00ff8), 0x4}) clock_gettime(0x7, &(0x7f0000000200)) 05:00:35 executing program 1: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:35 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x600}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1031.540599] ALSA: seq fatal error: cannot create timer (-22) [ 1031.584555] binder: 27761:27768 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1031.594132] binder: 27763:27765 ERROR: BC_REGISTER_LOOPER called without request [ 1031.611857] binder: 27761:27768 BC_FREE_BUFFER u0000000000000000 no match [ 1031.622903] binder: 27763:27765 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER 05:00:35 executing program 4: r0 = socket$inet_smc(0x2b, 0x1, 0x0) listen(r0, 0x0) shutdown(r0, 0x2) r1 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x9, 0x0) ioctl$KVM_IRQ_LINE(r1, 0x4008ae61, &(0x7f0000000040)={0x100000000, 0x287}) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0xfffffffffffffffc, 0x31, 0xffffffffffffffff, 0x0) setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x3, &(0x7f0000000600)={0x303, 0x33}, 0x6) setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000080)={@dev={0xac, 0x14, 0x14, 0x17}, @remote={0xac, 0x14, 0x14, 0xbb}, 0x0, 0x3, [@remote={0xac, 0x14, 0x14, 0xbb}, @multicast1=0xe0000001, @broadcast=0xffffffff]}, 0x1c) ioctl$EVIOCGMASK(r1, 0x80104592, &(0x7f0000000100)={0x15, 0x2d, &(0x7f00000000c0)="6600ce37fce64491d7fdc7e74b666391b6e526712a33b8fdb4acb2a5232d8c28f76bf81ba3863f8d501a9d56f6"}) 05:00:35 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0xf}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:35 executing program 1: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:35 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:35 executing program 7: r0 = syz_open_dev$sg(&(0x7f0000005000)='/dev/sg#\x00', 0x0, 0x8002) r1 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$mice(&(0x7f0000000100)='/dev/input/mice\x00', 0x0, 0x200) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r2, 0x84, 0x6, &(0x7f0000000380)={0x0, @in={{0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x12}}}}, &(0x7f0000000200)=0x84) getsockopt$inet_sctp_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000000440)={r3, 0x20, 0x3, 0x8, 0x8, 0xffffffffffffffc1}, &(0x7f0000000480)=0x14) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f00000001c0)) getpid() r4 = fcntl$getown(r0, 0x9) r5 = syz_open_procfs(r4, &(0x7f0000000240)="6e65742f70736368656400f14bde37add687de9028c66e08a511ea72ccd2baec14d87c9cf48ae0f8613a4ee1166d96729a2456b8d243a5dabd236a4e371abf5c149ec12ad4d0696c47af027cde611c68498d20923cdbc76a975bceb2554e92994c2101354ddbec3496b3c4b7d02258651d646330508f35c166240f4285b930c7042cf4edd3b7614f369a54e3ad72c26937a8cc1b683b6821468940ad1a312739c2d03ba1df33ef05a551fa306420846ff74707d6a7f7c46a29053dbdc0a39d664778f70e69dca0c730738563a61790d1881e5920e45d3c92fd39bd4acdebfcc1ef047c876601ba1741a9367f69ba641fd4043acb97280664adbb586f96f5aad40700000000") write(r1, &(0x7f0000000500)="b63db85e1e8d020000c21da48c576116386e000000003ef0011dcc606aed69d2bc7037cebc9bc2feffffff56ffffffe22c9b160096aa1f8e1a", 0x397) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f0000000040)={0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f00000000c0)={r6}) readv(r0, &(0x7f000085dff0)=[{&(0x7f0000e94000)=""/62, 0x10024}], 0x146) ioctl$TUNSETLINK(r2, 0x400454cd, 0x207) [ 1031.645536] binder: 27761:27768 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1031.679923] binder: 27761:27768 BC_FREE_BUFFER u0000000000000000 no match [ 1032.485451] ALSA: seq fatal error: cannot create timer (-22) [ 1032.653303] ALSA: seq fatal error: cannot create timer (-22) 05:00:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x41) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$IP6T_SO_GET_REVISION_MATCH(r1, 0x29, 0x44, &(0x7f0000000040)={'NETMAP\x00'}, &(0x7f0000000080)=0x1e) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:36 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x5, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:36 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x12}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:36 executing program 1 (fault-call:4 fault-nth:0): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:36 executing program 4: r0 = socket$vsock_stream(0x28, 0x1, 0x0) getsockopt$sock_buf(r0, 0x1, 0x80000000000001c, &(0x7f00000003c0)=""/253, &(0x7f0000000540)=0xffffffffffffff68) r1 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x86, 0x80000) ioctl$KVM_S390_INTERRUPT_CPU(r1, 0x4010ae94, &(0x7f0000000140)={0x80, 0x5, 0x4}) 05:00:36 executing program 7: r0 = syz_open_dev$sndseq(&(0x7f0000000040)='/dev/snd/seq\x00', 0x0, 0x20007) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0xc0189436, &(0x7f0000000080)) r1 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_msfilter(r1, 0x0, 0x29, &(0x7f0000000000)={@broadcast=0xffffffff, @remote={0xac, 0x14, 0x14, 0xbb}, 0x0, 0x1, [@dev={0xac, 0x14, 0x14, 0xd}]}, 0x14) 05:00:36 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7a00000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1032.829982] binder: 27821:27825 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1032.850941] FAULT_INJECTION: forcing a failure. [ 1032.850941] name failslab, interval 1, probability 0, space 0, times 0 [ 1032.859706] binder: 27821:27825 BC_FREE_BUFFER u0000000000000000 no match [ 1032.862282] CPU: 0 PID: 27823 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1032.876106] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1032.885471] Call Trace: [ 1032.888077] dump_stack+0x1b9/0x294 [ 1032.891725] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1032.896948] ? lock_acquire+0x1dc/0x520 [ 1032.900945] should_fail.cold.4+0xa/0x1a [ 1032.905026] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1032.910143] ? graph_lock+0x170/0x170 [ 1032.913939] ? print_usage_bug+0xc0/0xc0 [ 1032.917990] ? rcu_report_qs_rnp+0x790/0x790 [ 1032.922391] ? find_held_lock+0x36/0x1c0 [ 1032.926444] ? graph_lock+0x170/0x170 [ 1032.930238] ? lock_downgrade+0x8e0/0x8e0 [ 1032.934379] ? __lock_is_held+0xb5/0x140 [ 1032.938435] __should_failslab+0x124/0x180 [ 1032.942659] should_failslab+0x9/0x14 [ 1032.946446] kmem_cache_alloc+0x47/0x760 [ 1032.950496] ? ip_mc_drop_socket+0x270/0x270 [ 1032.954899] dst_alloc+0xbb/0x1d0 [ 1032.958344] rt_dst_alloc+0xfa/0x500 [ 1032.962050] ? fnhe_flush_routes+0x460/0x460 [ 1032.966448] ? __lock_is_held+0xb5/0x140 [ 1032.970595] ip_route_output_key_hash_rcu+0xa45/0x3380 [ 1032.975866] ? ip_route_input_noref+0x250/0x250 [ 1032.980544] ? find_held_lock+0x36/0x1c0 [ 1032.984598] ? lock_acquire+0x1dc/0x520 [ 1032.988559] ? ip_route_output_key_hash+0x1a3/0x390 [ 1032.993572] ? kasan_check_read+0x11/0x20 [ 1032.997710] ? rcu_is_watching+0x85/0x140 [ 1033.001845] ? rcu_report_qs_rnp+0x790/0x790 [ 1033.006248] ? iov_iter_npages+0xe60/0xe60 [ 1033.010474] ip_route_output_key_hash+0x23a/0x390 [ 1033.015326] ? ip_route_output_key_hash_rcu+0x3380/0x3380 [ 1033.020851] ? rcu_is_watching+0x85/0x140 [ 1033.024989] ? iov_iter_advance+0x14c0/0x14c0 [ 1033.029474] ip_route_output_flow+0x28/0xc0 [ 1033.033783] raw_sendmsg+0xf7e/0x29b0 [ 1033.037577] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1033.042669] ? rcu_report_qs_rnp+0x790/0x790 [ 1033.047074] ? graph_lock+0x170/0x170 [ 1033.050866] ? expand_files.part.8+0x9a0/0x9a0 [ 1033.055432] ? check_same_owner+0x320/0x320 [ 1033.059749] ? lock_downgrade+0x8e0/0x8e0 [ 1033.063885] ? lock_release+0xa10/0xa10 [ 1033.067847] ? check_same_owner+0x320/0x320 [ 1033.072157] ? __check_object_size+0x95/0x5d9 [ 1033.076663] inet_sendmsg+0x19f/0x690 [ 1033.080464] ? __might_sleep+0x95/0x190 [ 1033.084430] ? ipip_gro_receive+0x100/0x100 [ 1033.088744] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1033.094269] ? security_socket_sendmsg+0x94/0xc0 [ 1033.099012] ? ipip_gro_receive+0x100/0x100 [ 1033.103321] sock_sendmsg+0xd5/0x120 [ 1033.107021] __sys_sendto+0x3d7/0x670 [ 1033.110808] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1033.115469] ? wait_for_completion+0x870/0x870 [ 1033.120045] ? __lock_is_held+0xb5/0x140 [ 1033.124107] ? __sb_end_write+0xac/0xe0 [ 1033.128071] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1033.133593] ? fput+0x130/0x1a0 [ 1033.136859] ? ksys_write+0x1a6/0x250 [ 1033.140653] ? __ia32_sys_read+0xb0/0xb0 [ 1033.144701] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1033.150238] __x64_sys_sendto+0xe1/0x1a0 [ 1033.154290] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1033.159294] do_syscall_64+0x1b1/0x800 [ 1033.163167] ? finish_task_switch+0x1ca/0x840 [ 1033.167650] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1033.172569] ? syscall_return_slowpath+0x30f/0x5c0 [ 1033.177488] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1033.182865] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1033.187698] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1033.192874] RIP: 0033:0x4559f9 [ 1033.196045] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1033.215300] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1033.223017] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 05:00:36 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/pmtu_disc\x00', 0x2, 0x0) ioctl$KVM_SET_CPUID2(r1, 0x4008ae90, &(0x7f0000000140)={0x7, 0x0, [{0x0, 0x1000000000000, 0x0, 0xfff, 0x10001, 0x0, 0x100000001}, {0x80000007, 0x6, 0x7, 0x5, 0x8, 0x400, 0x2}, {0x80000007, 0x7, 0x4, 0x7, 0x1000, 0x1000}, {0x0, 0x3, 0x4, 0x6, 0xffffffffffffff00, 0x6, 0xfffffffffffffffe}, {0x40000007, 0x8, 0x3, 0x1ff, 0x2, 0x7, 0x7}, {0x4000000b, 0x9, 0x0, 0x8000, 0x729d, 0x0, 0x100000001}, {0x40000001, 0x400, 0x7, 0x52d2, 0x11ae, 0x7, 0x10001}]}) msgrcv(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000000008b4eae1ba3de5588c2020996f4297bf9473dc6968bace22465"], 0x2419c8f35964dcf3, 0xfffffffffffffffc, 0x0) [ 1033.230275] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1033.237529] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1033.244786] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1033.252051] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000000 [ 1033.263254] binder: 27813:27814 ERROR: BC_REGISTER_LOOPER called without request 05:00:36 executing program 7: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000200)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$rdma_cm(r0, &(0x7f0000008880)=@create_id={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000008840)={0xffffffff}, 0x13f}}, 0x20) perf_event_open(&(0x7f0000000140)={0x2, 0xb1, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$rdma_cm(r0, &(0x7f00000000c0)=ANY=[@ANYBLOB="0e000000180000fa", @ANYPTR=&(0x7f0000000080)=ANY=[@ANYBLOB='@\x00\x00\x00'], @ANYRES32=r1, @ANYBLOB="000000000100000004000000"], 0x20) 05:00:36 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00'}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) [ 1033.275831] binder: 27813:27814 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1033.284063] binder: 27813:27814 unknown command 0 [ 1033.291813] binder: 27821:27825 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1033.322880] binder: 27821:27825 BC_FREE_BUFFER u0000000000000000 no match [ 1033.338915] binder: 27813:27814 ioctl c0306201 2000dfd0 returned -22 [ 1033.699528] ALSA: seq fatal error: cannot create timer (-22) 05:00:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x1800000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:37 executing program 1 (fault-call:4 fault-nth:1): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:37 executing program 4: r0 = accept4(0xffffffffffffff9c, &(0x7f0000000940)=@sco, &(0x7f0000000340)=0x80, 0x80000) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f00000009c0)={{{@in6=@mcast2, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@loopback}, 0x0, @in6}}, &(0x7f0000000ac0)=0xe8) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000b00)={0x0, 0x0, 0x0}, &(0x7f0000000b40)=0xc) fchown(r0, r1, r2) sync_file_range(0xffffffffffffffff, 0x0, 0x7, 0x0) close(0xffffffffffffffff) rt_sigaction(0x0, &(0x7f00000000c0)={0x1, {0x400040000000}, 0x80000000}, &(0x7f0000000180), 0x8, &(0x7f0000000280)) r3 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_int(r3, 0x6, 0x80000000000002, &(0x7f0000000140)=0x78, 0x4) bind$inet(r3, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1=0xe0000001}, 0x10) setsockopt$SO_ATTACH_FILTER(r3, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) r4 = syz_open_dev$adsp(&(0x7f0000000300)='/dev/adsp#\x00', 0x100000001, 0x0) recvmmsg(r4, &(0x7f00000008c0)=[{{&(0x7f00000004c0)=@can, 0x80, &(0x7f0000000c00)=[{&(0x7f0000000540)=""/186, 0xba}, {&(0x7f0000000340)}, {&(0x7f00000003c0)=""/22, 0x16}, {&(0x7f0000000600)=""/141, 0x8d}, {&(0x7f0000000c80)=""/51, 0x33}, {&(0x7f0000000700)=""/41, 0x29}, {&(0x7f0000001300)=""/4096, 0x1000}], 0x7, &(0x7f00000007c0)=""/223, 0xdf, 0x7ff}, 0x100000000}], 0x1, 0x100, &(0x7f0000000900)={0x77359400}) setsockopt$netrom_NETROM_IDLE(0xffffffffffffffff, 0x103, 0x7, &(0x7f0000000480)=0x1, 0xfffffffffffffc71) getsockopt$IP6T_SO_GET_INFO(r4, 0x29, 0x40, &(0x7f0000000b80)={'nat\x00'}, &(0x7f0000000440)=0x54) sendto$inet(r3, &(0x7f0000a88f88), 0x29f, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @loopback=0x7f000001}, 