b5c24eb084e37c1ce38100382fd8781f95058fbb3c9fcd24a8edc9cad13ca506b9207b27c753b631c95a1dbe5b55b7f95f6e6589497548db8ed5e768ae626f067"}, &(0x7f0000000040)=0x1008) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000001100)={r2, @in={{0x2, 0x4e22, @broadcast}}, [0x68e9, 0x8, 0x1, 0xfffffffffffffffb, 0xffffffff80000000, 0x1f, 0x9, 0x3, 0x4, 0x9, 0x5, 0x6, 0x5, 0x1, 0x7]}, &(0x7f0000001200)=0x100) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x500, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x700000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1399.217986][ T5197] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.254498][ T5197] binder: 5195:5197 ioctl 40046207 0 returned -16 01:57:31 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x5) 01:57:31 executing program 0: r0 = creat(&(0x7f0000000000)='./file0\x00', 0x90) ioctl$VIDIOC_RESERVED(r0, 0x5601, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r1, 0x800000000008982, &(0x7f0000000000)) [ 1399.296894][ T5203] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.304310][ T5206] dlm: plock device version mismatch: kernel (1.2.0), user (1.1280.0) [ 1399.329960][ T5203] binder: 5202:5203 ioctl 40046207 0 returned -16 [ 1399.336608][T31106] binder: send failed reply for transaction 11195 to 5198:5207 01:57:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4800000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:31 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x600, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1399.362567][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1399.368645][ T5208] binder_transaction: 21 callbacks suppressed [ 1399.368656][ T5208] binder: 5202:5208 got transaction with too large buffer 01:57:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1399.414375][ T5212] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.433583][ T5212] binder: 5211:5212 ioctl 40046207 0 returned -16 01:57:32 executing program 0: setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(0xffffffffffffffff, 0x800000000008981, &(0x7f00000000c0)="b5c00b5d2cb9bf0dd68ffa38ff95b80181f6772bb6ae74d7b86e0a4e7ac9504c7acaa71f67f3fd3108d41401633d53e22c47a5be065e467b395f2e385ad170a31be8ea1844cd40a3af9bddac3d647b4ac3bdbcd11fd6f87d44e98ece299fdf8406e323ef2b464105a02f3580afb4b04e933203962f25150729a6c576f3335d") [ 1399.467446][ T5212] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.500094][ T5221] dlm: plock device version mismatch: kernel (1.2.0), user (1.1536.0) [ 1399.509696][ T5212] binder: 5211:5212 ioctl 40046207 0 returned -16 01:57:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xa00000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x700, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x4c00000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x4, 0x410a00) ioctl$VIDIOC_SUBDEV_G_FRAME_INTERVAL(r1, 0xc0305615, &(0x7f0000000100)={0x0, {0x5f7369c7, 0x6d5}}) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r2 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00', 0x0, 0x20000) ioctl$TIOCSERGETLSR(r2, 0x5459, &(0x7f0000000040)) [ 1399.602413][ T5226] binder: 5225:5226 got transaction with too large buffer [ 1399.657380][T19060] binder: release 5227:5231 transaction 11213 out, still active [ 1399.672892][ T5226] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.689017][ T5234] dlm: plock device version mismatch: kernel (1.2.0), user (1.1792.0) [ 1399.699109][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1399.712041][ T5226] binder: 5225:5226 ioctl 40046207 0 returned -16 [ 1399.712743][ T5232] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.737906][ T5232] binder: 5230:5232 ioctl 40046207 0 returned -16 [ 1399.743343][T19060] binder: send failed reply for transaction 11213, target dead [ 1399.789802][T19060] binder: send failed reply for transaction 11214 to 5227:5231 [ 1399.797568][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:32 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x2000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6000000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x1000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x6) 01:57:32 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = syz_open_dev$admmidi(&(0x7f0000002500)='/dev/admmidi#\x00', 0x0, 0x101000) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f00000000c0)={0x0, @in6={{0xa, 0x4e21, 0x10000, @remote, 0x8}}, [0x54, 0x6, 0x0, 0x4, 0xe4d5, 0x0, 0x9, 0x1000, 0x0, 0x6, 0x1a9092c8, 0xf8, 0x800, 0x3, 0x9]}, &(0x7f00000001c0)=0x100) setsockopt$inet_sctp_SCTP_ADD_STREAMS(r1, 0x84, 0x79, &(0x7f0000000200)={r2, 0x1f, 0x6}, 0x8) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(0xffffffffffffffff, 0x84, 0x7c, &(0x7f0000002540)={0x0, 0x8, 0x2}, &(0x7f0000002580)=0x8) setsockopt$inet_sctp_SCTP_AUTH_DELETE_KEY(r1, 0x84, 0x19, &(0x7f00000025c0)={r3, 0x3}, 0xffffffffffffff25) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r0, 0x0, 0x61, &(0x7f0000000000)={'filter\x00', 0x4}, 0x68) [ 1399.917395][ T5254] dlm: plock device version mismatch: kernel (1.2.0), user (1.8192.0) [ 1399.922146][ T5248] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.937737][ T5248] binder: 5244:5248 ioctl 40046207 0 returned -16 [ 1399.937910][T31106] binder: release 5245:5253 transaction 11228 out, still active [ 1399.946445][ T5248] binder: 5244:5248 got transaction with too large buffer 01:57:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6800000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1399.969114][ T5248] binder: BINDER_SET_CONTEXT_MGR already set [ 1399.975665][ T5248] binder: 5244:5248 ioctl 40046207 0 returned -16 [ 1399.991963][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1399.997912][T31106] binder: release 5245:5257 transaction 11229 out, still active [ 1400.000378][ T5258] binder: 5244:5258 got transaction with too large buffer 01:57:32 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8, &(0x7f0000000000)) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x80, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_PORT_INFO(r1, 0xc0a85322, &(0x7f00000000c0)) 01:57:32 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x3f00, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1400.055450][T31106] binder: undelivered TRANSACTION_COMPLETE [ 1400.070147][ T5263] binder: BINDER_SET_CONTEXT_MGR already set [ 1400.081200][ T5264] binder_alloc_new_buf_locked: 5 callbacks suppressed [ 1400.081207][ T5264] binder_alloc: 5246: binder_alloc_buf, no vma [ 1400.097683][T31106] binder: send failed reply for transaction 11228, target dead [ 1400.109301][ T5263] binder: 5261:5263 ioctl 40046207 0 returned -16 [ 1400.115944][T31106] binder: send failed reply for transaction 11229, target dead 01:57:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x6c00000000000000]}}}], 0x0, 0x0, 0x0}) [ 1400.166241][ T5271] dlm: plock device version mismatch: kernel (1.2.0), user (1.16128.0) 01:57:32 