0x10) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(0xffffffffffffffff, 0xc00c642e, &(0x7f0000000380)={0x0, 0x80000}) r5 = openat$pfkey(0xffffffffffffff9c, &(0x7f00000002c0)='/proc/self/net/pfkey\x00', 0x0, 0x0) fcntl$F_SET_FILE_RW_HINT(r5, 0x40e, &(0x7f0000000400)=0x6) sendto$inet(r3, &(0x7f0000001280)="822cda77044a9244fc92ebe66f50ed66b327bad0470da022786bcf98d2ffc5e8de32c67a16534db16f50b981bd7468fedd35b92e4794eb132fe34bc3ff1cbb8c249c72f0dd1427ae76a0137f1c83a557633b3ad2b7a6e3b75a", 0x59, 0x0, &(0x7f0000000000)={0x2, 0x0, @broadcast=0xffffffff}, 0x10) setsockopt$sock_int(r3, 0x1, 0x8, &(0x7f0000000100), 0x921b527a62bfd8af) recvmsg(r3, &(0x7f0000000240)={&(0x7f0000000040)=@nfc, 0x80, &(0x7f00000001c0)=[{&(0x7f0000003ac0)=""/4096, 0x1000}], 0x1, &(0x7f0000000200)=""/20, 0x14}, 0x100) write$binfmt_elf64(r3, &(0x7f0000002300)=ANY=[@ANYBLOB="7f454c4600250000050000000000000003003e00060000002c010000000000004000000000000000e1000000000000000500000087003800020002000700ea000200007001000000ea0a000000000000f7ffffffffffffff00000000ffffffff00000000000000000100000001000000010000000000000001000070040000000500000000000000000000000000000005000000000000000100000001000000ff0f00000000000000fcfffffffffffff423273d395b5dfe49a633eb0eb0263328129db30c89d614ca312379424593d1149401363a977a2b10bc8394762bab422771360aa38dc889b26829f721e3098b0f80c2f4ee55bcf0df04911af0a6a16e0ab5b5bb1e2227df0cb7b403be567ea3b9adef738dd4b7efbd9e56dfc0dc488a064d4ad246d477bc8fedb6c1fbcdb1469e544a6ac9afa9987b94c8d1209a41a79416931a8f43bd761418a2c47221a2a4d6bee2592cd6eab8fa3ac582965b48d68fb1dde708c9901874b0f1628c0adb0dc15872d102a327e9f073a52942892de4cc87c25e76cde841dd1e09db3f59955450018b682981af9bf3133a11fbf7915b41105bd663e6f7116777b3cb43f260d25a06d22119ca7674f7d9eeb496cccae5ea73758600072b6f0c2a39d824fa2001cb9377fbc132be60c8b0bf6ac0a892b355685d62cb7077a1e889c359d7bfc544111c6ca232e6c6593a0b8f085567b065536d649fea6d4e202254fc1a0dedba780af208b0457ed33958cfd97c0155f59b06d997423bb3b6f3d5e01c8b74030434cacb0e50dcc661aff03a72021b6011f6ff05f6070f0bcb7d75cbf1668562cd6599dcf1eac792c47370ac83b2730215d9955f6fa81f59d3209fbaf52f41f8c413432d976fe6eb3ae98661de6250e09bcf7b82d0492b349ca022abade27ee2d41aa83ba7d2ed5193dda7e9c78769b1430e5a171e12e0fa1d057e1aef4b856ab0f2dabc8b207f09d78e1f83461ccac0b2558732ea70d369973971d2c6d94081f33308b1e4b27a2ce6f45838809407045aa63b6219d82564c7323f73bfc2260fd95e5e8eeca550ba9adcca477de69469764858d7aa3ab8afd99e883c43dacae12ac88e7fea5a99df90755e5caf59185794ed6419a22fe36d9070ed6558b090cb871914491e2a135047b729107896b784bf87c941f7b993033898b993c83b8bcec93aed20e900921e8c8e716321ad5664665e7f89839258d1477a2e8fceaa9280b9c9dc53b5ed4bd907c3942d8fac1eff961bf3040ae0faed3985bccc35551fdfcd52907750828fc988e60aec5b577af9769cebc8d6e87a826826f8362c84fe7ec9e6d3cc39c1b6b6b9005eaaf0d9037fa576757018d3f60fbab576284cd7343e70a4b8143dc67e94c1090b7376eec330f5995c4b3a119646b4a953cf0669d6e52264827bbbae2c7565529a68f46f5e1a23137059867d0192caf6b22e2d74f8fbe12a139bc90a0d12b6acc0a106ba4fc2baf87c254bb540835206fc5f63dbc82581cec68813c331af00086cae971610587c4683d5f1b0dd68b8a419f581f0387cc9d1a435e329a0595d73a4489b1ea23c331ca752bfd46de13faee26e7e2e9b11dd7151883ac8112c0ba049070bcf00881cc0a37395f1a102cddda4b0b903b0233461e70254e6a75b9c29c02fce51b630d5cd58867e5f8e5b47fdb2fb53e0b9485f1079ddb39d7b3ef5d8d37be9a08714575e454274581a8ad758ba53da32d2c893e8a40de0febf31f84016558a9db7c53dec27895d69fa1a34e4b5b856f4d0974a9dd4031e28632a245b921a576f1a19f47d7ba08e9ca94a7ae46c89b379d90e0dfdcffb790586d920ea79f94af735aa51695dfe0c9c73a44b277e877b473b43f5c3a960d7c5e22678ab3f7cf46bdf23cbbd31df613827f8e23f7b2c71be25eab7dbd56f7b426b784583ec97db1659afc521a84e709cd879f8e5afe72366ffcd05c29b92ad59b3fe569e0b92c7978630ff418af3b81e35a19df805a2b89b9b87a13109c19ea941e9b9f6ee1c47708870abfda2debce7eae0f356bc896a5a207f6bc3ed4186117e1ae9b861d3a9a94520a6df99fd700c6fc3b82467a1257c2040dd34b2fb30c032224e6b864900f93168e387edaeeedaebf8b7b40d4caaa97c85229e63770ced3382013fd11010d0ee46333666aaec98aacc511c92be9e55eee400c74ab4614552624ad88f5d63b6f87e85826ee7cf6f15418f9712c6d07f36a54f097d9bc48b3035ae569af4753e7831dc520fe4726d0c96d0cb7b45e5ca5002884d38ed8e8ead8d4a7da76f9bcfd848fd27345bec7dd4356ef7b11a0cd3113bd9d9bd72597daf8e25b987b6a17329b9c581e7e647eddd060553fd6e6d90bc07ffc5ca9eb6e9ce36aa545ac0f6e242e381282522481668f05909a69db9c8f417ce2406fb727c11fa8ed3ec6f0c7fed51414f3286075c414753979f58a70d97539c1215ad15f4f2bdc9cb27e00245bb2291f767d4c581387a63022c727026043c0180a848edd1c3fffff21c3fe0b11c65caca8941959536882277e3dc9e61da52527a24e2d79a497a80b33b24f1ca184d56ad13194867d7a0a424977b5f256a4643460a03007ccf2abb042c6a8f357e8c67298f4ee68fa10d82aeec9c63884f43927692db04bfa6651a630ff1e945d5c2ceb1552d0cd69830f257e5d2b500e4447f03edc78938d82871b7075be875dee546cd23ae617356f51fe8f1fb11417e63a436d7ca0ecd22fab3719ab5b4a4fa0ac2b6a44002fdddb61f7d6fe2beac291455b144cff1da4cb487c430a42cd6dee2b0752536175bdeb3abf2a393823dddf4567d7a6ac785662eb272ea9ea223e0d63a2d027fc3bfa6da9c1537a5c207c9f2495bd45eee778875ba641ceb20f3fb23d57269a4e40e0baea56d0b4247f12ebb7cf6ee0e64b0d521c8636ca845287f752adfde004e37bee0451540bcabf455b43233e287e4ce36ebbf2cf0aa8325b72b90c40cc5bdf77f66b07bf5423a80409e1e95424e2d63c09e621354d87d29d28758c290f29746e00e72e1f6ee9fc93841a7a4ec7420c1d78c09f9355b41c5b6a2e94d84218428a4e4e40bcab84f0cdc9a230101146a11e1f36367b4b5f21e76b5e58c31aec27a47e7ce6c22d29c553f03d0515199b541750e92718c53542cb8c0e4202c89b5bc2a4e3cd4fd1e33ba846b2d2d1c94d2e73327b1d327fe80ff1113634e2e94769b97a1088c2f00001fd26ffbf3b4b82036e960a01efd1eecb0e4cff79c5943cb7f3390757f2ebaa20ac131cddf19065dad03237cca7406b5c30228494fe25d1be39d26631795f3b0a16ac6c8c27e37a75bce127c582beed29fe6137efe5ac28a2a89597db794c570055e318e92f17f36e3fcbc68c8233d2f0c433f9e11b2819ade8026682c9c966d13605ba9cfa66d91f8203260ed06d8c53912b2c25be01165ebda24e3b70c4fa4a99c56470ee40080aa92272d6ba4a0906d5b8df7039b82bf83378b78ce124aca8b7944fffdd65bfca51e33614282fb1738dd43c6b95f2bc5e9b24605ff3fb5a06ece40c2c4a86b93acdde534777d47c5196e7ef7d65ff45606324b402aa6b81afa463f63f96bc442cd25a033b7b6feed08de0f00bccb16c439813c6c4b1d1733bb55a6245a9180ec71a7f31631613c60af161f5ef64493b859a6c4baa9e3811250984db538169178a4f4cb4141f74e366a28b4fdeef59bb22f6f525c493912a044bd99a3b4b86b2834a4f837d58d4292a22a730b6a2e5ec7bf358c2016326fff4889d5d5e1beec898a3a88d0f4a450d86548a1a9b1cc1bee45e6a4e2c4e09cd69a51d46190755bd42c1e53d4a1f80010da651d6c500a066afa9c98755acf643ff381af66742c6e091746c77e0f14f2583d6d70339ed50e9da34a0aa8820359872132179f087f16cdaf3636688927e39a857a99f911d08406b6addefa9f895f3b29812234eaf4d5a93b9363fa02a4ee9fe8676811004fabc8121f7639e9f92c0d7f796a6355e984d7a85aadc6220847666f8f52c4571516eb1a9fc487e918956411823e1edef555a61ba7d45931457b221bdcc8aaad58e8007497a8846278e0aed68926d3ea9fd96a89ccc89627c86da315c3eb5445bf799df613befe958390660f6c9f7ac02e3187100f18ea3bfacf9662601fc9868329b3524cb8c07850726355bd748f7c51b32e6c4341676cef6af55351e599d196d38d63bf0cd20b85f4bc79a2895b9c5c4d46090b4e1a10394f8ba7201d45d3878dc9b3e7ec3510073424b92a7448f9d8d9c15fff2a1c0e6dde7e6ad83f6243b21c6c14bd1b36e834b9cdc2b09022c0ddad8b5cdedb4a9e401acd96b77825cf6cb459e0c70b310c4d6f7a192c6766e75b4b50e64680b8bbe41065eac33f24c280ae6d89ef5fad05d8a9b635b052176cc3a9c2c9ffd43c0530deafd29079147dd34b5cd866e7feffe95f76695a40c216729ab52614cb603b6065e88ce689e29e016313ebc63814b33ffc28f8bbe846e6c5aceb44e92af060d2e3407c2ecb95be53e68a2dd5cac2cebc0d202fb01557e017fccda71d8dfab8c686dd8b0aba628417e3e39dbfa08ba07f8faeb2edf59a513dbf07325bf6e2604d1896e7ecaef489fa240d7c962c654c803898147df6ff04c01117033cb7e1d960e0996d5ad4261514c61ea804e2effcaa4478cf3e39cfd79f8649886892bc2ee8459333e01de02cc747a728f4543619037f0e4e461ded523d75cc9fa8461a46ffa6ace8895f062df6f9ef9af0ee03bc156b3197fe6348a4d84e5da4c058e9d4e8722e30cea964e8f1c96070a8f973c6646c0730f5c46309537c87ef3c61eaa3ee8947ded16b4012c13aacd49c4db459676de562f749dfcb22d80c6d998c5b1cfba66cb84a803f5cfcb1c68a08711308f536f5c2ba4daa8b14f90132012efb0749df28fcf75bc3afc818706550a2f07398745d67b1dda4015e816daf6655c8540e23a5719e413a59cbdab51bf05a8c65f1b3270386676f22bb81351d9480675f1c169bf833467c832d736364bcfc2f314cc43656e1ea5077c9433362e96b4fde669f97cab4d70b66ab2dea08953a9d4223a5be36bd3bb93d7a0d51b3770f656f698e272e6c8cf175df0729b38bdd56227a245fd65cd227beced78d2f3816ddc6e458de06b859efc50dfc719a93d60ad660a7fac045631bbff7401d8db635dfc0f16941957d253e4bf297b4e03103bea91a94cfbdac5d4ffb6e6d371369a2744537539b5d1220f2555509996acc58a9a21b0b607a9062fccd469133c5b2db1c0b62ed0205be7bc55e457e44e6a509863ccfca7dd770d2681a002de566c048833cba7135497e3e8430b1dd50d8810143f0947ca665726d33e87a090750371f6059e4270005b61f9f46e0ba5e49313055cf1c25c20945ae0ae7564f246c3c454c0e8a26947ffb1b80f2b7b4f5b82a4f4011446f675bace0f202750ccf6e145285bf4e294825b25f45ff78cf787ba58e28595fe76d023109c363f27b4236b406228cf4e28bf5e27887f912970eff09ebd02258df3b6d1047d53be10c58efab6849353c9287a4376a05eedb5e049363d3882feaa030cd868b912c1d4754248f7a0a0338f0d3b3c5147f3db59ab3300e5781c006499efdb1064908b03c373e42a2204e3f984c8fced1601bf09a0620b567627580477f58e393a25c81a680da7f00000000726722863be650d125c08b9bd28a9d1b69b59e0de9e82acdaf745a831d68f5fb10293d331f921ef5596e72cfeef75d9fb9ae80676c5e52c0d4949c07af0f78fa2581"], 0xffb) 05:00:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0xffffff7f00000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:37 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00'}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$EVIOCGABS0(r0, 0x80184540, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:37 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x300000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:37 executing program 7: r0 = socket$inet_udp(0x2, 0x2, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000040)='fdinfo/3\x00') connect$pppoe(r1, &(0x7f00000000c0)={0x18, 0x0, {0x1, @empty, 'veth0_to_bridge\x00'}}, 0x1e) bind$inet(r0, &(0x7f0000000080)={0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 0x10) setsockopt$sock_int(r0, 0x1, 0x6, &(0x7f0000000000)=0x3, 0x4) connect$inet(r0, &(0x7f0000593000)={0x2, 0x0, @broadcast=0xffffffff}, 0x10) ioctl$KDGETMODE(r1, 0x4b3b, &(0x7f0000000100)) sendto$inet(r0, &(0x7f0000000240), 0x26e, 0x0, 0x0, 0x4e) [ 1033.868921] ALSA: seq fatal error: cannot create timer (-22) [ 1033.906429] binder: 27858:27860 ERROR: BC_REGISTER_LOOPER called without request [ 1033.925547] binder: 27859:27865 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1033.933903] binder: 27859:27865 BC_FREE_BUFFER u0000000000000000 no match [ 1033.942859] binder: 27858:27860 ioctl 80184540 20000040 returned -22 [ 1033.949895] binder: 27858:27860 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1033.958074] binder: 27858:27860 unknown command 0 05:00:37 executing program 7: r0 = memfd_create(&(0x7f0000d2efff)='\x00', 0x0) r1 = syz_open_dev$sndseq(&(0x7f0000042000)='/dev/snd/seq\x00', 0x0, 0x8000000000102) r2 = dup2(r1, r0) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r2, 0xc0045516, &(0x7f0000000040)=0xffffffffffffff38) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f0000001000)={0x0, 0x0, 0x0, "9ede7a8c5ae95ec8672c93340f643a664f13eeab65c0322901dc6bd36cde2c51f01b7f0b014f9f91eeb7c37c7240f476c8d753d000aa8faf8fb574dbcfa6dc4d"}) write$vnet(r2, &(0x7f0000000240)={0x1, {&(0x7f0000000340)=""/74, 0x4a, &(0x7f0000000140)=""/247, 0x3}}, 0x68) ioctl$VT_GETSTATE(r0, 0x5603, &(0x7f0000000080)={0x8, 0x100000001, 0x1ff}) r3 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = memfd_create(&(0x7f000003e000)='\t', 0x0) dup2(r3, r4) setsockopt$inet_sctp6_SCTP_AUTH_CHUNK(r2, 0x84, 0x15, &(0x7f00000000c0)={0x7}, 0x1) r5 = syz_open_dev$sndseq(&(0x7f000011c000)='/dev/snd/seq\x00', 0x0, 0x8000000000102) dup2(r5, r4) write$sndseq(r4, &(0x7f0000e6ffd0)=[{0x1e, 0x0, 0x0, 0x3fd, @time, {}, {}, @connect}], 0x30) 05:00:37 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00'}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) [ 1033.978248] binder: 27858:27860 ioctl c0306201 2000dfd0 returned -22 [ 1033.983963] binder: 27859:27876 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1034.013126] binder: 27859:27876 BC_FREE_BUFFER u0000000000000000 no match [ 1034.025337] FAULT_INJECTION: forcing a failure. [ 1034.025337] name failslab, interval 1, probability 0, space 0, times 0 [ 1034.036667] CPU: 0 PID: 27878 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1034.043605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1034.052968] Call Trace: [ 1034.055574] dump_stack+0x1b9/0x294 [ 1034.059226] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1034.064437] ? is_bpf_text_address+0xd7/0x170 [ 1034.068956] should_fail.cold.4+0xa/0x1a [ 1034.073039] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1034.078175] ? graph_lock+0x170/0x170 [ 1034.081992] ? save_stack+0xa9/0xd0 [ 1034.085642] ? find_held_lock+0x36/0x1c0 [ 1034.089727] ? __lock_is_held+0xb5/0x140 [ 1034.093821] ? check_same_owner+0x320/0x320 [ 1034.098167] ? print_usage_bug+0xc0/0xc0 [ 1034.102250] ? rcu_note_context_switch+0x710/0x710 [ 1034.107199] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1034.112232] ? rt_add_uncached_list+0x1dc/0x270 [ 1034.116921] __should_failslab+0x124/0x180 [ 1034.121179] should_failslab+0x9/0x14 05:00:37 executing program 5: r0 = accept$nfc_llcp(0xffffffffffffffff, &(0x7f0000000040), &(0x7f00000000c0)=0x60) finit_module(r0, &(0x7f0000000180)=',eth1\x00', 0x2) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = openat$full(0xffffffffffffff9c, &(0x7f0000000280)='/dev/full\x00', 0x2a0400, 0x0) r3 = syz_open_dev$admmidi(&(0x7f00000002c0)='/dev/admmidi#\x00', 0x9, 0xc00) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000300)={r2, r3, 0x6, 0x3}, 0x10) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl$PPPIOCGMRU(r2, 0x80047453, &(0x7f0000001340)) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") socket$inet6(0xa, 0x4, 0x2) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) setsockopt$inet_tcp_buf(r2, 0x6, 0x1f, &(0x7f0000000340)="5314769e717e1e6699979632b852ef64b065cb677f7c9fdbe8055b2686bafe198e35ff2a13e2871743c665a474ffbc592b7c95a3d24e1d02de0473fe3d8d2d835ed2e86a33a8548bdf9c195b5a775d8d6c460f611e8b336ddaf33bf072ff342b4e192b647cf8cd51a670edfe789989aed79ca4e3a5c3da31eeecc11270e67f478caeaee6fe362e641b7ad03eb80c08e404bff1b1d362ebac5cca7db544b2fcec1483968db8c9c4af8bb706dd641e895837f1115849de1d3a1671883d178389128493f3593b6dc4caf7c589584d151e51399b0c7f26765ae0a3560069cfc4f6568601aadcd5b0dce5028e9b5dfc0764d1a90ac78beb85c3706b2e68e7432b421234d50eccf40873675234f44af0df203f5625337fd9da7c8e62993cfc14cf544dba51c27eb1d22e2759fd146c3af138e4c128d98211fbc52962cc42c8778e6a3a17a133b3f6bef60bffd6e100b99014070c570cc0a7d9abbf53ed96ffc358a0366c80fc2c7b598ede720ac8e3388007238656b3d258c843884ea6180f8ed192415bb685bda5f1b861fc7b64b659339d9bbabd3845df12ab89c528271501d330ea0db6fec383174320711cb58dfebb506b6bfd70b0518119ecd0b9434ad170271ab7eb88925ebf12af707ea2cdd4c647273aca3b19a9a536c67375f11377efaa1b3239580e2d28a6620e92fd1a5b1695d05e55357c4a4f33a1b87aaac0b7adcb7b6ca8fb07aad0c07e82feb87dc10ad4bfbd5043a3b0fc0ce09c147185ae8ed5ce25341fa0b321caeeff562d81cdc707b50f15543011256946431c78922cfceb99d958c425aa36064506178a722152402505f2a70e539e34e7c809f6f10ea0bf681b82f57e3fc63f4557ea1f4f51b3bd509c37e77ca81b3477e3ce304f9d379996598580c7b5e0df864eb34a8d0f4a2bbdbdf05a570cc3f496657079a14487b7fc6ea3286bed349e8a26de84828d5f609c301d171c4fb6841e13ad0d278d32e79e849662eca91ed2bf5dbdb7bbe35a1efeb75bcf2d5638f1019b319113b3540ed3d6e8b0394fd809514143b4aa1f80d3aedb24eb2b7019d4022d8b4841cc5703aa54f4e2ed450effbe58be570fdf4106026d7d0144e5c80bd6f00a3ccf014a1c5953b1aa7e1074c604a6266cbf9accdf0e6932b346160d016d4400c0fd45c41d8db6b9f229e0ee0a6bd5df79759a90ce94a4a1e3b0aa6da772746efecd9d636475fb14be9b16c706861bbd53e7d02fdf168e4f01cf58bb55a2df94e6341fa60077a25eb5984ed6428e74f83a6a40d51c5bbe320891c27a094253917cc21b7985425ff1a3501603cef36d46703232588ec4537b63cf4498f3f177bdde48db2d95cd1d2c499376dd95f728dc9046a795566ef53769bbb5eda6216675cd468d769c7ab43c19741f0f99ee7c00e7eb4651f0c9910e2d904cfb61ce7a6959b67d4f6ae165d9e76e43b33a461fe21846fd1cc36fa8c4a5346e5ffbcf779c08297f065cbdeef6105f04f8787b5592d71196497257248ecb5324473b3a7a9839e4af44e81248c140e16ebd700f00411b1b14db957ce3eb353c79148fc3e6809f3123650c3a3d9fa88e816aec29702cecc0d8722322c53eb86e9823a8a29b8c420275a6fd044aadefb4f023a954f90c15b4fb265b108df78fc6beb71d85aaed8b66672b6ff5b48357b3c8c8c00f59dd049d145c9f8b3406fff7ef4aea97fc64387fd3f1c1aa4649f9a29584de4bdb970d2ffb987e320505a8f2aeaa5478c6592c2e7d412baff475fe1e9b9574f5d5b103dc91b934596a0e94253714a5ff5ef5a22c72fe4d5f6cb97a1bc4ea8588adfeece615deec9afe7cf53725c8d24ef32c0aa679e4bb47050ab14f53411f588d2f58ec839e051319bd246797f5f914ade6a68a65a51d4840d4c81b2b2d997d7e2e42586482f3c33633ecb0fa43bf9d9b4883e7731785e971c6d97b4b79d3e7813e8f7f72296779b83ee38e578d41dd34adfced0af4cb76d46fbdc9e25e274ec8084bddce55b46736fdf406c2f191ee55ba095a7819b412c97f2070b5c923f364236225f735c01397973402206f3a347e58aba20179d19aa0f3a216bef6d00554504b09afb2084ff94819525eea27bddfc2cc2cd6fc102090ba9ef6c8f038c87100c46c04999deae1fc07c099a5d7c78751731e5616fb934b0e5faa2806071346ce28d48400c2a1dad089beb3b8dbfd458b47c814abab09c647106b14babffa2a8472b13bcf52b07f6fc6663dfa6285ce5a75e6622018ba503331447631e3761495d1ecdc566eaf576d6514168cfc14e6d7e5bfa8ce64589c1ea23064358ade80b48e800336872dad17fa48da46494b838a670f86cfe75570c99ee786cf0996700bbe92377d4bf0049fc3e1101e99a2e702ecfb21b667fc2877df62c33301912f70d51d360e9697fdffbb9984448c0a730454858a0370feb34025b56d0d98ab606a188314249c97d958613a3966986c929752c1afadb752fde8fd0975083f21caf476c853320c9d1720815caee675e3b5fc672b98738f516d38afcf8959b531a58bef887bf6a22f9a4a054ef4129d04777e4efbc646aa08ead3731f439204b79452bb426092ddb00e6f39bf166933865456b2f0f3667e46267e8d62fbb1f03836d137069f967983c9e55868581c30416bb6c144ea29b5db69d1892aff9b15aa12d3befb9e946962d59255c7f836837d0b8a5a0764bf7e8c385e674e89f99ed67adb77ebae8be30012943035dd80e3b67d1696233855c58bc5cdbaee0faa9b17d0295b517d157a9e2f1527daa683d19cdab2584935bbf7075ed77a0713572c0e490384c7aef17d293d97ce7d43aeeacc585d582378e09a70079621449961b56174de7421166314ee50f1efc0fb06f695dbd44fefe10744d61c38903725d2d9da0618215e61598726e8a13ad03ec38e338a502df0014c9142233c60c344c518f255c387feaece95a3510425d20a6b4fe379617e913f71b36e6bad6602af4f31a48618c3b68990515f432d3f2607d3797789a9f08e1d9a2ac591288f816f5f2f7610948a4645acca8facf28f3de3db985a355a9bd2a6499e30aae5fe6a81b831ad027d3c95d7b770fefbfec5a449ec7e6c31f0c1d90bc645343343d8a666c0f6f84b4f02727aa6041cf92ae1d17b0bbe81eeb6e9031fe26d16bdd2458b0f3061515068335c7fbce9a51f581f544d5ca3af99b1120a979547eef2db7f554c4c445ad816f090a0c4d09f10ca78326232039c6460d996d87e5f3c652f54b2f3fc982606b1f185fd779f42d5d8d2147bb2dd4cde5b9dab62d2573a660e57a7ddd76fef9ea3d442159ee36a9a85769a2add31ab89a88436ab6520928c4e0d9bdb498c1ad8ef29d2c44c0ecb8fed0914e92532e7a0ee445c2a19e1be98f3fcc880bd051e0378316b85bfcac40f977784940d64a7f45f8f518cefb5b5631f11d3cfe7922dadf19dfc6484faad9fe4a414d3b43e8604b46e2ffc55fd967c8960c0563924b43d68f76170854a0e198cac30c2970261ae0c93ed9c30826ded8355e16d90b5d155adb18798894443a913993ec292ae6cdcab70971bfe49220486a7a94deb321d8b109cc1967a96598223115cd53002c2706f3a28e56650956ccbb987dcfd4ad4c6bfb157ab521d8f528c0afa35c49972d95efa2741f47ffd194fdfe56ca7c0265063234b9de0fb94d1358b9a56c8a4c84cf6c64c22b00eea01bbc910fbdf3fa68afdca9b99bf5371837c0e08a1d1df68ee27df0ad908222b031f242fe7c2003900c24da5b6b13fca60d3c33b8c0ef18f6f306933b71601ed00705abb4aacffba6a7b5d3d1f219306b989f21b3e1fcb0c8e2c82dc6d17f3655a05e754640559c59ec86bf8c04db441c3bbb06893cfb1ae5e2ef715fb9a4adb37a80d1b90f20d12f53953d89a66c02e607dc038bc05ebeb2bf17f58d136b9ee29a77d1bf6f440b0ea1840474e8bfc4521c92bf095cc58630e4de9a888dcaeca9d5bca771dcb284e1173e1b5cfe9824ac04e9c34939a7f388aafc2d1391969da619818192b9716eadb0cba7ae42b9a9e5638a42d410f5759d7626dbbe1e4ceee70508ad8e69b227cde3c866710f34f1eb57aee2c43ff7ca3066393a219f9fcb9a1d82e02053af8e519e0acdc82794af803d6349fe1c40fdf959d6eaf770eeca6d8b87ba112fbfd8f3243727ed19b819c72770a85997b588862efb208a340b42055c724cd65cb39a3fcb8fe47287ce28252631ad07a97edfab3e2259611a10b4c34c083302598eeb4268f997cd5c55f5a72ae2ca129f5990272858adfc84f1c234e71518f204f3399dcc8ede4dccbe358d3cebc51d0347a456559483c9d4c2278cf8289812aba8096cc06ae5a2ed2eac8564a8c8d0f1f2dd75aa4607de5515770cd152f09c5496bd5e63b375a5a7e5c13edfbd6dbabda04f2954ca4d5782e4d9e24fee1f218742de36a74230435783e511281ad5f08e95d93eb19646ccd6089bcea6e01ca2a8dd34262b8bb3ef536894f46abd264c69eacd1441407eed101766347e3bba147a2ea5f42b9e90b9073a3bedb6452d169b6c44a86f990952ee08683583c880565d922e2852d8a4bc8f7b2389c63d0c69f453327cadbc2d84f4ba7e6a2779301937ad0edbc0088db47506c6c1ff7fb103f16285de58fc35193d7b25fcacd6a764e28b0047ecfc3aa005c56d6ad408d8faeeb5bc2c55fa45bfbd0313e5eba22215629f9190dd151098a518de5347fea1d50db68dec4c41baaf579ae227063651d7f1c322211ad7dfae4a57fb7ee8d4eec0fb13497c665930891146d85bb6b16ccd0ec8aee0bd694f36175746e6850ee77be71d83c31541cabe0e442dbaddcf9ca2a31376e06cdce335550ab490a86a39565aac65df2258af5585f11ebe75fc5fefcdc8987defe8eec196ba0cd9cec10fdb09ffcc2c2af74cbf05e62130f653c396c8c33a3860d61a1887eff3cfd4669cb05e27c294619cfa445c5b05310cb65d500972a4d0777b745519a43abbcd61775c5a359668a2ab000e934f644249b990e0c3da65aa1580e94ec147325d7d45304f2a6b012f430d867ebb57dac9dd10ef35ae78f587ac4a6cdd7de5384a1798b9cb84323adfb336762ab969ec2a6b8af10b53e908f6e5e41f06f54d321d09d058e13191ea4a89b8d464a01c8ce293f1c6e3b434a115fb34970d4746d405378bce7014b31f0475413314083ed43f0f1d119323f07a542e0ae4b7ecbac9925396908ea57099213674bb385adc1785f3a9069ded07fac992a80e573b472fee6bd3a70d800cf1ed382d4071a660ac5cb7ede2972de836636e6b3aa432eb07494bcc44523ca1f1fbceb792e02123ae9aaff119458d824dfe20158c5dbce14f7ffe3302c74ad696f610f668947c8fe8b8f78775e18b0039b1f743641748df2d2a9776c03c5d0872c5431ed3d757397cb615fdab8dd1589363f7e7ca05e9ded1a106d98ad388e0f59333d9cf6197fc5f5fb357a1e178931e0ae840fafb21702bebaa2c8ef27de9c761f31afd4c822b49eee3b1453b7c31e9d746b468ea2a1d7760eb6ceca5a97051071040f454105b3cbfa76991210fb643fc1995d9d82cd6922c2db0f22f59a1ecc6a5e8aa4c42ced1dfd8b57e9251c7a1a40916230580464af05ad269f1a136846122d3311f9e0392d6afd8a0b5d63efdbf46776357c8fd57215baf69c9b4b1ab4ba5392948e860a5d518e87ee775a3826ed8b1fcf7fad5b45704e94763e1e3617056cf6b024ecb9fb56c4e12c09fd34486deffc7ff4e7959a779f7628fe1472c54b933f269fd6a002", 0x1000) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB="0c635600229059f9b8acdee818c24cf487ca8c78f446c2b71c73318996f914745a600dac45c31a24e129b13fd2d244e135c4c0eb1048779e6e7ee9ec1ac4c85028202d8c44f40b08905eb49781067634913568304497afc49e2745a7254f6ac902a87e2b891fa194fde100bc01ae0130072eefa719f147d1d908cf33d26d7a83c4d3781b245ab1c3179bfff03f1fe43bbb1192"], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:37 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x18000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1034.124990] kmem_cache_alloc_node+0x272/0x780 [ 1034.129585] ? ip_mtu_from_fib_result+0x5e0/0x5e0 [ 1034.134449] __alloc_skb+0x111/0x780 [ 1034.138199] ? skb_scrub_packet+0x580/0x580 [ 1034.142546] ? debug_check_no_locks_freed+0x310/0x310 [ 1034.147754] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1034.153310] ? rt_dst_alloc+0x3f0/0x500 [ 1034.157304] ? fnhe_flush_routes+0x460/0x460 [ 1034.161736] ? __lock_is_held+0xb5/0x140 [ 1034.165821] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1034.170861] ? raw_destroy+0x30/0x30 [ 1034.174593] ? xfrm_policy_lookup+0x70/0x70 05:00:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x100000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1034.178948] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1034.184768] ? ipv4_mtu+0x375/0x580 [ 1034.188417] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1034.193895] ? lock_acquire+0x1dc/0x520 [ 1034.197893] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1034.203448] ? ip_setup_cork+0x4dc/0x7c0 [ 1034.207527] ip_append_data.part.48+0xf3/0x180 [ 1034.212128] ? raw_destroy+0x30/0x30 [ 1034.215861] ip_append_data+0x6d/0x90 [ 1034.219675] ? raw_destroy+0x30/0x30 [ 1034.223408] raw_sendmsg+0x1dae/0x29b0 05:00:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x4000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1034.227321] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1034.232437] ? rcu_report_qs_rnp+0x790/0x790 [ 1034.236869] ? graph_lock+0x170/0x170 [ 1034.240690] ? expand_files.part.8+0x9a0/0x9a0 [ 1034.245284] ? check_same_owner+0x320/0x320 [ 1034.249630] ? lock_downgrade+0x8e0/0x8e0 [ 1034.253795] ? lock_release+0xa10/0xa10 [ 1034.257779] ? check_same_owner+0x320/0x320 [ 1034.262118] ? __check_object_size+0x95/0x5d9 [ 1034.266633] inet_sendmsg+0x19f/0x690 [ 1034.270447] ? __might_sleep+0x95/0x190 [ 1034.274436] ? ipip_gro_receive+0x100/0x100 05:00:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x3f000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1034.278772] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1034.284329] ? security_socket_sendmsg+0x94/0xc0 [ 1034.289098] ? ipip_gro_receive+0x100/0x100 [ 1034.293439] sock_sendmsg+0xd5/0x120 [ 1034.297169] __sys_sendto+0x3d7/0x670 [ 1034.300986] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1034.305672] ? wait_for_completion+0x870/0x870 [ 1034.310271] ? __lock_is_held+0xb5/0x140 [ 1034.314354] ? __sb_end_write+0xac/0xe0 [ 1034.318337] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1034.323880] ? fput+0x130/0x1a0 [ 1034.327176] ? ksys_write+0x1a6/0x250 [ 1034.330994] ? __ia32_sys_read+0xb0/0xb0 [ 1034.335069] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1034.339942] __x64_sys_sendto+0xe1/0x1a0 [ 1034.344016] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1034.349054] do_syscall_64+0x1b1/0x800 [ 1034.352953] ? finish_task_switch+0x1ca/0x840 [ 1034.357464] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1034.362409] ? syscall_return_slowpath+0x30f/0x5c0 [ 1034.367357] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1034.372738] ? trace_hardirqs_off_thunk+0x1a/0x1c 05:00:38 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x58000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1034.377602] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1034.382795] RIP: 0033:0x4559f9 [ 1034.385980] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1034.405352] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1034.413079] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1034.420375] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1034.427657] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1034.434940] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1034.442218] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000001 05:00:38 executing program 1 (fault-call:4 fault-nth:2): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1034.542784] binder: 27889:27911 ERROR: BC_REGISTER_LOOPER called without request [ 