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x80002) openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snapshot\x00', 0x80000, 0x0) ioctl$VIDIOC_SUBDEV_ENUM_FRAME_SIZE(r1, 0xc040564a, &(0x7f0000000040)={0x0, 0x0, 0x1006, 0xffffffffffffffff, 0x0, 0x100000000, 0x7fff}) 01:57:32 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4800, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:32 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x7) [ 1400.227168][ T5275] binder: 5274:5275 got transaction with too large buffer [ 1400.260449][T19060] binder: release 5276:5277 transaction 11244 out, still active [ 1400.268135][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1400.288466][ T5284] dlm: plock device version mismatch: kernel (1.2.0), user (1.18432.0) [ 1400.302828][T19060] binder: release 5276:5283 transaction 11245 out, still active [ 1400.313662][ T5282] binder: BINDER_SET_CONTEXT_MGR already set [ 1400.321342][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:32 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1400.337694][ T5282] binder: 5281:5282 ioctl 40046207 0 returned -16 [ 1400.337698][ T5275] binder: BINDER_SET_CONTEXT_MGR already set [ 1400.337726][ T5275] binder: 5274:5275 ioctl 40046207 0 returned -16 [ 1400.367344][T19060] binder: send failed reply for transaction 11244, target dead 01:57:32 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4c00, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1400.386497][ T5287] binder: 5274:5287 got transaction with too large buffer [ 1400.404033][T19060] binder: send failed reply for transaction 11245, target dead 01:57:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x2800000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7400000000000000]}}}], 0x0, 0x0, 0x0}) [ 1400.433474][T19060] binder: release 5290:5293 transaction 11255 out, still active [ 1400.465770][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1400.474143][ T5294] dlm: plock device version mismatch: kernel (1.2.0), user (1.19456.0) 01:57:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1400.499917][T19060] binder: release 5290:5292 transaction 11254 out, still active [ 1400.528091][ T5296] binder: BINDER_SET_CONTEXT_MGR already set 01:57:33 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) setsockopt$IP_VS_SO_SET_STARTDAEMON(r0, 0x0, 0x48b, &(0x7f0000000140)={0x0, 'ip6tnl0\x00', 0x9}, 0x18) r1 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x2000, 0x0) connect$nfc_llcp(r1, &(0x7f00000000c0)={0x27, 0x1, 0x2, 0x4, 0xb9, 0x5, "3b3e8228588482549854eed86ebf383241a54783507624692ae221446d710419e41ed04086e8a7e899d546cf2cd197251a5eb432aef63264559efe2736d5ef", 0x2b}, 0x60) ioctl$EVIOCGVERSION(r1, 0x80044501, &(0x7f0000000200)=""/77) ioctl$SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE(r1, 0x80045530, &(0x7f0000000040)=""/64) [ 1400.575192][T19060] binder: send failed reply for transaction 11254, target dead [ 1400.575757][ T5298] binder_transaction: 90 callbacks suppressed [ 1400.575775][ T5298] binder: 5297:5298 transaction failed 29201/-22, size 24-16 line 3242 [ 1400.589306][ T5296] binder: 5295:5296 ioctl 40046207 0 returned -16 [ 1400.597729][ T5301] binder: 5295:5301 got transaction with too large buffer [ 1400.603791][T19060] binder: send failed reply for transaction 11255, target dead 01:57:33 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:33 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0xc) [ 1400.643801][T31106] binder: release 5300:5302 transaction 11263 out, still active 01:57:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1400.704009][ T5301] binder: 5295:5301 transaction failed 29201/-22, size 64-16 line 3357 [ 1400.710011][T31106] binder: send failed reply for transaction 11263, target dead [ 1400.722978][T31106] binder: send failed reply for transaction 11264, target dead [ 1400.731477][ T5309] binder: 5297:5309 transaction failed 29201/-22, size 24-16 line 3242 01:57:33 executing program 0: r0 = socket$vsock_dgram(0x28, 0x2, 0x0) r1 = syz_open_dev$audion(&(0x7f00000000c0)='/dev/audio#\x00', 0x9, 0x80000) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00') sendmsg$TIPC_CMD_SET_LINK_PRI(r1, &(0x7f0000000240)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x2a0000}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB='h\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="0c002abd7000fddbdf25010000000000000008410000004c00180000000062726f6164636173742d6c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000000000000"], 0x68}, 0x1, 0x0, 0x0, 0x20004000}, 0x4000880) connect(r0, &(0x7f0000000000)=@x25={0x9, @null=' \x00'}, 0xffffffffffffff33) r3 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r3, 0x800000000008982, &(0x7f0000000080)) [ 1400.752295][ T5311] dlm: plock device version mismatch: kernel (1.2.0), user (1.24576.0) [ 1400.757631][ T5296] binder: BINDER_SET_CONTEXT_MGR already set [ 1400.797972][ T5296] binder: 5295:5296 ioctl 40046207 0 returned -16 [ 1400.798062][T31106] binder_release_work: 96 callbacks suppressed [ 1400.798070][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1400.817175][ T5301] binder: 5295:5301 got transaction with too large buffer 01:57:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x7a00000000000000]}}}], 0x0, 0x0, 0x0}) 01:57:33 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6800, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1400.848138][ T5314] binder_alloc: 5297: binder_alloc_buf, no vma [ 1400.851119][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1400.871678][ T5314] binder: 5312:5314 transaction failed 29189/-3, size 24-0 line 3148 [ 1400.890511][ T5301] binder: transaction release 11269 bad handle 1, ret = -22 [ 1400.899449][ T5301] binder: 5295:5301 transaction failed 29201/-22, size 64-16 line 3357 [ 1400.910988][ T5319] binder: 5318:5319 transaction failed 29201/-22, size 24-16 line 3242 [ 1400.933257][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1400.934535][ T5321] dlm: plock device version mismatch: kernel (1.2.0), user (1.26624.0) 01:57:33 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000007480)='/dev/full\x00', 0x210300, 0x0) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000007500)='TIPCv2\x00') sendmsg$TIPC_NL_PEER_REMOVE(r1, &(0x7f0000007840)={&(0x7f00000074c0)={0x10, 0x0, 0x0, 0x40002}, 0xc, &(0x7f0000007800)={&(0x7f0000007540)={0x284, r2, 0xc04, 0x70bd2b, 0x25dfdbff, {}, [@TIPC_NLA_MEDIA={0x40, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'eth\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}]}]}, @TIPC_NLA_MON={0x14, 0x9, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x5}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x6}]}, @TIPC_NLA_NODE={0xc, 0x6, [@TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x2}]}, @TIPC_NLA_LINK={0x4}, @TIPC_NLA_MEDIA={0xf0, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x24, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x1}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x15}]}, @TIPC_NLA_MEDIA_PROP={0x4}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xc26}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffffffffffffe009}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x4c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfff}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffffffff}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1b}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x14}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x3c, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffffffffffffc}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x992}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x4}]}]}, @TIPC_NLA_BEARER={0x18, 0x1, [@TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xfffffffffffffc00}, @TIPC_NLA_BEARER_NAME={0xc, 0x1, @l2={'ib', 0x3a, 'sit0\x00'}}]}, @TIPC_NLA_MEDIA={0xc4, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x54, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xb}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x9}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1c}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x44, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xe3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xffff}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffffffffffffffc0}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xffff}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x5}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}]}, @TIPC_NLA_MON={0x24, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x5}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x9}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x8}]}, @TIPC_NLA_MON={0x1c, 0x9, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x3}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x80000000}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x7}]}]}, 0x284}, 0x1, 0x0, 0x0, 0x40}, 0x4000000) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1400.953227][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1400.963385][ T5319] binder: BINDER_SET_CONTEXT_MGR already set [ 1400.982050][ T5319] binder: 5318:5319 ioctl 40046207 0 returned -16 [ 1400.982276][T19060] binder: undelivered TRANSACTION_ERROR: 29201 01:57:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3800000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:33 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6c00, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1401.008531][ T5323] binder: 5318:5323 transaction failed 29189/-22, size 24-16 line 2995 [ 1401.047631][T19060] binder: undelivered TRANSACTION_ERROR: 29189 01:57:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x8000000000000000]}}}], 0x0, 0x0, 0x0}) [ 1401.073360][ T5327] binder: 5324:5327 got transaction with too large buffer [ 1401.108308][ T5330] dlm: plock device version mismatch: kernel (1.2.0), user (1.27648.0) 01:57:33 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x1f3003, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f00000000c0)={0xffffffffffffffff}) setsockopt$sock_attach_bpf(r2, 0x1, 0x32, &(0x7f0000000100)=r1, 0x4) write$P9_RLERROR(r1, &(0x7f0000000040)={0x14, 0x7, 0x1, {0xb, 'trustedproc'}}, 0x14) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:33 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0xf) [ 1401.127945][ T5327] binder: 5324:5327 transaction failed 29201/-22, size 64-16 line 3357 [ 1401.175677][ T5337] binder: 5324:5337 got transaction with too large buffer [ 1401.175854][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1401.196057][ T5336] binder: BINDER_SET_CONTEXT_MGR already set [ 1401.206430][ T5337] binder: 5324:5337 transaction failed 29201/-22, size 64-16 line 3357 [ 1401.215662][ T5327] binder: BINDER_SET_CONTEXT_MGR already set 01:57:33 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:33 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7400, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1401.227613][ T5336] binder: 5334:5336 ioctl 40046207 0 returned -16 [ 1401.249830][T31106] binder: undelivered TRANSACTION_ERROR: 29201 [ 1401.256189][ T5327] binder: 5324:5327 ioctl 40046207 0 returned -16 01:57:33 executing program 0: prctl$PR_MCE_KILL_GET(0x22) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00', 0x1}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1401.275570][ T5341] binder: 5334:5341 transaction failed 29201/-22, size 24-16 line 3242 01:57:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x3f00000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1401.320787][ T5345] binder_alloc: 5324: binder_alloc_buf, no vma [ 1401.331748][ T5336] binder: BINDER_SET_CONTEXT_MGR already set [ 1401.351020][ T5349] dlm: plock device version mismatch: kernel (1.2.0), user (1.29696.0) 01:57:33 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7a00, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1401.388903][T19060] binder: undelivered TRANSACTION_ERROR: 29189 [ 1401.397197][ T5336] binder: 5334:5336 ioctl 40046207 0 returned -16 [ 1401.403927][T19060] binder: undelivered TRANSACTION_ERROR: 29201 [ 1401.420796][ T5352] binder: BINDER_SET_CONTEXT_MGR already set 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x408041, 0x0) ioctl$SNDRV_RAWMIDI_IOCTL_DROP(r1, 0x40045730, &(0x7f0000000040)=0x8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1401.438363][ T5352] binder: 5351:5352 ioctl 40046207 0 returned -16 01:57:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xfdfdffff00000000]}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1401.513133][ T5359] dlm: plock device version mismatch: kernel (1.2.0), user (1.31232.0) 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x10) 01:57:34 executing program 0: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x80000, 0x0) r1 = syz_genetlink_get_family_id$ipvs(&(0x7f00000000c0)='IPVS\x00') ioctl$FS_IOC_RESVSP(r0, 0x40305828, &(0x7f0000000200)={0x0, 0x0, 0x100000000, 0x8}) sendmsg$IPVS_CMD_NEW_DAEMON(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000180)={&(0x7f0000000100)={0x78, r1, 0x0, 0x70bd2d, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_SERVICE={0x48, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x72}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}, @IPVS_SVC_ATTR_TIMEOUT={0x8}, @IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'rr\x00'}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@rand_addr=0x1}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x1e}]}, @IPVS_CMD_ATTR_DAEMON={0x14, 0x3, [@IPVS_DAEMON_ATTR_MCAST_TTL={0x8}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8}]}]}, 0x78}, 0x1, 0x0, 0x0, 0x10}, 0x1) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f0000000040)={0x2, 'vxcan1\x00'}, 0x2c3) ioctl(0xffffffffffffffff, 0x800000000008982, &(0x7f0000000080)) 01:57:34 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x1000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1401.613254][ T5367] binder: BINDER_SET_CONTEXT_MGR already set [ 1401.632895][ T5367] binder: 5365:5367 ioctl 40046207 0 returned -16 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x60, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4800000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) bpf$OBJ_GET_PROG(0x7, &(0x7f0000000040)={&(0x7f0000000000)='./file0\x00', 0x0, 0x8}, 0x10) [ 1401.671655][ T5377] dlm: plock device version mismatch: kernel (1.2.0), user (1.16777216.0) [ 1401.680545][ T5367] binder_transaction: 14 callbacks suppressed [ 1401.680560][ T5367] binder: 5365:5367 got transaction with invalid offset (-144678142324244480, min 24 max 24) or object. 