1034.559429] FAULT_INJECTION: forcing a failure. [ 1034.559429] name failslab, interval 1, probability 0, space 0, times 0 [ 1034.562882] binder: 27889:27911 unknown command 5661452 [ 1034.570915] CPU: 1 PID: 27920 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1034.583056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1034.592432] Call Trace: [ 1034.595037] dump_stack+0x1b9/0x294 [ 1034.598684] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1034.602579] binder: 27889:27911 ioctl c0306201 2000dfd0 returned -22 [ 1034.603885] ? perf_trace_lock_acquire+0xe3/0x980 [ 1034.603908] ? kernel_text_address+0x79/0xf0 [ 1034.603923] ? __unwind_start+0x166/0x330 [ 1034.603947] should_fail.cold.4+0xa/0x1a [ 1034.603967] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1034.632942] ? graph_lock+0x170/0x170 [ 1034.636741] ? save_stack+0x43/0xd0 [ 1034.640359] ? kasan_slab_alloc+0x12/0x20 [ 1034.644503] ? find_held_lock+0x36/0x1c0 [ 1034.648561] ? __lock_is_held+0xb5/0x140 [ 1034.652689] ? check_same_owner+0x320/0x320 [ 1034.657006] ? rcu_note_context_switch+0x710/0x710 [ 1034.661935] __should_failslab+0x124/0x180 [ 1034.666167] should_failslab+0x9/0x14 [ 1034.669959] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1034.675062] __kmalloc_node_track_caller+0x33/0x70 [ 1034.679986] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1034.684747] __alloc_skb+0x14d/0x780 [ 1034.688455] ? skb_scrub_packet+0x580/0x580 [ 1034.692777] ? debug_check_no_locks_freed+0x310/0x310 [ 1034.697962] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1034.703499] ? rt_dst_alloc+0x3f0/0x500 [ 1034.707466] ? fnhe_flush_routes+0x460/0x460 [ 1034.711884] ? __lock_is_held+0xb5/0x140 [ 1034.715943] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1034.720962] ? raw_destroy+0x30/0x30 [ 1034.724669] ? perf_trace_lock+0x900/0x900 [ 1034.728903] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1034.734699] ? ipv4_mtu+0x375/0x580 [ 1034.738320] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1034.743770] ? lock_acquire+0x1dc/0x520 [ 1034.747737] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1034.753264] ? ip_setup_cork+0x4dc/0x7c0 [ 1034.757323] ip_append_data.part.48+0xf3/0x180 [ 1034.761912] ? raw_destroy+0x30/0x30 [ 1034.765627] ip_append_data+0x6d/0x90 [ 1034.769425] ? raw_destroy+0x30/0x30 [ 1034.773152] raw_sendmsg+0x1dae/0x29b0 [ 1034.777048] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1034.782157] ? graph_lock+0x170/0x170 [ 1034.785966] ? expand_files.part.8+0x9a0/0x9a0 [ 1034.790565] ? lock_downgrade+0x8e0/0x8e0 [ 1034.794709] ? lock_release+0xa10/0xa10 [ 1034.798678] ? __check_object_size+0x95/0x5d9 [ 1034.803170] inet_sendmsg+0x19f/0x690 [ 1034.806961] ? __might_sleep+0x95/0x190 [ 1034.810926] ? ipip_gro_receive+0x100/0x100 [ 1034.815239] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1034.820771] ? security_socket_sendmsg+0x94/0xc0 [ 1034.825518] ? ipip_gro_receive+0x100/0x100 [ 1034.829832] sock_sendmsg+0xd5/0x120 [ 1034.833539] __sys_sendto+0x3d7/0x670 [ 1034.837337] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1034.842004] ? wait_for_completion+0x870/0x870 [ 1034.846585] ? __lock_is_held+0xb5/0x140 [ 1034.850651] ? __sb_end_write+0xac/0xe0 [ 1034.854621] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1034.860147] ? fput+0x130/0x1a0 [ 1034.863418] ? ksys_write+0x1a6/0x250 [ 1034.867213] ? __ia32_sys_read+0xb0/0xb0 [ 1034.871281] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1034.876815] __x64_sys_sendto+0xe1/0x1a0 [ 1034.880881] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1034.885893] do_syscall_64+0x1b1/0x800 [ 1034.889774] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1034.894697] ? syscall_return_slowpath+0x30f/0x5c0 [ 1034.899622] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1034.904979] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1034.909835] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1034.915022] RIP: 0033:0x4559f9 [ 1034.918198] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1034.937559] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1034.945259] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1034.952533] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1034.959799] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1034.967058] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1034.974318] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000002 05:00:38 executing program 7: socket$inet6(0xa, 0x0, 0x0) r0 = socket(0xf, 0x1, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f00000004c0)=@broute={'broute\x00\x00d\x00', 0x20, 0x1, 0x1c8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x20000100], 0x0, &(0x7f0000000040), &(0x7f0000000100)=[{0x0, '\x00', 0x0, 0xffffffffffffffff, 0x1, [{{{0x9, 0x0, 0x0, 'bond0\x00', 'bond_slave_0\x00', 'veth0_to_team\x00', 'veth0\x00', @link_local={0x1, 0x80, 0xc2}, [], @empty, [], 0x108, 0x108, 0x138, [@limit={'limit\x00', 0x20, {{0xfffffffffffffc00, 0x81}}}, @ipvs={'ipvs\x00', 0x28, {{@ipv6}}}]}}, @common=@CONNSECMARK={'CONNSECMARK\x00', 0x8}}]}, {0x0, '\x00', 0x1, 0xffffffffffffffff}, {0x0, '\x00', 0x1, 0xffffffffffffffff}]}, 0x240) 05:00:38 executing program 4: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) setsockopt$sock_int(r1, 0x1, 0x10, &(0x7f0000000040)=0xffff, 0x4) bind$unix(r1, &(0x7f0000003000)=@file={0x1, "e91f7189591e9233614b00"}, 0xc) listen(r1, 0x0) r2 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) open_by_handle_at(r2, &(0x7f0000000140)=ANY=[@ANYBLOB="230000002466d7e4487cd06e667de816c168b2561e7013bb163a312935a80494"], 0x200040) connect$unix(r0, &(0x7f0000000080)=@file={0x1, "e91f7189591e9233614b00"}, 0x6e) ioctl$int_out(r2, 0x2, &(0x7f0000000100)) accept4$unix(r1, &(0x7f000046f000)=@abs, &(0x7f0000937000)=0x8, 0x0) 05:00:38 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x20000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") sendto$inet6(r1, &(0x7f0000000180)="500f23c1650ff1fde57643994563db16d1eb82ee905c2a82cc12aa40c170efbb0a5f84f9e3a95c265953b0d42ccd383dce2dc69ce93b478c72423f07f967d612cd4cd332431f4d75481daa29b2e9ef80d418d2e624948954448612515634a8607229fb0833219010da72ecc560852a8c2aab4ff9f8984dbeba021a6a0244c122b6cdd7ad3121d28dee211c61e26524c7fa5b9d078666208da526e48b568e54372f0899b6b96ad2c664e6d328dba3f15d94699e105f3b1f2f96ba96714680ed4c8d383ea47c4025ba7f00b77247beca", 0xcf, 0x0, 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:38 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:38 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x4}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:38 executing program 1 (fault-call:4 fault-nth:3): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7a000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1035.088739] binder: 27932:27939 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1035.115103] FAULT_INJECTION: forcing a failure. [ 1035.115103] name failslab, interval 1, probability 0, space 0, times 0 [ 1035.126537] CPU: 0 PID: 27940 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1035.131788] binder: 27932:27939 BC_FREE_BUFFER u0000000000000000 no match [ 1035.133466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1035.133473] Call Trace: [ 1035.133499] dump_stack+0x1b9/0x294 [ 1035.133522] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1035.133550] ? unwind_get_return_address+0x61/0xa0 [ 1035.166139] ? graph_lock+0x170/0x170 [ 1035.169956] should_fail.cold.4+0xa/0x1a [ 1035.174017] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1035.179123] ? __lock_is_held+0xb5/0x140 [ 1035.183171] ? __kmalloc_node_track_caller+0x47/0x70 [ 1035.188261] ? graph_lock+0x170/0x170 [ 1035.192057] ? __x64_sys_sendto+0xe1/0x1a0 [ 1035.196279] ? find_held_lock+0x36/0x1c0 [ 1035.200329] ? __lock_is_held+0xb5/0x140 [ 1035.204380] ? __irqentry_text_end+0xc0318/0x1f98a8 [ 1035.209395] ? check_same_owner+0x320/0x320 [ 1035.213706] ? rcu_note_context_switch+0x710/0x710 [ 1035.218689] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1035.223960] __should_failslab+0x124/0x180 [ 1035.228185] should_failslab+0x9/0x14 [ 1035.231971] kmem_cache_alloc_node+0x272/0x780 [ 1035.236539] ? __kmalloc_node_track_caller+0x47/0x70 [ 1035.241633] __alloc_skb+0x111/0x780 [ 1035.245335] ? skb_scrub_packet+0x580/0x580 [ 1035.249649] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1035.255173] ? ip_generic_getfrag+0x11c/0x2d0 [ 1035.259657] ? ip_reply_glue_bits+0xc0/0xc0 [ 1035.263973] ? raw_getfrag+0x15b/0x220 [ 1035.267855] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1035.272869] ? raw_destroy+0x30/0x30 [ 1035.276578] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1035.282364] ? ipv4_mtu+0x375/0x580 [ 1035.285979] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1035.291426] ? lock_acquire+0x1dc/0x520 [ 1035.295390] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1035.300911] ? ip_setup_cork+0x4dc/0x7c0 [ 1035.304959] ip_append_data.part.48+0xf3/0x180 [ 1035.309529] ? raw_destroy+0x30/0x30 [ 1035.313235] ip_append_data+0x6d/0x90 [ 1035.317026] ? raw_destroy+0x30/0x30 [ 1035.320731] raw_sendmsg+0x1dae/0x29b0 [ 1035.324614] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1035.329706] ? rcu_report_qs_rnp+0x790/0x790 [ 1035.334108] ? graph_lock+0x170/0x170 [ 1035.337902] ? expand_files.part.8+0x9a0/0x9a0 [ 1035.342469] ? check_same_owner+0x320/0x320 [ 1035.346789] ? lock_downgrade+0x8e0/0x8e0 [ 1035.350925] ? lock_release+0xa10/0xa10 [ 1035.354882] ? check_same_owner+0x320/0x320 [ 1035.359193] ? __check_object_size+0x95/0x5d9 [ 1035.363698] inet_sendmsg+0x19f/0x690 [ 1035.367495] ? __might_sleep+0x95/0x190 [ 1035.371458] ? ipip_gro_receive+0x100/0x100 [ 1035.375767] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1035.381292] ? security_socket_sendmsg+0x94/0xc0 [ 1035.386042] ? ipip_gro_receive+0x100/0x100 [ 1035.390351] sock_sendmsg+0xd5/0x120 [ 1035.394052] __sys_sendto+0x3d7/0x670 [ 1035.397840] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1035.402519] ? wait_for_completion+0x870/0x870 [ 1035.407097] ? __lock_is_held+0xb5/0x140 [ 1035.411158] ? __sb_end_write+0xac/0xe0 [ 1035.415124] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1035.420644] ? fput+0x130/0x1a0 [ 1035.423915] ? ksys_write+0x1a6/0x250 [ 1035.427705] ? __ia32_sys_read+0xb0/0xb0 [ 1035.431756] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1035.437288] __x64_sys_sendto+0xe1/0x1a0 [ 1035.441337] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1035.446343] do_syscall_64+0x1b1/0x800 [ 1035.450214] ? finish_task_switch+0x1ca/0x840 [ 1035.454697] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1035.459613] ? syscall_return_slowpath+0x30f/0x5c0 [ 1035.464529] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1035.469883] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1035.474715] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1035.479888] RIP: 0033:0x4559f9 [ 1035.483060] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1035.502329] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1035.510034] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1035.517288] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1035.524548] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1035.531804] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 05:00:39 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x9}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) [ 1035.539060] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000003 [ 1035.575534] binder: 27932:27939 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:39 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, &(0x7f0000000d00)={{0x2, 0x4e21, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:39 executing program 1 (fault-call:4 fault-nth:4): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1035.621969] binder: 27932:27939 BC_FREE_BUFFER u0000000000000000 no match [ 1035.647298] binder: 27956:27958 ERROR: BC_REGISTER_LOOPER called without request 05:00:39 executing program 7: r0 = syz_open_procfs(0x0, &(0x7f0000000080)="2f65786500000000000409004bddd9de91be10eebf000ee9a90f798058439ed554fa07424adee901d2da75af1f0200f5ab26d7a071fb35331ce39c5a") fcntl$F_GET_RW_HINT(r0, 0x40b, &(0x7f0000000000)) ioctl$DRM_IOCTL_GET_UNIQUE(r0, 0xc0106401, &(0x7f0000000140)={0x14, &(0x7f0000000100)}) getpeername$ipx(r0, &(0x7f0000000100), &(0x7f0000000180)=0x10) ioctl$KVM_IOEVENTFD(r0, 0xc0185879, &(0x7f00000000c0)={0x0, &(0x7f0000000040), 0xffffffffffffffff}) 05:00:39 executing program 4: r0 = memfd_create(&(0x7f0000000200)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 0x0) symlink(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)='./file0\x00') write$binfmt_misc(r0, &(0x7f0000000100)=ANY=[@ANYBLOB="ff7b7a31881860743d543c4b7aec851a192fe4cbeec4eebe6c7baac8818aa419be16987e3e59356f10038195455969f1f2372bd0f74bc498ea5f6798f0ce308677c0a70a3a34253c49fadc2720fa7393cbc30e1ba9b72c90351b7142977eb844ddb183f3760afd037012c0cbaf11cf2e7cde65bda7181577697a4ad6728955ee970f02c9af34bd2ea0ddb2f8da8f346f0deb9a3ac7dead5b4e4b"], 0xffffffde) setrlimit(0x7, &(0x7f0000000080)) execveat(r0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000300), &(0x7f0000000380), 0x1000) 05:00:39 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x10000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1035.832875] FAULT_INJECTION: forcing a failure. [ 1035.832875] name failslab, interval 1, probability 0, space 0, times 0 [ 1035.844362] CPU: 0 PID: 27978 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1035.851307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1035.860671] Call Trace: [ 1035.863274] dump_stack+0x1b9/0x294 [ 1035.866913] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1035.872101] ? is_bpf_text_address+0xd7/0x170 [ 1035.876586] ? kernel_text_address+0x79/0xf0 [ 1035.880987] ? __unwind_start+0x166/0x330 [ 1035.885128] should_fail.cold.4+0xa/0x1a [ 1035.889176] ? __save_stack_trace+0x7e/0xd0 [ 1035.893492] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1035.898616] ? graph_lock+0x170/0x170 [ 1035.902410] ? save_stack+0x43/0xd0 [ 1035.906024] ? kasan_kmalloc+0xc4/0xe0 [ 1035.909896] ? kasan_slab_alloc+0x12/0x20 [ 1035.914036] ? find_held_lock+0x36/0x1c0 [ 1035.918098] ? __lock_is_held+0xb5/0x140 [ 1035.922153] ? check_same_owner+0x320/0x320 [ 1035.926461] ? rcu_note_context_switch+0x710/0x710 [ 1035.931381] __should_failslab+0x124/0x180 [ 1035.935605] should_failslab+0x9/0x14 [ 1035.939393] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1035.944489] __kmalloc_node_track_caller+0x33/0x70 [ 1035.949406] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1035.954152] __alloc_skb+0x14d/0x780 [ 1035.957855] ? skb_scrub_packet+0x580/0x580 [ 1035.962189] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1035.967715] ? ip_generic_getfrag+0x11c/0x2d0 [ 1035.972217] ? ip_reply_glue_bits+0xc0/0xc0 [ 1035.976548] ? raw_getfrag+0x15b/0x220 [ 1035.980425] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1035.985436] ? raw_destroy+0x30/0x30 [ 1035.989149] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1035.994936] ? ipv4_mtu+0x375/0x580 [ 1035.998558] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1036.004094] ? lock_acquire+0x1dc/0x520 [ 1036.008059] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1036.013581] ? ip_setup_cork+0x4dc/0x7c0 [ 1036.017644] ip_append_data.part.48+0xf3/0x180 [ 1036.022217] ? raw_destroy+0x30/0x30 [ 1036.025918] ip_append_data+0x6d/0x90 [ 1036.029705] ? raw_destroy+0x30/0x30 [ 1036.033412] raw_sendmsg+0x1dae/0x29b0 [ 1036.037299] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1036.042390] ? rcu_report_qs_rnp+0x790/0x790 [ 1036.046790] ? graph_lock+0x170/0x170 [ 1036.050582] ? expand_files.part.8+0x9a0/0x9a0 [ 1036.055149] ? check_same_owner+0x320/0x320 [ 1036.059469] ? lock_downgrade+0x8e0/0x8e0 [ 1036.063606] ? lock_release+0xa10/0xa10 [ 1036.067566] ? check_same_owner+0x320/0x320 [ 1036.071873] ? __check_object_size+0x95/0x5d9 [ 1036.076357] inet_sendmsg+0x19f/0x690 [ 1036.080146] ? __might_sleep+0x95/0x190 [ 1036.084114] ? ipip_gro_receive+0x100/0x100 [ 1036.088425] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1036.093952] ? security_socket_sendmsg+0x94/0xc0 [ 1036.098706] ? ipip_gro_receive+0x100/0x100 [ 1036.103016] sock_sendmsg+0xd5/0x120 [ 1036.106719] __sys_sendto+0x3d7/0x670 [ 1036.110524] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1036.115183] ? wait_for_completion+0x870/0x870 [ 1036.119756] ? __lock_is_held+0xb5/0x140 [ 1036.123812] ? __sb_end_write+0xac/0xe0 [ 1036.127778] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1036.133319] ? fput+0x130/0x1a0 [ 1036.136589] ? ksys_write+0x1a6/0x250 [ 1036.140386] ? __ia32_sys_read+0xb0/0xb0 [ 1036.144451] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1036.149280] __x64_sys_sendto+0xe1/0x1a0 [ 1036.153344] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1036.158347] do_syscall_64+0x1b1/0x800 [ 1036.162220] ? finish_task_switch+0x1ca/0x840 [ 1036.166704] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1036.171626] ? syscall_return_slowpath+0x30f/0x5c0 [ 1036.176545] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1036.181901] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1036.186734] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1036.191929] RIP: 0033:0x4559f9 [ 1036.195110] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1036.214362] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1036.222059] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1036.229315] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1036.236572] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1036.243827] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1036.251079] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000004 05:00:40 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0xfdfdffff00000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) r2 = syz_open_dev$ndb(&(0x7f0000000040)='/dev/nbd#\x00', 0x0, 0x0) ioctl$BLKROTATIONAL(r2, 0x127e, &(0x7f0000000080)) 05:00:40 executing program 7: mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x1000000, 0x4000000031, 0xffffffffffffffff, 0x0) syslog(0x4, &(0x7f00000002c0)=""/223, 0xfffffd4f) syz_open_dev$loop(&(0x7f0000000100)='/dev/loop#\x00', 0x9, 0x101000) r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000140)='/dev/uinput\x00', 0x30040, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000800)={{{@in6=@local, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in6=@loopback}}, &(0x7f0000000900)=0xe8) getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000005c0)={0x0, @in6={{0xa, 0x4e22, 0x10000, @ipv4={[], [0xff, 0xff], @multicast1=0xe0000001}, 0x8}}, 0x2, 0x2, 0x0, 0x81, 0x20}, &(0x7f0000000680)=0x98) setsockopt$inet_sctp6_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f00000006c0)={r2, 0xfffffffffffffff9, 0xf65, 0x4}, 0x10) stat(&(0x7f0000000080)='./file0\x00', &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0}) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000a00)={{{@in6=@loopback={0x0, 0x1}, @in6=@dev={0xfe, 0x80, [], 0x19}, 0x4e20, 0x0, 0x4e23, 0x0, 0xa, 0xa0, 0x80, 0x8, r1, r3}, {0x7, 0x1, 0xfffffffffffffffe, 0x3, 0x2, 0x6, 0x2, 0x8}, {0x5, 0x800, 0x4, 0x9}, 0x3, 0x6e6bb0, 0x3, 0x1, 0x2, 0x1}, {{@in6, 0x4d2, 0x6c}, 0xa, @in=@dev={0xac, 0x14, 0x14, 0x1a}, 0x3507, 0x95eb3f9bab30b5c9, 0x3, 0x40, 0x4, 0xf840, 0xf84}}, 0xe8) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e22, 0x6, @mcast1={0xff, 0x1, [], 0x1}, 0x867}, 0x1c) sendmsg$nl_route(r0, &(0x7f0000000580)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x2000080}, 0xc, &(0x7f00000003c0)={&(0x7f0000000500)=@ipv6_newrule={0x80, 0x20, 0x500, 0x70bd2c, 0x25dfdbfe, {0xa, 0x80, 0x14, 0x2, 0x7, 0x0, 0x0, 0x0, 0x1e}, [@FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}, @FIB_RULE_POLICY=@FRA_L3MDEV={0x8, 0x13, 0x2}, @FRA_DST={0x14, 0x1}, @FRA_DST={0x14, 0x1, @remote={0xfe, 0x80, [], 0xbb}}, @FRA_SRC={0x14, 0x2, @ipv4={[], [0xff, 0xff], @remote={0xac, 0x14, 0x14, 0xbb}}}, @FRA_SRC={0x14, 0x2}]}, 0x80}, 0x1, 0x0, 0x0, 0x880}, 0x4000) mq_timedreceive(r0, &(0x7f00000001c0)=""/204, 0xcc, 0x2, 0x0) socket$inet6_tcp(0xa, 0x1, 0x0) getsockopt$IP_VS_SO_GET_DAEMON(r0, 0x0, 0x487, &(0x7f0000000400), &(0x7f00000004c0)=0x30) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer\x00', 0x416300, 0x0) ioprio_set$uid(0x3, r3, 0x6) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r0, 0x10e, 0x4, &(0x7f0000000180)=0xd68, 0x4) 05:00:40 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:40 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x5}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:40 executing program 4: r0 = socket(0x11, 0x100000803, 0x0) r1 = syz_open_dev$tun(&(0x7f00000000c0)='/dev/net/tun\x00', 0x0, 0x20000000002) socket$inet6_icmp_raw(0xa, 0x3, 0x3a) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={"6966623000faffffffffffffff00", 0x5001}) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000000)={'ifb0\x00', 0xa201}) getsockopt$EBT_SO_GET_ENTRIES(r0, 0x0, 0x81, &(0x7f0000000180)={'nat\x00', 0x0, 0x3, 0x0, [], 0x8, &(0x7f0000000100)=[{}, {}, {}, {}, {}, {}, {}, {}], &(0x7f0000000080)}, &(0x7f0000000200)=0x78) write$tun(r1, &(0x7f0000000240)=ANY=[@ANYBLOB="0500000000006a00000060af04ca004423000000000000e200000000ffffac1414bbff0200000000000000000000000000010420880b0000000000000800000086dd080088be00000000100000000100000000000000080080b104ed68b837631625cf11362d8922eb00000000200000000200000000000000000000000800655800000000"], 0x76) 05:00:40 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0xffffffff00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:40 executing program 1 (fault-call:4 fault-nth:5): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1036.507436] binder: 27989:27990 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1036.538505] binder: 27988:28002 ERROR: BC_REGISTER_LOOPER called without request [ 1036.541311] FAULT_INJECTION: forcing a failure. [ 1036.541311] name failslab, interval 1, probability 0, space 0, times 0 [ 1036.557449] CPU: 0 PID: 27995 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1036.558339] binder: 27988:28002 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1036.564378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1036.564385] Call Trace: [ 1036.564412] dump_stack+0x1b9/0x294 [ 1036.564434] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1036.564453] ? unwind_get_return_address+0x61/0xa0 [ 1036.564474] ? graph_lock+0x170/0x170 [ 1036.572552] binder: 27988:28002 unknown command 0 [ 1036.581884] should_fail.cold.4+0xa/0x1a [ 1036.581917] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1036.615981] ? __lock_is_held+0xb5/0x140 [ 1036.620056] ? __kmalloc_node_track_caller+0x47/0x70 [ 1036.621307] binder: 27988:28002 ioctl c0306201 2000dfd0 returned -22 [ 1036.625164] ? graph_lock+0x170/0x170 [ 1036.625186] ? __x64_sys_sendto+0xe1/0x1a0 [ 1036.625206] ? find_held_lock+0x36/0x1c0 [ 1036.625229] ? __lock_is_held+0xb5/0x140 [ 1036.625257] ? check_same_owner+0x320/0x320 [ 1036.625276] ? rcu_note_context_switch+0x710/0x710 [ 1036.639107] binder: 27989:27990 BC_FREE_BUFFER u0000000000000000 no match [ 1036.639765] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1036.669283] __should_failslab+0x124/0x180 [ 1036.673528] should_failslab+0x9/0x14 [ 1036.677327] kmem_cache_alloc_node+0x272/0x780 [ 1036.681903] ? __kmalloc_node_track_caller+0x47/0x70 [ 1036.687060] __alloc_skb+0x111/0x780 [ 1036.690764] ? skb_scrub_packet+0x580/0x580 [ 1036.695076] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1036.700604] ? ip_generic_getfrag+0x11c/0x2d0 [ 1036.705089] ? ip_reply_glue_bits+0xc0/0xc0 [ 1036.709407] ? raw_getfrag+0x15b/0x220 [ 1036.713283] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1036.718289] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1036.723296] ? raw_destroy+0x30/0x30 [ 1036.727008] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1036.732794] ? ipv4_mtu+0x375/0x580 [ 1036.736410] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1036.741876] ? lock_acquire+0x1dc/0x520 [ 1036.745846] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1036.751367] ? ip_setup_cork+0x4dc/0x7c0 [ 1036.755417] ip_append_data.part.48+0xf3/0x180 [ 1036.759991] ? raw_destroy+0x30/0x30 [ 1036.763693] ip_append_data+0x6d/0x90 [ 1036.767482] ? raw_destroy+0x30/0x30 [ 1036.771201] raw_sendmsg+0x1dae/0x29b0 [ 1036.775083] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1036.780197] ? rcu_report_qs_rnp+0x790/0x790 [ 1036.784600] ? graph_lock+0x170/0x170 [ 1036.788395] ? expand_files.part.8+0x9a0/0x9a0 [ 1036.792965] ? check_same_owner+0x320/0x320 [ 1036.797286] ? lock_downgrade+0x8e0/0x8e0 [ 1036.801425] ? lock_release+0xa10/0xa10 [ 1036.805386] ? check_same_owner+0x320/0x320 [ 1036.809697] ? __check_object_size+0x95/0x5d9 [ 1036.814185] inet_sendmsg+0x19f/0x690 [ 1036.817974] ? __might_sleep+0x95/0x190 [ 1036.821936] ? ipip_gro_receive+0x100/0x100 [ 1036.826250] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1036.831774] ? security_socket_sendmsg+0x94/0xc0 [ 1036.836517] ? ipip_gro_receive+0x100/0x100 [ 1036.840827] sock_sendmsg+0xd5/0x120 [ 1036.844530] __sys_sendto+0x3d7/0x670 [ 1036.848318] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1036.852979] ? wait_for_completion+0x870/0x870 [ 1036.857572] ? __lock_is_held+0xb5/0x140 [ 1036.861629] ? __sb_end_write+0xac/0xe0 [ 1036.865594] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1036.871115] ? fput+0x130/0x1a0 [ 1036.874387] ? ksys_write+0x1a6/0x250 [ 1036.878177] ? __ia32_sys_read+0xb0/0xb0 [ 1036.882226] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1036.887768] __x64_sys_sendto+0xe1/0x1a0 [ 1036.891815] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1036.896821] do_syscall_64+0x1b1/0x800 [ 1036.900694] ? finish_task_switch+0x1ca/0x840 [ 1036.905177] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1036.910092] ? syscall_return_slowpath+0x30f/0x5c0 [ 1036.915011] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1036.920363] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1036.925196] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1036.930373] RIP: 0033:0x4559f9 [ 1036.933545] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 05:00:40 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") semget(0x2, 0x2, 0x400) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00009e3ff6)='/dev/ptmx\x00', 0x0, 0x0) syz_open_pts(r1, 0x0) close(r1) [ 