01:57:34 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x2000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x11) 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1401.826527][ T5367] binder: transaction release 11310 bad handle 1, ret = -22 [ 1401.876086][ T5367] binder: BINDER_SET_CONTEXT_MGR already set [ 1401.905991][ T5393] dlm: plock device version mismatch: kernel (1.2.0), user (1.33554432.0) [ 1401.916981][ T5367] binder: 5365:5367 ioctl 40046207 0 returned -16 01:57:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0xffffffff00000000]}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) r1 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x400000, 0x0) write$P9_RRENAMEAT(r1, &(0x7f0000000040)={0x7, 0x4b, 0x1}, 0x7) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x4c00000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x3000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:34 executing program 0: openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x4000, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1402.040878][ T5405] binder: BINDER_SET_CONTEXT_MGR already set [ 1402.046904][ T5405] binder: 5404:5405 ioctl 40046207 0 returned -16 [ 1402.076842][ T5405] binder: 5404:5405 got transaction with invalid offset (-4294967296, min 24 max 24) or object. 01:57:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x5000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1402.100198][ T5408] dlm: plock device version mismatch: kernel (1.2.0), user (1.50331648.0) 01:57:34 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:34 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x19) 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1402.142768][ T5405] binder: transaction release 11334 bad handle 1, ret = -22 01:57:34 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = openat(r0, &(0x7f0000000000)='./file0\x00', 0x0, 0x10) write$P9_RSTAT(r1, &(0x7f00000000c0)={0x7c, 0x7d, 0x1, {0x0, 0x75, 0x5, 0x9, {0x10, 0x0, 0x5}, 0x2140000, 0x3e, 0x7, 0x401, 0x10, 'veth0_to_bridge\x00', 0x10, 'posix_acl_access', 0x12, 'keyring)-ppp1bdev^', 0x10, 'veth0_to_bridge\x00'}}, 0x7c) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1402.200124][ T5405] binder: BINDER_SET_CONTEXT_MGR already set [ 1402.233795][ T5423] dlm: plock device version mismatch: kernel (1.2.0), user (1.67108864.0) 01:57:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1402.247322][ T5405] binder: 5404:5405 ioctl 40046207 0 returned -16 [ 1402.247419][ T5419] binder: 5404:5419 got transaction with invalid offset (-4294967296, min 24 max 24) or object. [ 1402.280442][ T5419] binder: transaction release 11346 bad handle 1, ret = -22 01:57:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x2}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:34 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x5000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1402.322381][ T5429] binder: BINDER_SET_CONTEXT_MGR already set [ 1402.343147][ T5429] binder: 5428:5429 ioctl 40046207 0 returned -16 01:57:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6800000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000040)) r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full\x00', 0x200, 0x0) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snapshot\x00', 0x0, 0x0) ioctl$PERF_EVENT_IOC_SET_OUTPUT(r1, 0x2405, r2) r3 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ubi_ctrl\x00', 0x800, 0x0) prctl$PR_GET_SPECULATION_CTRL(0x34, 0x0, 0x2) ioctl$ASHMEM_PURGE_ALL_CACHES(r3, 0x770a, 0x0) [ 1402.427604][ T5438] dlm: plock device version mismatch: kernel (1.2.0), user (1.83886080.0) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1402.487533][ T5441] binder: 5440:5441 got transaction with unaligned buffers size, 2 [ 1402.523948][ T5445] binder: BINDER_SET_CONTEXT_MGR already set 01:57:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x48) [ 1402.569655][ T5445] binder: 5443:5445 ioctl 40046207 0 returned -16 [ 1402.570027][ T5447] binder: 5440:5447 got transaction with unaligned buffers size, 2 [ 1402.586277][ T5452] dlm: plock device version mismatch: kernel (1.2.0), user (1.100663296.0) 01:57:35 executing program 0: r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x1c240, 0x0) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x400, 0x1000000000000}, &(0x7f00000000c0)=0x10) setsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f0000000100)={r1, @in6={{0xa, 0x4e23, 0xe740, @mcast2, 0xe9}}, 0xaa, 0x4}, 0x90) r2 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r2, 0x800000000008982, &(0x7f0000000080)) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x3}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x6c00000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x1, 0x2) getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r1, 0x84, 0x71, &(0x7f0000000000)={0x0, 0x4}, &(0x7f00000001c0)=0x8) setsockopt$inet_sctp_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000500)=ANY=[@ANYRES32=r2, @ANYBLOB="056f050000000000000034643f904b09e600040030004024f5158990c7f3180b7000100300"], 0x10) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000004c0)='vlan0\x00', 0x10) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r1, 0x29, 0xd2, &(0x7f0000000140)={{0xa, 0x4e21, 0x5, @ipv4={[], [], @broadcast}, 0x7}, {0xa, 0x4e24, 0x4, @remote, 0x4f}, 0x1, [0x3, 0x7, 0x3, 0x0, 0x4, 0x800, 0x5, 0x1]}, 0x5c) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r1, 0x820000000028982, &(0x7f0000000200)="2adb5cdaa8bbfebe7c29f757ff2b058be585747a9c3f2061016c53034e07f58a40d1afa6d8ab6e474e0029513e04971713adb3ea") sendto(r0, &(0x7f0000000280)="5791dadb832d3995acba519ed79ec85b5ca269d2ac098294d5eba66a61b4ded21431615ac88716dd9f6261e3044e515d2e3ed3e9a60aaf70be75caaa0534ce79d28552eb53383b531e8773bbd42d2ae6c01f52ddf258e2b9e81e20175063e2c3be35e96cf7527186615d5b5004651ba4d55410f14e601098ec2f7cb7d1b7fc20a84501c8b6fd4d51d68543a9028171ac4e68ed73160300000000000000ec0af3b0be02e9700d7a257452b2e52e8e271a13d0c3f4828cd6a48152e383be9fbac510c61c12450e5525da7ba5b4a56cc703f1772e1fe0fafd47f72f9a491534d57764d3564b3f63ca49f10bc1c615f8005c8a439c3667785883518d612db28dafc898c8c7681b8c94698f86dd84bb22da946b8dfe74231490014909d5ff82984ae04602007c277da669bb3134ccc134c672b0d4bf1dd4e465d50f64d826664ec668a7525c97ba0a7bb97ad3fa9bee346ebec51b9bacdcf2ac74d10b3514f89826c644a91afca08f5f7c000000000059e98e5c3dfb302c8b080a5f441779136fb998a878b63fbd43205ce056f3b71fd972e4e9ce552d5a66f2554f849c8be9f4a6f5206546e7e446ed04f2c51805926e55122990d58a1ed7dc272e80e5e56ff0386637dfc32ac5a5be22548e4b643b964dff3cfa62a4188415ff3784deb0bdd3aefbd83bfa04a389031e64a1290dbe32425b206642b631d88cbb11c0ac51514a20951b584a4c715ea84a9d2f5edc575bb1df1b4d3d64f093e429e9360008c86988ab8802968fb240514f374e5556e1e67f00"/570, 