1036.952797] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1036.960492] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1036.967746] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1036.975002] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1036.982255] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1036.989512] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000005 05:00:40 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x0, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0c630000ff3d83554f4b35bffb2bd3a3b00489f9b3e4d488f65e5a94234900000000000000d4fe8b7a07f0e016a2b746afd23c265775a5b3fa8d6ebc6a3c0f8007a9ec4dfa1c1c839e169149ed31cf303a5de2e0cbe2b8c14322bd710eeb65e98a858abfa429db8714d8ae1f36e04ab2a26113a3fdfb49beda7f171cad363cf9cf55d12e201f008efc5b794e0997e144bdec77f9e87596cb09a1de0d39321b033f39f587bacd16d08ca51c84228c94bc7308c8c3f96f5bbb1f0d633d4c581cbbeea4bb8ec09a2dddef6997a9e0f02a68a6a0d285af04ddfc75964c4a9ec4559d"], 0x0, 0x0, &(0x7f0000008f37)}) [ 1037.009555] binder: 27989:27990 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:40 executing program 7: r0 = socket$inet_sctp(0x2, 0x0, 0x84) r1 = add_key$keyring(&(0x7f0000000380)='keyring\x00', &(0x7f00000003c0)={0x73, 0x79, 0x7a, 0x0}, 0x0, 0x0, 0xffffffffffffffff) add_key$keyring(&(0x7f0000000300)='keyring\x00', &(0x7f0000000340)={0x73, 0x79, 0x7a, 0x2}, 0x0, 0x0, r1) r2 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet_sctp_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x7e4f}, 0xb) ioctl(r2, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") sendto$inet(r0, &(0x7f0000000000)="f2", 0x1, 0x0, &(0x7f00000000c0)={0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 0x10) recvfrom$inet(r0, &(0x7f0000000100), 0x0, 0x2, &(0x7f0000000180)={0x2, 0x0, @broadcast=0xffffffff}, 0x709000) r3 = add_key$user(&(0x7f0000000040)='user\x00', &(0x7f0000000080)={0x73, 0x79, 0x7a, 0x0}, &(0x7f00000001c0)="0f5929cc41dc28478a467e23b9b9a7c67a57d5df81e747ab97b7a1e6a3322123536235963fd6b9144321f774e7870bce2e5c60e5d7cb35fc9f14d32233f86c2296d3895107c0908d0bb2a20df5fef3b0b95b4f46e4b1255cf756dd607965ddcf0982495675ad07f771c7d2189f40daaa8ca9ce5d62484216f395155a9c4835281168fcfac4605655471b78962518053f14382c53ce99f4c0ab912348577974cc9c42f5ee8bdea2304d5f201ecead19e24ea2f17f8334a10b4b3636d0", 0xbc, 0xfffffffffffffffe) r4 = add_key$keyring(&(0x7f0000000140)='keyring\x00', &(0x7f0000000280)={0x73, 0x79, 0x7a, 0x0}, 0x0, 0x0, 0xfffffffffffffffa) r5 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000400)='/dev/mixer\x00', 0x400, 0x0) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000540)={{{@in6=@ipv4={[], [], @multicast1}, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in6=@mcast1}}, &(0x7f0000000640)=0xe8) rt_sigaction(0x19, &(0x7f00000006c0)={0x6, {0x4}, 0x2}, 0x0, 0x8, &(0x7f0000000700)) sendto$packet(r5, &(0x7f0000000440)="f0096d6857219106e14474fad40dc177786095775c85cf74eb04c1d1d530426d971bd6426937bfb227dab3d0dade10c2765c521c3fd5a156c7b11384809fe7e3229f7cacd0abfb548ea202eca82e5dd5795adee407db239edd144a80b50e75c67517b82fcc0602d4aae7bf48de4013836acf6c01f74252eb5372a96b746c3419af7f445b7cc422d3b6bfa91b37048fb75fa7bc454ea56479a574170b7a844b4586a9e2e17b75df9235315b550db0c43c8aa4894aafdde75f697317a41568c84a9820e53174e25947940ee0e3c3fc9ba2164a6195ae269af7b39c2c895b0f681041501ae72d634f3e", 0xe8, 0x20008000, &(0x7f0000000680)={0x11, 0x18, r6, 0x1, 0x3, 0x6, @remote={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xbb}}, 0x14) keyctl$link(0x8, r3, r4) [ 1037.060003] binder: 27989:27990 BC_FREE_BUFFER u0000000000000000 no match 05:00:40 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x700, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1037.211866] binder: 28027:28029 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1037.230098] binder: 28027:28029 BC_FREE_BUFFER u0000000000000000 no match [ 1037.241094] binder: 28027:28029 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1037.248522] binder: 28027:28029 BC_FREE_BUFFER u0000000000000000 no match [ 1037.362595] binder: 28019:28020 ERROR: BC_REGISTER_LOOPER called without request [ 1037.370594] binder: 28019:28020 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1037.378737] binder: 28019:28020 unknown command 1434664447 [ 1037.384510] binder: 28019:28020 ioctl c0306201 2000dfd0 returned -22 [ 1037.391611] ALSA: seq fatal error: cannot create timer (-22) 05:00:41 executing program 1 (fault-call:4 fault-nth:6): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:41 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x4000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x48, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:41 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x0, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f00000000c0)='/dev/binder#\x00', 0x0, 0x2) r1 = socket$inet6(0xa, 0x1, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000040)={0xa, 0x0, 0x4, 0x5, 0x4, 0xffffffffffffffff, 0x32cf}, 0x2c) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:41 executing program 4: mmap(&(0x7f0000600000/0x4000)=nil, 0x4000, 0x0, 0x44031, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x4}) r1 = dup2(r0, r0) ioctl$UFFDIO_REGISTER(r1, 0x8010aa01, &(0x7f0000000080)={{&(0x7f0000600000/0x3000)=nil, 0x3000}}) 05:00:41 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:41 executing program 7: r0 = socket$inet6(0xa, 0x1000000000001, 0x0) ioctl(r0, 0x8912, &(0x7f0000000200)="0047fc2f07d82c99240970") r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_open_dev$mice(&(0x7f0000000080)='/dev/input/mice\x00', 0x0, 0x0) setsockopt$inet_tcp_int(r3, 0x6, 0x8, &(0x7f00000000c0)=0x60291a89, 0x4) getsockopt$llc_int(r3, 0x10c, 0xf, &(0x7f0000000140), &(0x7f0000000180)=0x4) bind$netlink(r2, &(0x7f0000000000)={0x10, 0x0, 0x0, 0x400000}, 0xc) bind$netlink(r1, &(0x7f0000000040)={0x10, 0x0, 0x0, 0x8}, 0xc) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r1, 0x10e, 0x2, &(0x7f0000000100)=0x4, 0x4) ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc4c85512, &(0x7f0000000240)={{0x6, 0x3, 0x40, 0xffffffff, 'syz0\x00', 0x643}, 0x1, [0x20, 0x40, 0xff6, 0x0, 0xbb, 0xab8, 0x200, 0x3, 0xac3, 0x80, 0x5, 0x9, 0xffffffff, 0x0, 0x20000000, 0x7, 0x4, 0xa01, 0x29e0, 0x4, 0x5, 0xffff, 0x0, 0x9, 0x2, 0x2c45, 0x1, 0x3, 0x61, 0x80000001, 0x31da, 0x9, 0x80000000, 0xfffffffffffffa81, 0xff, 0x8, 0xffff, 0x4, 0x80000000, 0xffffffff, 0x1, 0xfe9, 0x7a, 0x3, 0xffffffffffffff7f, 0x4, 0x7, 0x1, 0xb55e, 0x6, 0x0, 0x2, 0x6, 0x5, 0x5, 0x0, 0x6, 0x9, 0x2, 0x2, 0x4582e16d, 0x6, 0x5, 0x6, 0x43507895, 0x4d7064aa, 0xd13ee27, 0x652df08f, 0xcea, 0x8, 0x0, 0xffffffff, 0x2, 0x7fff, 0x6, 0x3, 0x0, 0xc068, 0x5, 0x10000, 0x4000000000, 0x5, 0x1, 0x6, 0xffffffffffff8001, 0x401, 0x2, 0x620, 0x6965, 0x5, 0xff, 0x4, 0x800, 0x0, 0x1, 0x79, 0x7f, 0x4, 0x0, 0x0, 0xffffffffffffff6d, 0x8, 0x2, 0x1, 0x9, 0xbb, 0x42bdfaed, 0x0, 0x9, 0x10000, 0x3, 0xb7, 0x0, 0x1, 0x0, 0x38a, 0x1, 0xffffffff, 0x1, 0x7, 0xffffffffffffff01, 0x1ff, 0x80, 0x5, 0x1ff, 0xfffffffffffffffa, 0x3, 0x8001], {0x77359400}}) [ 1037.564613] ALSA: seq fatal error: cannot create timer (-22) [ 1037.597408] binder: 28041:28043 ERROR: BC_REGISTER_LOOPER called without request 05:00:41 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x2300000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1037.616296] binder: 28050:28054 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1037.623071] binder: 28041:28043 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1037.627306] binder: 28050:28054 BC_FREE_BUFFER u0000000000000000 no match [ 1037.631396] binder: 28041:28043 unknown command 0 [ 1037.643792] binder: 28041:28043 ioctl c0306201 2000dfd0 returned -22 [ 1037.655900] FAULT_INJECTION: forcing a failure. [ 1037.655900] name failslab, interval 1, probability 0, space 0, times 0 [ 1037.667226] CPU: 1 PID: 28046 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1037.674165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1037.683527] Call Trace: [ 1037.686131] dump_stack+0x1b9/0x294 [ 1037.689776] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1037.694980] ? is_bpf_text_address+0xd7/0x170 [ 1037.699490] ? kernel_text_address+0x79/0xf0 [ 1037.703909] ? __unwind_start+0x166/0x330 [ 1037.708073] should_fail.cold.4+0xa/0x1a [ 1037.712145] ? __save_stack_trace+0x7e/0xd0 [ 1037.716485] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1037.721633] ? graph_lock+0x170/0x170 [ 1037.725447] ? save_stack+0x43/0xd0 [ 1037.729088] ? kasan_kmalloc+0xc4/0xe0 [ 1037.732988] ? kasan_slab_alloc+0x12/0x20 [ 1037.737154] ? find_held_lock+0x36/0x1c0 [ 1037.741237] ? __lock_is_held+0xb5/0x140 [ 1037.745330] ? check_same_owner+0x320/0x320 [ 1037.749666] ? rcu_note_context_switch+0x710/0x710 [ 1037.754614] __should_failslab+0x124/0x180 [ 1037.758862] should_failslab+0x9/0x14 [ 1037.762671] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1037.767769] __kmalloc_node_track_caller+0x33/0x70 [ 1037.772691] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1037.777437] __alloc_skb+0x14d/0x780 [ 1037.781138] ? skb_scrub_packet+0x580/0x580 [ 1037.785449] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1037.790975] ? ip_generic_getfrag+0x11c/0x2d0 [ 1037.795464] ? ip_reply_glue_bits+0xc0/0xc0 [ 1037.799783] ? raw_getfrag+0x15b/0x220 [ 1037.803658] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1037.808666] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1037.813677] ? raw_destroy+0x30/0x30 [ 1037.817386] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1037.823172] ? ipv4_mtu+0x375/0x580 [ 1037.826787] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1037.832232] ? lock_acquire+0x1dc/0x520 [ 1037.836197] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1037.841722] ? ip_setup_cork+0x4dc/0x7c0 [ 1037.845773] ip_append_data.part.48+0xf3/0x180 [ 1037.850346] ? raw_destroy+0x30/0x30 [ 1037.854051] ip_append_data+0x6d/0x90 [ 1037.857840] ? raw_destroy+0x30/0x30 [ 1037.861545] raw_sendmsg+0x1dae/0x29b0 [ 1037.865428] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1037.870520] ? rcu_report_qs_rnp+0x790/0x790 [ 1037.874922] ? graph_lock+0x170/0x170 [ 1037.878717] ? expand_files.part.8+0x9a0/0x9a0 [ 1037.883287] ? check_same_owner+0x320/0x320 [ 1037.887615] ? lock_downgrade+0x8e0/0x8e0 [ 1037.891752] ? lock_release+0xa10/0xa10 [ 1037.895711] ? check_same_owner+0x320/0x320 [ 1037.900047] ? __check_object_size+0x95/0x5d9 [ 1037.904533] inet_sendmsg+0x19f/0x690 [ 1037.908324] ? __might_sleep+0x95/0x190 [ 1037.912297] ? ipip_gro_receive+0x100/0x100 [ 1037.916610] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1037.922137] ? security_socket_sendmsg+0x94/0xc0 [ 1037.926881] ? ipip_gro_receive+0x100/0x100 [ 1037.931242] sock_sendmsg+0xd5/0x120 [ 1037.934947] __sys_sendto+0x3d7/0x670 [ 1037.938735] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1037.943409] ? wait_for_completion+0x870/0x870 [ 1037.947985] ? __lock_is_held+0xb5/0x140 [ 1037.952045] ? __sb_end_write+0xac/0xe0 [ 1037.956006] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1037.961543] ? fput+0x130/0x1a0 [ 1037.964821] ? ksys_write+0x1a6/0x250 [ 1037.968616] ? __ia32_sys_read+0xb0/0xb0 [ 1037.972664] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1037.978190] __x64_sys_sendto+0xe1/0x1a0 [ 1037.982238] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1037.987248] do_syscall_64+0x1b1/0x800 [ 1037.991124] ? finish_task_switch+0x1ca/0x840 [ 1037.995607] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1038.000546] ? syscall_return_slowpath+0x30f/0x5c0 [ 1038.005464] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1038.010822] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1038.015655] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1038.020845] RIP: 0033:0x4559f9 [ 1038.024016] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1038.043268] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1038.050966] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1038.058222] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 05:00:41 executing program 4: r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) ioctl$fiemap(r0, 0x40086602, &(0x7f0000000240)=ANY=[]) pwritev(r0, &(0x7f0000000180)=[{&(0x7f00000000c0)="be", 0x1}], 0x1, 0x100000) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000000)={0x0, 0x6}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000080)={r1, 0x4}, 0x8) ioctl$fiemap(r0, 0xc020660b, &(0x7f0000000200)={0xffff, 0x8000, 0x3, 0x9, 0x9, [{0x40, 0x10001, 0x1, 0x0, 0x0, 0x48b}, {0x6, 0x502, 0x0, 0x0, 0x0, 0x808}, {0x4, 0x0, 0x3}, {0x7fff, 0x49c, 0xcc9, 0x0, 0x0, 0x4}, {0xc0a, 0x6b9, 0x9, 0x0, 0x0, 0x300}, {0xda39, 0x15, 0x9, 0x0, 0x0, 0x904}, {0x2, 0xda71, 0x7, 0x0, 0x0, 0x400}, {0xb7f, 0x7, 0x8000}, {0xfff, 0xffffffffffff97e7, 0x5, 0x0, 0x0, 0x2}]}) lseek(r0, 0x0, 0x3) 05:00:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x6, 0x200003e) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="f22d4dfd"], 0x0, 0x0, &(0x7f0000008f37)}) r2 = getuid() r3 = getgid() mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f00000003c0)='./cgroup/syz0\x00', 0x1ff) fchown(r0, r2, r3) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x1f, &(0x7f0000000040)={0x0, @in={{0x2, 0x4e21, @multicast1=0xe0000001}}, 0x9, 0xee7}, &(0x7f0000000180)=0x90) getsockopt$inet_sctp_SCTP_MAX_BURST(0xffffffffffffff9c, 0x84, 0x14, &(0x7f00000001c0)=@assoc_value={0x0}, &(0x7f0000000200)=0x8) r6 = syz_open_dev$mice(&(0x7f0000000480)='/dev/input/mice\x00', 0x0, 0xa0000) ioctl$PIO_UNIMAP(r6, 0x4b67, &(0x7f0000000500)={0x1, &(0x7f00000004c0)=[{0x800, 0x8}]}) r7 = syz_open_dev$amidi(&(0x7f0000000400)='/dev/amidi#\x00', 0x10000, 0x201) setsockopt$bt_l2cap_L2CAP_LM(r7, 0x6, 0x3, &(0x7f0000000440)=0x8, 0x4) getsockopt$inet_sctp6_SCTP_STATUS(r1, 0x84, 0xe, &(0x7f0000000240)={r4, 0x0, 0xffffffffffffffff, 0x8000, 0x6, 0x5, 0x7, 0x5, {r5, @in={{0x2, 0x4e22, @broadcast=0xffffffff}}, 0x3, 0x9, 0x100000000, 0x34, 0x7}}, &(0x7f0000000300)=0xb0) r8 = socket$inet(0x2, 0x80e, 0x5) getsockopt$inet_sctp_SCTP_RECVNXTINFO(r8, 0x84, 0x21, &(0x7f0000000340), &(0x7f0000000380)=0x4) [ 1038.065478] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1038.072735] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1038.079992] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000006 [ 1038.093709] binder: 28050:28054 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1038.111865] binder: 28050:28054 BC_FREE_BUFFER u0000000000000000 no match 05:00:41 executing program 7: bind$alg(0xffffffffffffffff, &(0x7f00000001c0)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128-aesni\x00'}, 0x58) r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x100000001, 0x101000) setsockopt$inet_tcp_int(r0, 0x6, 0x10, &(0x7f0000000780)=0x400, 0x4) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffff9c, 0x84, 0x6, &(0x7f0000000240)={0x0, @in6={{0xa, 0x4e23, 0x6, @remote={0xfe, 0x80, [], 0xbb}, 0x7}}}, &(0x7f0000000040)=0x84) getsockopt$inet_sctp_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f00000000c0)={r1, 0x3}, &(0x7f0000000140)=0x8) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000740)='/dev/rtc0\x00', 0x101000, 0x0) setsockopt$ALG_SET_KEY(0xffffffffffffffff, 0x117, 0x1, &(0x7f0000ff8000)="0a0775b005e381e5b3b60ced5c54dbb7", 0x10) r3 = getpid() getpgid(r3) ioctl$DRM_IOCTL_ADD_BUFS(r0, 0xc0206416, &(0x7f0000000540)={0x9, 0x3, 0xfffffffffffffffa, 0x7b, 0xc, 0x81}) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x5, &(0x7f0000000480)={r1, @in6={{0xa, 0x4e22, 0x3, @mcast2={0xff, 0x2, [], 0x1}, 0x3}}}, 0x84) socket$vsock_stream(0x28, 0x1, 0x0) r4 = accept$alg(0xffffffffffffffff, 0x0, 0x0) sendmmsg$alg(r4, &(0x7f0000003e80)=[{0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000300)="9490aaca7fb45b4fd1f1f779129d06c2c32a0e11e1760b664689ac57856a4100ab5f09b1e83073b29301663736fc0487cd11fc3c6de8c30c3630437df212d2610e1967496ba981e03e0589561a93744e2a2204882c01489634e0b1d302c71faec185bb9b697306c385bbe8ace521845e8a1e5658b3c8c2482f21ee2c54eb19473d648ed3fda3f1f51f68ce7b25bc0684cc3fb832170f4aac5df1538aec4d62ce0c6a75ae2b6e87286430c521da511e1a700cdeb685aa8ff2ea95bc59a27540dd16655029dad9ae0d381fab1691d6ee877b48dee082ee0dd6a6d964", 0xdb}, {&(0x7f0000000400)="e6bbb606266f827512595a11e189691ca8e2797b5da0c5c035ef7d8a084993bb86bdd04f2017ac79a4aef3844fe5ba0aed0031e781a2b0a3fe60da14c4dc849f1c6aefe2fcdf87878a47989596a246eb015524ecead5314426b9fe82059e257223d818e9da256a986d699caa35d1765d0b1ce6b325b467", 0x77}], 0x2, &(0x7f0000000100)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}], 0x1, 0x0) r5 = getpgrp(0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_ADD(r0, 0xc1105517, &(0x7f0000000600)={{0x9, 0x6, 0x0, 0x6, 'syz1\x00', 0x8837}, 0x2, 0x10000230, 0x10000, r5, 0x2, 0x6, 'syz1\x00', &(0x7f00000005c0)=['aegis128-aesni\x00', 'vmnet1\'\x00'], 0x17, [], [0x10000, 0x20, 0x1, 0x9]}) ioctl$VHOST_GET_FEATURES(r0, 0x8008af00, &(0x7f0000000580)) sched_setaffinity(r3, 0x8, &(0x7f00000007c0)=0xffffffff7fffffff) recvmmsg(r4, &(0x7f0000000080)=[{{0x0, 0x0, &(0x7f0000006140)=[{&(0x7f0000006000)=""/103, 0x67}, {&(0x7f0000006080)=""/160, 0xa0}], 0x2, &(0x7f00000061c0)=""/4096, 0x1000}}], 0x1, 0x0, &(0x7f0000007380)={0x0, 0x1c9c380}) setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, &(0x7f0000000800)="df1b7b596dc44e0b1107a13a257ae06218f7f61750695447231898630dcf6415909dacfa48b89e85119a10e88efb23e62523242ac00666f30b5657a5104d8ed58a2f09459c9ebf5c9439d62067ca086178221bc5c570b326e1421f1abde5660137a69cf00e68696d20d489994d0d42053012343e42a3578bf7cb028ed0a089658072fc42479aa4f53f9c940f33eedbc9455ee4faa44d682efde0e27983b8099a068378856cf89d1c5406e7f0d1d978c7d3ea326f935abc684ceb7696e85f8a7ffdf0aa74af06c280561a1af70fe6002e60d402448fc8c8a62512e0b33decfc15da7e5f3da3d2fb7b81842be3a7", 0xed) 05:00:41 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x0, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:41 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x1e00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:41 executing program 1 (fault-call:4 fault-nth:7): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1038.174139] binder: 28068:28075 ERROR: BC_REGISTER_LOOPER called without request 05:00:41 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x40000000000000, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x6) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_GET_XCRS(r2, 0x8188aea6, &(0x7f0000000040)) r3 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000001440)='/dev/vga_arbiter\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f0000001480)={0x0, 0x61, "c235eb23631d993afd792f7f6b419c281e8214e89e9790a082bc47381078d5ca80a0f22f17e17d66114753929222e5f465a4ef524f4c18115bdc33ed6fb9843732b0389e7175061be02ffa26224ca4082d989831a9d0ee8bdfdc959f0e7db58746"}, &(0x7f0000001500)=0x69) getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r4, 0x84, 0x76, &(0x7f0000001540)={r5, 0x9}, &(0x7f0000001580)=0x8) tkill(r3, 0x1000000000016) [ 1038.231460] binder: 28068:28075 unknown command -45273614 [ 1038.242770] binder: 28068:28075 ioctl c0306201 2000dfd0 returned -22 05:00:41 executing program 7: r0 = socket(0x11, 0x3, 0x0) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vga_arbiter\x00', 0x105000, 0x0) getsockname$packet(r0, &(0x7f0000000140)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x14) bind$can_raw(r1, &(0x7f00000001c0)={0x1d, r2}, 0x10) ioctl$KVM_SET_NR_MMU_PAGES(r1, 0xae44, 0x9) uname(&(0x7f0000000040)=""/192) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000000)={0x0, 0xffffffe}, 0x4) 05:00:41 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4c, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1038.271923] binder: 28068:28075 ERROR: BC_REGISTER_LOOPER called without request [ 1038.280147] binder: 28068:28085 unknown command -45273614 [ 1038.286062] binder: 28068:28085 ioctl c0306201 2000dfd0 returned -22 [ 1038.342152] binder: 28092:28093 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1038.351285] FAULT_INJECTION: forcing a failure. [ 1038.351285] name failslab, interval 1, probability 0, space 0, times 0 [ 1038.362623] CPU: 0 PID: 28087 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1038.369564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1038.378929] Call Trace: [ 1038.381527] dump_stack+0x1b9/0x294 [ 1038.385151] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1038.390353] ? unwind_get_return_address+0x61/0xa0 [ 1038.395270] ? graph_lock+0x170/0x170 [ 1038.399059] should_fail.cold.4+0xa/0x1a [ 1038.403109] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1038.408203] ? __lock_is_held+0xb5/0x140 [ 1038.412251] ? __kmalloc_node_track_caller+0x47/0x70 [ 1038.417344] ? graph_lock+0x170/0x170 [ 1038.421133] ? __x64_sys_sendto+0xe1/0x1a0 [ 1038.425359] ? find_held_lock+0x36/0x1c0 [ 1038.429408] ? __lock_is_held+0xb5/0x140 [ 1038.433462] ? check_same_owner+0x320/0x320 [ 1038.437778] ? rcu_note_context_switch+0x710/0x710 [ 1038.442695] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1038.447962] __should_failslab+0x124/0x180 [ 1038.452185] should_failslab+0x9/0x14 [ 1038.455970] kmem_cache_alloc_node+0x272/0x780 [ 1038.460541] ? __kmalloc_node_track_caller+0x47/0x70 [ 1038.465637] __alloc_skb+0x111/0x780 [ 1038.469342] ? skb_scrub_packet+0x580/0x580 [ 1038.473653] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1038.479179] ? ip_generic_getfrag+0x11c/0x2d0 [ 1038.483663] ? ip_reply_glue_bits+0xc0/0xc0 [ 1038.487978] ? raw_getfrag+0x15b/0x220 [ 1038.491853] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1038.496879] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1038.501892] ? raw_destroy+0x30/0x30 [ 1038.505602] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1038.511391] ? ipv4_mtu+0x375/0x580 [ 1038.515010] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1038.520461] ? lock_acquire+0x1dc/0x520 [ 1038.524429] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1038.529957] ? ip_setup_cork+0x4dc/0x7c0 [ 1038.534006] ip_append_data.part.48+0xf3/0x180 [ 1038.538581] ? raw_destroy+0x30/0x30 [ 1038.542285] ip_append_data+0x6d/0x90 [ 1038.546072] ? raw_destroy+0x30/0x30 [ 1038.549777] raw_sendmsg+0x1dae/0x29b0 [ 1038.553685] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1038.558780] ? rcu_report_qs_rnp+0x790/0x790 [ 1038.563178] ? graph_lock+0x170/0x170 [ 1038.566974] ? expand_files.part.8+0x9a0/0x9a0 [ 1038.571543] ? check_same_owner+0x320/0x320 [ 1038.575871] ? lock_downgrade+0x8e0/0x8e0 [ 1038.580013] ? lock_release+0xa10/0xa10 [ 1038.583975] ? check_same_owner+0x320/0x320 [ 1038.588286] ? __check_object_size+0x95/0x5d9 [ 1038.592771] inet_sendmsg+0x19f/0x690 [ 1038.596556] ? __might_sleep+0x95/0x190 [ 1038.600518] ? ipip_gro_receive+0x100/0x100 [ 1038.604831] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1038.610356] ? security_socket_sendmsg+0x94/0xc0 [ 1038.615112] ? ipip_gro_receive+0x100/0x100 [ 1038.619422] sock_sendmsg+0xd5/0x120 [ 1038.623145] __sys_sendto+0x3d7/0x670 [ 1038.626935] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1038.631596] ? wait_for_completion+0x870/0x870 [ 1038.636170] ? __lock_is_held+0xb5/0x140 [ 1038.640227] ? __sb_end_write+0xac/0xe0 [ 1038.644190] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1038.649713] ? fput+0x130/0x1a0 [ 1038.652990] ? ksys_write+0x1a6/0x250 [ 1038.656779] ? __ia32_sys_read+0xb0/0xb0 [ 1038.660825] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1038.666352] __x64_sys_sendto+0xe1/0x1a0 [ 1038.670404] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1038.675409] do_syscall_64+0x1b1/0x800 [ 1038.679283] ? finish_task_switch+0x1ca/0x840 [ 1038.683779] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1038.688698] ? syscall_return_slowpath+0x30f/0x5c0 [ 1038.693616] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1038.698970] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1038.703802] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1038.708984] RIP: 0033:0x4559f9 [ 1038.712159] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1038.731411] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c 05:00:42 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(0xffffffffffffffff, &(0x7f0000000080)=[{&(0x7f0000000240)=""/163, 0xa3}, {&(0x7f0000000300)=""/242, 0xf2}], 0x2) [ 1038.739106] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1038.746363] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1038.753618] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1038.760874] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1038.768127] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000007 [ 1038.775697] binder: 28092:28093 BC_FREE_BUFFER u0000000000000000 no match [ 1038.854929] binder: 28092:28093 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1038.904997] binder: 28092:28093 BC_FREE_BUFFER u0000000000000000 no match 05:00:42 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x68}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:42 executing program 7: r0 = fcntl$dupfd(0xffffffffffffffff, 0x406, 0xffffffffffffffff) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f0000000000)={{0xffffffffffffffff, 0x0, 0x3ff, 0x4, 0xfffffffffffffffe}}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="180000000000000000000000028000006a0a00fffffff6006118"], &(0x7f0000000080)='syzkaller\x00', 0x0, 0xce, &(0x7f0000000180)=""/206}, 0x48) ioctl$BLKPBSZGET(r0, 0x127b, &(0x7f00000002c0)) bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x9, 0x5, &(0x7f0000000140)=ANY=[@ANYBLOB="1800000000000000000000000000f8dc3b54f361a10000050000000400000000000000000000009500000000000000"], &(0x7f00000004c0)="73797a6b584e3e2f9afed6d0ee3d5d5de2f791e4545b69c564e359a02949ab535c1b25caa665b968d2f1a32e3febe4189befa5f044722bae83e5b6959e392e8d24e41b4ce153c97b5a23e135e38d3b1d14ad7a9eeb7069347fee053569544f1a0000000000000000", 0x80000001, 0xbb, &(0x7f0000000300)=""/187, 0x0, 0x0, [], 0x0, 0xc}, 0x48) 05:00:42 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x4000000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:42 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:00:42 executing program 1 (fault-call:4 fault-nth:8): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:42 executing program 4: r0 = socket$kcm(0x29, 0x5, 0x0) ioctl(r0, 0x8912, &(0x7f0000000240)="0047fc2f07d82c99240970") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) socket$inet6(0xa, 0x5, 0x7) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, &(0x7f00000000c0)="c4824da82b66ba2100b801000000efb9270900000f323640a7650f30c4e2899c8e02000000f02046452ef3440f6fb800f0ff7fc42101dbc40f2047"}], 0x0, 0x0, &(0x7f0000000080), 0x0) ioctl$KVM_SET_MSRS(r3, 