0x23a, 0x80, &(0x7f00000000c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, r1, 0x3, 0x4, 0x1, 0x0, {0xa, 0x4e22, 0x9, @empty, 0x10001}}}, 0xd8) ioctl$RTC_ALM_READ(r1, 0x80247008, &(0x7f0000000540)) [ 1402.723873][ T5461] binder: 5459:5461 got transaction with unaligned buffers size, 3 [ 1402.725824][ T5463] dlm: plock device version mismatch: kernel (1.2.0), user (1.117440512.0) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1402.784471][ T5469] binder: BINDER_SET_CONTEXT_MGR already set [ 1402.819281][ T5471] binder: 5459:5471 got transaction with unaligned buffers size, 3 01:57:35 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x20000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1402.831692][ T5469] binder: 5467:5469 ioctl 40046207 0 returned -16 01:57:35 executing program 0: r0 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x0, 0x703240) r1 = accept4$alg(r0, 0x0, 0x0, 0x1080000) r2 = creat(&(0x7f0000000040)='./file0\x00', 0x0) ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, &(0x7f00000000c0)={r1, r2}) bind$rds(r0, &(0x7f0000000100)={0x2, 0x4e24, @multicast1}, 0x10) r3 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'cge\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x10\x00'}, 0x18) ioctl$PIO_FONTRESET(r2, 0x4b6d, 0x0) ioctl(r3, 0x800000000008982, &(0x7f0000000080)) ioctl$FICLONE(r1, 0x40049409, r1) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x4}}], 0x0, 0x0, 0x0}) [ 1402.889876][ T5469] binder: BINDER_SET_CONTEXT_MGR already set [ 1402.916830][ T5469] binder: 5467:5469 ioctl 40046207 0 returned -16 [ 1402.923630][ T5480] dlm: plock device version mismatch: kernel (1.2.0), user (1.536870912.0) 01:57:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x4c) 01:57:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7400000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x3f000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1402.987671][ T5485] binder: 5484:5485 got transaction with unaligned buffers size, 4 01:57:35 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) ioctl$sock_inet_SIOCGIFNETMASK(r0, 0x891b, &(0x7f0000000000)={'veth0\x00', {0x2, 0x4e22, @multicast1}}) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1403.068393][ T5493] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.107582][ T5493] binder: 5484:5493 ioctl 40046207 0 returned -16 01:57:35 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x3, 'veth0_to_bridge\x00', 0x2000000000001}, 0xfffffffffffffffd) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) [ 1403.107775][ T5494] binder: 5484:5494 got transaction with unaligned buffers size, 4 [ 1403.122123][ T5492] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.128113][ T5492] binder: 5491:5492 ioctl 40046207 0 returned -16 [ 1403.152823][ T5500] dlm: plock device version mismatch: kernel (1.2.0), user (1.1056964608.0) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x48000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1403.243382][ T5492] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.259643][ T5492] binder: 5491:5492 ioctl 40046207 0 returned -16 01:57:35 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f00000002c0)={{{@in6=@ipv4={[], [], @multicast1}, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @remote}}, 0x0, @in=@local}}, &(0x7f0000000000)=0xe8) setsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f00000001c0)={{{@in=@initdev={0xac, 0x1e, 0x1, 0x0}, @in=@empty, 0x4e22, 0x7c72, 0x4e20, 0x0, 0x0, 0x80, 0x20, 0x8, 0x0, r1}, {0x8, 0xffffffffffffffff, 0x101, 0x8, 0x10000, 0x4, 0x5}, {0x1000, 0x2, 0x8000, 0x2}, 0x8, 0x0, 0x3, 0x0, 0x1}, {{@in=@loopback, 0x4d2, 0xa625963ce9d2c876}, 0x2, @in6=@mcast2, 0x34ff, 0x3, 0x2, 0x100000000, 0x2, 0x8, 0xfffffffffffffffb}}, 0xe8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x4, 0x40100) 01:57:35 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x60) 01:57:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x5}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x7a00000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1403.324079][ T5513] dlm: plock device version mismatch: kernel (1.2.0), user (1.1207959552.0) 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x4c000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1403.391372][ T5517] binder: 5516:5517 got transaction with unaligned buffers size, 5 [ 1403.417066][ T5522] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.454059][ T5525] binder_alloc: 5516: binder_alloc_buf, no vma [ 1403.465949][ T5528] dlm: plock device version mismatch: kernel (1.2.0), user (1.1275068416.0) [ 1403.469686][ T5522] binder: 5521:5522 ioctl 40046207 0 returned -16 [ 1403.491602][ T5517] binder: BINDER_SET_CONTEXT_MGR already set 01:57:36 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = socket$inet(0x2, 0x5, 0x43) getsockopt$IP_VS_SO_GET_TIMEOUT(r0, 0x0, 0x486, &(0x7f0000000000), &(0x7f0000000040)=0xc) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r2 = fcntl$dupfd(r0, 0x406, r1) connect$bt_sco(r2, &(0x7f00000000c0)={0x1f, {0x8, 0x1000, 0x1, 0x6, 0x7, 0xd459}}, 0x8) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) 01:57:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1403.507487][T19558] binder: send failed reply for transaction 11401 to 5518:5524 [ 1403.515272][ T5517] binder: 5516:5517 ioctl 40046207 0 returned -16 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x60000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:36 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x68) [ 1403.566113][ T5529] binder_alloc: 5516: binder_alloc_buf, no vma 01:57:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x6}}], 0x0, 0x0, 0x0}) [ 1403.607741][ T5539] dlm: plock device version mismatch: kernel (1.2.0), user (1.1610612736.0) 01:57:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x8000000000000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1403.692984][ T5549] binder: 5545:5549 got transaction with unaligned buffers size, 6 01:57:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:36 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_EDITDEST(r0, 0x0, 0x489, &(0x7f00000000c0)={{0x32, @empty, 0x7, 0x4, 'rr\x00', 0x0, 0x1, 0x41}, {@remote, 0x4e22, 0x1, 0x9, 0x8, 0x8000}}, 0x44) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) setsockopt$inet_dccp_buf(r0, 0x21, 0xe, &(0x7f0000000000)="b8f3c503c6720174deb37a10f2b6d4da8e222c7e1dfe90612ce0b12e0f7f5024c8227ff4d185f43c81ee63f907b628cd97a11474a8676beb56c6db4454ab", 0x3e) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x68000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1403.785448][ T5549] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.809060][ T5558] IPVS: set_ctl: invalid protocol: 50 0.0.0.0:7 [ 1403.825239][ T5561] dlm: plock device version mismatch: kernel (1.2.0), user (1.1744830464.0) [ 1403.846688][ T5558] IPVS: set_ctl: invalid protocol: 50 0.0.0.0:7 [ 1403.849764][ T5549] binder: 5545:5549 ioctl 40046207 0 returned -16 [ 1403.853070][ T5555] binder: BINDER_SET_CONTEXT_MGR already set [ 1403.883175][T19060] binder_thread_release: 22 callbacks suppressed [ 1403.883186][T19060] binder: release 5560:5562 transaction 11411 out, still active [ 1403.889435][ T5556] binder: 5545:5556 got transaction with unaligned buffers size, 6 [ 1403.891270][ T5555] binder: 5554:5555 ioctl 40046207 0 returned -16 [ 1403.911736][T19060] binder_release_work: 25 callbacks suppressed [ 1403.911742][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x6c000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1403.948683][T19060] binder: release 5560:5565 transaction 11414 out, still active [ 1403.972185][T19060] binder: undelivered TRANSACTION_COMPLETE 01:57:36 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x6c) 01:57:36 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, &(0x7f00000000c0)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x7}}], 0x0, 0x0, 0x0}) [ 1404.000967][ T5567] dlm: plock device version mismatch: kernel (1.2.0), user (1.1811939328.0) [ 1404.018939][T19558] binder: release 5568:5569 transaction 11417 out, still active [ 1404.038587][T19558] binder: undelivered TRANSACTION_COMPLETE 01:57:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xfdfdffff00000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1404.062530][T19558] binder_send_failed_reply: 21 callbacks suppressed [ 1404.062537][T19558] binder: send failed reply for transaction 11411, target dead [ 1404.102524][T19558] binder: send failed reply for transaction 11414, target dead 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x74000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:36 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1404.113640][ T5576] binder: 5573:5576 got transaction with unaligned buffers size, 7 [ 1404.144713][T19558] binder: send failed reply for transaction 11417, target dead [ 1404.159094][ T5580] binder: BINDER_SET_CONTEXT_MGR already set 01:57:36 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x8000, &(0x7f00000000c0)="a0ba1752553ade447700b3aa0000002b4833083ddb") r1 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0xffffffffffff8000, 0x200400) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000100)='TIPC\x00') sendmsg$TIPC_CMD_RESET_LINK_STATS(r1, &(0x7f00000001c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0xe940e6be3b7cfcde}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x30, r2, 0x300, 0x70bd29, 0x25dfdbfd, {{}, 0x0, 0x410c, 0x0, {0x14, 0x14, 'broadcast-link\x00'}}, ["", "", "", "", "", "", ""]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x4000) [ 1404.171343][T19558] binder: send failed reply for transaction 11421 to 5568:5570 [ 1404.188810][ T5585] dlm: plock device version mismatch: kernel (1.2.0), user (1.1946157056.0) [ 1404.199395][ T5580] binder: 5579:5580 ioctl 40046207 0 returned -16 [ 1404.206018][ T5576] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.219782][ T5576] binder: 5573:5576 ioctl 40046207 0 returned -16 [ 1404.227231][ T5580] binder_alloc: 5573: binder_alloc_buf, no vma [ 1404.251356][ T5580] binder: BINDER_SET_CONTEXT_MGR already set 01:57:36 executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt$IP_VS_SO_GET_DAEMON(r0, 0x0, 0x487, &(0x7f0000000080), &(0x7f0000000240)=0x30) r1 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(r1, 0x0, 0x48c, &(0x7f0000000200)={0x2, 'veth0_to?brydge\x00', 0x200000000}, 0x18) accept4(r1, &(0x7f0000000140)=@ipx, &(0x7f00000001c0)=0x80, 0x80000) getsockopt$inet_mreq(r1, 0x0, 0x20, &(0x7f0000000000)={@initdev, @empty}, &(0x7f0000000040)=0x8) ioctl(r1, 0x7fffffff, &(0x7f00000000c0)="2553e5d8b01c783ede65af") syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0x1, 0x200000) 01:57:36 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x7a000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1404.294220][ T5580] binder: 5579:5580 ioctl 40046207 0 returned -16 [ 1404.294706][ T5581] binder_alloc: 5573: binder_alloc_buf, no vma [ 1404.307957][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1404.329729][ T5584] binder_alloc: 5573: binder_alloc_buf, no vma 01:57:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0xa}}], 0x0, 0x0, 0x0}) 01:57:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0xffffffff00000000}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) 01:57:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x74) 01:57:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1404.422287][ T5595] dlm: plock device version mismatch: kernel (1.2.0), user (1.2046820352.0) [ 1404.449436][ T5600] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.455472][ T5600] binder: 5596:5600 ioctl 40046207 0 returned -16 01:57:37 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x100000000000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:37 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) r1 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x6, 0x230000) ioctl$EVIOCSREP(r1, 0x40084503, &(0x7f0000000040)=[0x5, 0x1ff]) [ 1404.468122][ T5599] binder_transaction: 18 callbacks suppressed [ 1404.468134][ T5599] binder: 5598:5599 got transaction with too large buffer [ 1404.541277][ T5600] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.557306][ T5612] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1404.564361][ T5608] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.570746][ T5600] binder: 5596:5600 ioctl 40046207 0 returned -16 01:57:37 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) socket$vsock_dgram(0x28, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f0000000080)) 01:57:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x10}}], 0x0, 0x0, 0x0}) [ 1404.603940][ T5608] binder: 5598:5608 ioctl 40046207 0 returned -16 [ 1404.637917][ T5609] binder: 5598:5609 got transaction with too large buffer [ 1404.639205][T19060] binder: release 5606:5610 transaction 11436 out, still active 01:57:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) 01:57:37 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x200000000000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1404.683840][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1404.716249][T19060] binder: release 5606:5616 transaction 11439 out, still active 01:57:37 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x7a) 01:57:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}, @ptr={0x70742a85, 0xffffff7f, 0x0, 0x0, 0x2}], &(0x7f00000005c0)=[0x0, 0x18]}}}], 0x0, 0x0, 0x0}) [ 1404.741674][ T5621] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.742164][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1404.776299][ T5621] binder: 5620:5621 ioctl 40046207 0 returned -16 [ 1404.779331][ T5623] binder_alloc: 5598: binder_alloc_buf, no vma 01:57:37 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000000)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl$FS_IOC_MEASURE_VERITY(r0, 0xc0046686, &(0x7f0000000180)=ANY=[@ANYBLOB="0300da00a9da4cca8c4f559e4ba1a65ab1fa34499a53af817bfefbd3d10ad10af247295f939927fe835226264bfdf036d3a16d656a6a836310eece353cdd87e4d626ccfeced1964a7bf10cb213e424d83a43ffa33d3a92b2e66be69bd1e35526ea8dc98e9e3a8c4e255432d3941fd45f8a19c69b142c994276b6726081d39ae6059afe24cd5e5d6beaede30fd7cdaa8cfc05ca00eb526446e31da336e4fe4cc6c1818f785ff7ac1c9373c85a3ef5fa49d9ac14e2586b62c0da0bad16a80757c96220ed235bece9162b86742555f9990a06de377947ced064e3629becaca9"]) r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x400000, 0x0) write$FUSE_BMAP(r1, &(0x7f0000000080)={0x18, 0xffffffffffffffda, 0x5, {0x2}}, 0x18) ioctl(r0, 0x7ffc, &(0x7f00000000c0)="0faace72c33f550206c3510399108d0578441f02dea2b4b4989f99b51e8c46b36c1be0a3e02cd37f7f5c65f7a0676b4d5c8dd0d9cc7c308aea97b629f1d82db1f4488e78a77375d17bc826603b5726980452a01ff9fcb85cd13a4751ce812c0c559cbe59ac90b0ec56e7dda6a174db11109c9aa77dc27fc80e5c744973bd104052de624290ea7dab324e5d3b4bf9269dcaeda080649110874727") [ 1404.789888][ T5625] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1404.801939][T19060] binder: send failed reply for transaction 11436, target dead [ 1404.812011][ T5628] binder: 5620:5628 got transaction with invalid offset (0, min 24 max 24) or object. [ 1404.839245][T19060] binder: send failed reply for transaction 11439, target dead [ 1404.844998][ T5630] binder: BINDER_SET_CONTEXT_MGR already set 01:57:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x10, &(0x7f0000000580)=[@flat={0x77622a85}], &(0x7f00000005c0)=[0x0, 0x0]}, 0x18}}], 0x0, 0x0, 0x0}) 01:57:37 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x300000000000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:37 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = open(&(0x7f0000000000)='./file0\x00', 0x48c0, 0x0) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f00000000c0)={0x0, @in6={{0xa, 0x4e22, 0x10000000, @remote, 0x2}}}, &(0x7f0000000040)=0x84) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r1, 0x84, 0x18, &(0x7f0000000180)={r2, 0x2}, &(0x7f0000000240)=0x8) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0xffffffff, &(0x7f00000001c0)="13d401f85da51559ad7dd9bed749c074fe536be852969058e9d915a6181a577514c6fa25f1f5393cee95152a344e07f7ee3d03dcf880b6bcf963e31ea585f343ffa404ec94013b1dfbc304c3ce21b6ae77dd9642c1258b1b2e") [ 1404.896734][ T5630] binder: 5629:5630 ioctl 40046207 0 returned -16 01:57:37 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1404.940001][ T5636] ------------[ cut here ]------------ [ 1404.945501][ T5636] kernel BUG at drivers/android/binder_alloc.c:1139! [ 1404.960356][ T5639] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1404.982435][ T5643] binder: BINDER_SET_CONTEXT_MGR already set [ 1404.990209][ T5636] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 1404.996294][ T5636] CPU: 0 PID: 5636 Comm: syz-executor.4 Not tainted 5.1.0-rc6+ #85 [ 1404.996317][ T3876] kobject: 'loop0' (0000000001eb3d4f): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 1405.004176][ T5636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1405.004219][ T5636] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 1405.004236][ T5636] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 cf 5d 23 fc 4c 89 e6 4c 89 ef e8 e4 5e 23 fc 4d 39 e5 76 07 e8 ba 5d 23 fc <0f> 0b e8 b3 5d 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 c1 [ 1405.004253][ T5636] RSP: 0018:ffff8880981ef4e0 EFLAGS: 00010212 [ 1405.029064][ T3876] kobject: 'loop3' (00000000730ad5fc): kobject_uevent_env [ 1405.030930][ T5636] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9000e864000 [ 1405.030938][ T5636] RDX: 000000000000063e RSI: ffffffff854d2f36 RDI: 0000000000000006 [ 1405.030946][ T5636] RBP: ffff8880981ef560 R08: ffff8880594f6240 R09: 0000000000000008 [ 1405.030954][ T5636] R10: ffffed101303df15 R11: ffff8880981ef8af R12: 0000000000000048 [ 1405.030963][ T5636] R13: 0000000000000008 R14: 0000000000000050 R15: 0000000000000000 [ 1405.030974][ T5636] FS: 00007fd0e4da3700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 1405.030992][ T5636] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1405.053685][ T3876] kobject: 'loop3' (00000000730ad5fc): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 1405.056662][ T5636] CR2: 0000001b2d821000 CR3: 000000006542e000 CR4: 00000000001406f0 [ 1405.056672][ T5636] Call Trace: [ 1405.056691][ T5636] ? find_held_lock+0x35/0x130 [ 1405.056714][ T5636] binder_alloc_copy_from_buffer+0x37/0x42 [ 1405.151014][ T5636] binder_validate_ptr+0xcc/0x1d0 [ 1405.156044][ T5636] ? binder_get_object+0x210/0x210 [ 1405.161156][ T5636] ? binder_alloc_copy_user_to_buffer+0x312/0x480 [ 1405.167578][ T5636] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 1405.173310][ T5636] binder_transaction+0x3e02/0x65c0 [ 1405.178537][ T5636] ? binder_thread_read+0x3d30/0x3d30 [ 1405.183913][ T5636] ? __lock_acquire+0x548/0x3fb0 [ 1405.188861][ T5636] ? __might_fault+0x12b/0x1e0 [ 1405.193644][ T5636] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1405.201342][ T5636] ? _copy_from_user+0xdd/0x150 [ 1405.206197][ T5636] binder_thread_write+0x87e/0x2820 [ 1405.211406][ T5636] ? binder_transaction+0x65c0/0x65c0 [ 1405.216779][ T5636] ? __might_fault+0x12b/0x1e0 [ 1405.221549][ T5636] ? lock_downgrade+0x880/0x880 [ 1405.226407][ T5636] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1405.232649][ T5636] ? _copy_from_user+0xdd/0x150 [ 1405.237510][ T5636] binder_ioctl+0x1033/0x183b [ 1405.242191][ T5636] ? binder_thread_write+0x2820/0x2820 [ 1405.247650][ T5636] ? tomoyo_path_number_perm+0x263/0x520 [ 1405.253285][ T5636] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 1405.259103][ T5636] ? binder_thread_write+0x2820/0x2820 [ 1405.264565][ T5636] do_vfs_ioctl+0xd6e/0x1390 [ 1405.269155][ T5636] ? ioctl_preallocate+0x210/0x210 [ 1405.274267][ T5636] ? __fget+0x381/0x550 [ 1405.278422][ T5636] ? ksys_dup3+0x3e0/0x3e0 [ 1405.282841][ T5636] ? nsecs_to_jiffies+0x30/0x30 [ 1405.287700][ T5636] ? tomoyo_file_ioctl+0x23/0x30 [ 1405.292646][ T5636] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1405.298897][ T5636] ? security_file_ioctl+0x93/0xc0 [ 1405.304014][ T5636] ksys_ioctl+0xab/0xd0 [ 1405.308171][ T5636] __x64_sys_ioctl+0x73/0xb0 [ 1405.312764][ T5636] do_syscall_64+0x103/0x610 [ 1405.317361][ T5636] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1405.323249][ T5636] RIP: 0033:0x458da9 [ 1405.327165][ T5636] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1405.346772][ T5636] RSP: 002b:00007fd0e4da2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1405.355186][ T5636] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9 [ 1405.363177][ T5636] RDX: 0000000020000780 RSI: 00000000c0306201 RDI: 0000000000000003 [ 1405.371149][ T5636] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 1405.379117][ T5636] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd0e4da36d4 01:57:38 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, 0x0) r2 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r2, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4008ae89, &(0x7f00000000c0)={0x77, 0x0, [0x4b564d02, 0x3]}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000140)={[], 0x0, 0xfffffffffffffffd}) ioctl$KVM_RUN(r3, 0xae80, 0x300) [ 1405.387087][ T5636] R13: 00000000004c010e R14: 00000000004d2468 R15: 00000000ffffffff [ 1405.395065][ T5636] Modules linked in: [ 1405.409215][ T26] audit: type=1800 audit(1556243857.551:47): pid=5646 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=16586 res=0 [ 1405.409354][ T5643] binder: 5638:5643 ioctl 40046207 0 returned -16 01:57:38 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x800000000008982, &(0x7f00000000c0)="cdbaef8f0b5363c9dd2c05e97db5e773cc6b2af282c55ce298d5e0403636328b89aacafd1d92b9c3f7dec472796e10ee00d981aa45bf5997c9488cc194470ea312351b668935f471fa75301f4c8462dbd405dd2953bf7a8d596943215c16aa5d176740d8a3c47aa3ffbf650b0d28ed0a2d2261bbddacfb2f") signalfd4(r0, &(0x7f0000000000)={0x6}, 0x8, 0x800) 01:57:38 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x400000000000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) [ 1405.445209][ T3876] kobject: 'loop1' (000000008967c0db): kobject_uevent_env [ 1405.447171][ T5649] binder: 5638:5649 got transaction with invalid offset (0, min 24 max 24) or object. [ 1405.459887][ T3876] kobject: 'loop1' (000000008967c0db): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 1405.467601][ T5636] ---[ end trace 8d9da60229e1e26d ]--- [ 1405.480422][T19060] binder: release 5645:5647 transaction 11455 out, still active [ 1405.486226][ T5650] kobject: 'kvm' (000000002d2cae85): kobject_uevent_env [ 1405.490443][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1405.499787][ T5652] dlm: dev_write no op 34bde833 b35018ee82ec6180 [ 1405.510161][ T3876] kobject: 'loop2' (00000000b1481de3): kobject_uevent_env [ 1405.517464][T19060] binder: release 5645:5653 transaction 11456 out, still active [ 1405.519267][ T5636] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 1405.531896][ T5650] kobject: 'kvm' (000000002d2cae85): fill_kobj_path: path = '/devices/virtual/misc/kvm' 01:57:38 executing program 2: r0 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock\x00', 0x1, 0x0) write$nbd(r0, &(0x7f0000000000)={0x1000000, 0x500000000000000, 0x0, 0x0, 0x0, "82b0cfc4336aa6771538be0633e8bd348061ec82ee1850b35616b17333ad88f7e4a258981e458e96afda2a87223ba7f4"}, 0x40) 01:57:38 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000780)={0x4c, 0x0, &(0x7f0000000600)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000580)=[@flat], 0x0}}}], 0x0, 0x0, 0x0}) [ 1405.545629][ T3876] kobject: 'loop2' (00000000b1481de3): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 1405.557168][ T5649] binder: 5638:5649 got transaction with invalid offset (0, min 24 max 24) or object. [ 1405.564231][T19060] binder: undelivered TRANSACTION_COMPLETE [ 1405.571960][ T5659] dlm: dev_write no op 34bde833 b35018ee82ec6180 01:57:38 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$IP_VS_SO_SET_STOPDAEMON(0xffffffffffffffff, 0x0, 0x48c, &(0x7f0000000080)={0x2, 'veth0_to_bridge\x00'}, 0x18) ioctl(r0, 0x100000000, &(0x7f0000000080)) getsockopt$IPT_SO_GET_ENTRIES(r0, 0x0, 0x41, &(0x7f00000000c0)={'raw\x00', 0xce, "334953c4c13cfdb9e509997a9e2dcf115fcdece7ed5c3005be96dc603e173c58f589cb42c9d6e94456c71b9f2e2ac536b44af35abb8120455ac6a887129ef0a135d18136040f5572be7bb766996453839d1b07aec56e54de890ec5bba11c4ba1e3e6750330a85d63e833e420f7fdb544304f8c8e6e7205385528cd6aaa2364445b9441b104576e7862b729b9256f3fda65eda07a0afe3d2e3a5203ad8f038840c3de2d3a699575449596abbbc62a2f3bd9e72221a547c925737607633f33d0545f56cbec77c67200a4d4bfb88a02"}, &(0x7f0000000000)=0xf2) [ 1405.579112][ T5636] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 cf 5d 23 fc 4c 89 e6 4c 89 ef e8 e4 5e 23 fc 4d 39 e5 76 07 e8 ba 5d 23 fc <0f> 0b e8 b3 5d 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 c1 [ 1405.587608][ T3876] kobject: 'loop0' (0000000001eb3d4f): kobject_uevent_env [ 1405.603186][T19558] binder: release 5660:5661 transaction 11460 out, still active [ 1405.619473][ T5643] binder: BINDER_SET_CONTEXT_MGR already set [ 1405.630589][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1405.645591][ T5649] binder_transaction: 67 callbacks suppressed [ 1405.645608][ T5649] binder: 5638:5649 transaction failed 29201/-22, size 24-16 line 3242 [ 1405.659116][ T3876] kobject: 'loop0' (0000000001eb3d4f): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 1405.670836][ T5636] RSP: 0018:ffff8880981ef4e0 EFLAGS: 00010212 [ 1405.677627][T19558] binder: release 5660:5664 transaction 11461 out, still active [ 1405.678785][ T5648] kobject: 'kvm' (000000002d2cae85): kobject_uevent_env [ 1405.685656][ T5643] binder: 5638:5643 ioctl 40046207 0 returned -16 [ 1405.697777][ T3876] kobject: 'loop2' (00000000b1481de3): kobject_uevent_env [ 1405.698953][T19558] binder: undelivered TRANSACTION_COMPLETE [ 1405.708881][ T5648] kobject: 'kvm' (000000002d2cae85): fill_kobj_path: path = '/devices/virtual/misc/kvm' [ 1405.712543][ T5636] RAX: 0000000000040000 RBX: 0000000020001000 RCX: ffffc9000e864000 [ 1405.721871][ T3876] kobject: 'loop2' (00000000b1481de3): fill_kobj_path: path = '/devices/virtual/block/loop2' [ 1405.730583][ T5636] RDX: 000000000000063e RSI: ffffffff854d2f36 RDI: 0000000000000006 [ 1405.748395][ T5636] RBP: ffff8880981ef560 R08: ffff8880594f6240 R09: 0000000000000008 [ 1405.756683][ T5636] R10: ffffed101303df15 R11: ffff8880981ef8af R12: 0000000000000048 [ 1405.765167][ T5636] R13: 0000000000000008 R14: 0000000000000050 R15: 0000000000000000 [ 1405.773585][ T5636] FS: 00007fd0e4da3700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 1405.776913][ T3876] kobject: 'loop3' (00000000730ad5fc): kobject_uevent_env [ 1405.782882][ T5636] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1405.789825][ T3876] kobject: 'loop3' (00000000730ad5fc): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 1405.814163][ T3876] kobject: 'loop0' (0000000001eb3d4f): kobject_uevent_env [ 1405.819187][ T5636] CR2: 000000000070d158 CR3: 000000006542e000 CR4: 00000000001426f0 [ 1405.821419][ T3876] kobject: 'loop0' (0000000001eb3d4f): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 1405.840172][ T5636] Kernel panic - not syncing: Fatal exception [ 1405.842953][ T3876] kobject: 'loop2' (00000000b1481de3): kobject_uevent_env [ 1405.846978][ T5636] Kernel Offset: disabled [ 1405.858364][ T5636] Rebooting in 86400 seconds..