0x4008ae89, &(0x7f0000000040)=ANY=[@ANYBLOB="01000000001e00fb034d564b0000000001"]) ioctl$KVM_X86_SET_MCE(r3, 0xc008ae88, &(0x7f0000000140)={0x2, 0x4d0}) 05:00:42 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x700000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="2c631d5e650968a1db66493745740020"], 0x0, 0x0, &(0x7f0000008f37)}) [ 1039.266242] binder: 28112:28114 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1039.277922] binder: 28112:28114 BC_FREE_BUFFER u0000000000000000 no match [ 1039.287917] binder: 28118:28119 ERROR: BC_REGISTER_LOOPER called without request [ 1039.291849] FAULT_INJECTION: forcing a failure. [ 1039.291849] name failslab, interval 1, probability 0, space 0, times 0 [ 1039.306844] CPU: 0 PID: 28116 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1039.313777] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1039.323132] Call Trace: [ 1039.325726] dump_stack+0x1b9/0x294 [ 1039.329344] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1039.334521] ? is_bpf_text_address+0xd7/0x170 [ 1039.339009] ? kernel_text_address+0x79/0xf0 [ 1039.343401] ? __unwind_start+0x166/0x330 [ 1039.347542] should_fail.cold.4+0xa/0x1a [ 1039.351590] ? __save_stack_trace+0x7e/0xd0 [ 1039.355903] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1039.361002] ? graph_lock+0x170/0x170 [ 1039.364792] ? save_stack+0x43/0xd0 [ 1039.368405] ? kasan_kmalloc+0xc4/0xe0 [ 1039.372278] ? kasan_slab_alloc+0x12/0x20 [ 1039.376415] ? find_held_lock+0x36/0x1c0 [ 1039.380470] ? __lock_is_held+0xb5/0x140 [ 1039.384530] ? check_same_owner+0x320/0x320 [ 1039.388843] ? rcu_note_context_switch+0x710/0x710 [ 1039.393765] __should_failslab+0x124/0x180 [ 1039.397992] should_failslab+0x9/0x14 [ 1039.401781] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1039.406877] __kmalloc_node_track_caller+0x33/0x70 [ 1039.411798] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1039.416548] __alloc_skb+0x14d/0x780 [ 1039.420251] ? skb_scrub_packet+0x580/0x580 [ 1039.424563] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1039.430089] ? ip_generic_getfrag+0x11c/0x2d0 [ 1039.434573] ? ip_reply_glue_bits+0xc0/0xc0 [ 1039.438889] ? raw_getfrag+0x15b/0x220 [ 1039.442766] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1039.447774] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1039.452784] ? raw_destroy+0x30/0x30 [ 1039.456495] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1039.462282] ? ipv4_mtu+0x375/0x580 [ 1039.465898] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1039.471344] ? lock_acquire+0x1dc/0x520 [ 1039.475320] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1039.480849] ? ip_setup_cork+0x4dc/0x7c0 [ 1039.484898] ip_append_data.part.48+0xf3/0x180 [ 1039.489469] ? raw_destroy+0x30/0x30 [ 1039.493183] ip_append_data+0x6d/0x90 [ 1039.496972] ? raw_destroy+0x30/0x30 [ 1039.500681] raw_sendmsg+0x1dae/0x29b0 [ 1039.504574] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1039.509676] ? rcu_report_qs_rnp+0x790/0x790 [ 1039.514106] ? graph_lock+0x170/0x170 [ 1039.517899] ? expand_files.part.8+0x9a0/0x9a0 [ 1039.522466] ? check_same_owner+0x320/0x320 [ 1039.526790] ? lock_downgrade+0x8e0/0x8e0 [ 1039.530926] ? lock_release+0xa10/0xa10 [ 1039.534885] ? check_same_owner+0x320/0x320 [ 1039.539199] ? __check_object_size+0x95/0x5d9 [ 1039.543688] inet_sendmsg+0x19f/0x690 [ 1039.547475] ? __might_sleep+0x95/0x190 [ 1039.551436] ? ipip_gro_receive+0x100/0x100 [ 1039.555748] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1039.561273] ? security_socket_sendmsg+0x94/0xc0 [ 1039.566276] ? ipip_gro_receive+0x100/0x100 [ 1039.570599] sock_sendmsg+0xd5/0x120 [ 1039.574301] __sys_sendto+0x3d7/0x670 [ 1039.578089] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1039.582748] ? wait_for_completion+0x870/0x870 [ 1039.587320] ? __lock_is_held+0xb5/0x140 [ 1039.591380] ? __sb_end_write+0xac/0xe0 [ 1039.595349] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1039.600870] ? fput+0x130/0x1a0 [ 1039.604139] ? ksys_write+0x1a6/0x250 [ 1039.607930] ? __ia32_sys_read+0xb0/0xb0 [ 1039.611978] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1039.617514] __x64_sys_sendto+0xe1/0x1a0 [ 1039.621569] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1039.626574] do_syscall_64+0x1b1/0x800 [ 1039.630451] ? finish_task_switch+0x1ca/0x840 [ 1039.634936] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1039.639852] ? syscall_return_slowpath+0x30f/0x5c0 [ 1039.644775] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1039.650127] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1039.654964] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1039.660141] RIP: 0033:0x4559f9 [ 1039.663863] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1039.683104] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1039.690799] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1039.698056] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1039.705312] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:00:43 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x6000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1039.712566] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1039.719819] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000008 [ 1039.733984] binder: 28118:28119 unknown command 1578984236 [ 1039.739927] binder: 28112:28114 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1039.750779] binder: 28112:28114 BC_FREE_BUFFER u0000000000000000 no match 05:00:43 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080), 0x0) 05:00:43 executing program 7: r0 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x4e06, 0x90000) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000080)={0x0}, &(0x7f00000000c0)=0xc) syz_open_procfs(r1, &(0x7f0000000100)='net/sockstat6\x00') ioctl$VT_SETMODE(r0, 0x5602, &(0x7f0000000040)={0xffff, 0x6, 0x7d6b, 0x42, 0x1}) r2 = socket$inet6(0xa, 0x2, 0x0) bind$inet6(r2, &(0x7f0000f13000)={0xa, 0x2}, 0x1c) connect$inet6(r2, &(0x7f000090b000)={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xffffffffffffffff}, 0x3}, 0x1c) syz_emit_ethernet(0x3e, &(0x7f0000694ffe)={@broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], @link_local={0x1, 0x80, 0xc2}, [], {@ipv6={0x86dd, {0x0, 0x6, "06f526", 0x8, 0x11, 0x0, @remote={0xfe, 0x80, [], 0xffffffffffffffff}, @mcast2={0xff, 0x2, [], 0x1}, {[], @udp={0x0, 0x2, 0x8}}}}}}, &(0x7f0000775000)) 05:00:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4c00, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1039.783412] binder: 28118:28119 ioctl c0306201 2000dfd0 returned -22 05:00:43 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x803e000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1039.899456] binder: 28144:28145 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1039.934368] binder: 28144:28145 BC_FREE_BUFFER u0000000000000000 no match [ 1039.954616] binder: 28144:28145 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1039.965318] binder: 28144:28145 BC_FREE_BUFFER u0000000000000000 no match [ 1040.130887] ALSA: seq fatal error: cannot create timer (-22) 05:00:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000000440)={0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0xfffffffffffffebf, 0x0, &(0x7f00000003c0)=[@decrefs={0x40046307, 0x2}, @dead_binder_done={0x40086310, 0x3}, @register_looper={0x630b}, @free_buffer={0x40086303, r2}], 0xffffffffffffff51, 0x0, &(0x7f0000000180)}) 05:00:43 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080), 0x0) 05:00:43 executing program 7: mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x4, 0x32, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000000)={0xaa}) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000004fe0)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket(0xa, 0x1, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") getsockopt$inet6_int(r1, 0x6, 0x1a, &(0x7f0000000040), &(0x7f0000013000)=0x221) r3 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={0xffffffffffffff9c, 0x3, 0x1, 0x5, &(0x7f00000000c0)=[0x0, 0x0, 0x0, 0x0], 0x4}, 0x20) ioctl$TUNSETQUEUE(r3, 0x400454d9, &(0x7f0000000140)={'teql0\x00', 0x400}) mmap(&(0x7f0000000000/0xfe3000)=nil, 0xfe3000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, &(0x7f0000000080)='sessionid\x00') close(r1) close(r2) 05:00:43 executing program 1 (fault-call:4 fault-nth:9): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:43 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x300, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:43 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x4000000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:43 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xfffffdfd}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:43 executing program 4: r0 = socket(0xb, 0xffffffffffffffff, 0x3) write(r0, &(0x7f0000a6b000)="1f0000000104ff00fd4354c007110000f305010008000100010423dcffdf00", 0x1f) write(r0, &(0x7f0000000000)="1f0000000104fffffd3b000007110000f30501000b000100020423ca0000cf", 0x1f) [ 1040.300298] ALSA: seq fatal error: cannot create timer (-22) 05:00:44 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x40000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:44 executing program 4: r0 = syz_open_dev$tun(&(0x7f0000000100)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000000)={"74000200000f002dc830ee000000005d", 0x105}) sync_file_range(r0, 0x5, 0x0, 0xfffffffffffffffa) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/uinput\x00', 0x100, 0x0) ioctl$LOOP_GET_STATUS(r1, 0x4c03, &(0x7f00000003c0)) r2 = socket$nl_route(0x10, 0x3, 0x0) recvmmsg(r2, &(0x7f0000003f80)=[{{&(0x7f0000000080)=@can, 0x80, &(0x7f00000001c0)}}], 0x1, 0x0, &(0x7f0000004000)={0x77359400}) sendmsg$nl_route(r2, &(0x7f0000000140)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f0000000000)={&(0x7f0000000200)=@newlink={0x28, 0x10, 0xc362e63b3f31ba5f, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x3}, [@IFLA_GROUP={0x8, 0x1b}]}, 0x28}, 0x1}, 0x0) sendmsg$nl_route_sched(r2, &(0x7f0000005a00)={&(0x7f0000000180)={0x10}, 0xc, &(0x7f00000059c0)={&(0x7f0000005940)=@getqdisc={0x24, 0x26, 0x201}, 0x24}, 0x1}, 0x0) [ 1040.343345] binder: 28173:28179 ERROR: BC_REGISTER_LOOPER called without request [ 1040.355551] binder: 28176:28178 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:44 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080), 0x0) [ 1040.396080] binder: 28176:28178 BC_FREE_BUFFER u0000000000000000 no match [ 1040.431763] binder: 28176:28178 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:44 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x600}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1040.462126] binder: 28176:28178 BC_FREE_BUFFER u0000000000000000 no match 05:00:44 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x68, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1040.560140] binder: 28204:28205 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1040.568279] binder: 28204:28205 BC_FREE_BUFFER u0000000000000000 no match [ 1040.580290] FAULT_INJECTION: forcing a failure. [ 1040.580290] name failslab, interval 1, probability 0, space 0, times 0 [ 1040.591767] CPU: 0 PID: 28195 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1040.598707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1040.608075] Call Trace: [ 1040.610685] dump_stack+0x1b9/0x294 [ 1040.614334] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1040.619556] ? unwind_get_return_address+0x61/0xa0 [ 1040.624515] ? graph_lock+0x170/0x170 [ 1040.626296] binder: 28204:28205 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1040.628333] should_fail.cold.4+0xa/0x1a [ 1040.628358] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1040.628379] ? __lock_is_held+0xb5/0x140 [ 1040.648485] ? __kmalloc_node_track_caller+0x47/0x70 [ 1040.653583] ? graph_lock+0x170/0x170 [ 1040.657371] ? __x64_sys_sendto+0xe1/0x1a0 [ 1040.661613] ? find_held_lock+0x36/0x1c0 [ 1040.665668] ? __lock_is_held+0xb5/0x140 [ 1040.669725] ? check_same_owner+0x320/0x320 [ 1040.674038] ? rcu_note_context_switch+0x710/0x710 [ 1040.678955] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1040.684221] __should_failslab+0x124/0x180 [ 1040.688446] should_failslab+0x9/0x14 [ 1040.692263] kmem_cache_alloc_node+0x272/0x780 [ 1040.696833] ? __kmalloc_node_track_caller+0x47/0x70 [ 1040.701985] __alloc_skb+0x111/0x780 [ 1040.705690] ? skb_scrub_packet+0x580/0x580 [ 1040.710002] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1040.715530] ? ip_generic_getfrag+0x11c/0x2d0 [ 1040.720030] ? ip_reply_glue_bits+0xc0/0xc0 [ 1040.724345] ? raw_getfrag+0x15b/0x220 [ 1040.728219] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1040.733227] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1040.738234] ? raw_destroy+0x30/0x30 [ 1040.741941] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1040.747726] ? __schedule+0x809/0x1e30 [ 1040.751603] ? ipv4_mtu+0x375/0x580 [ 1040.755222] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1040.760678] ? lock_acquire+0x1dc/0x520 [ 1040.764643] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1040.770167] ? ip_setup_cork+0x4dc/0x7c0 [ 1040.774218] ip_append_data.part.48+0xf3/0x180 [ 1040.778789] ? raw_destroy+0x30/0x30 [ 1040.782492] ip_append_data+0x6d/0x90 [ 1040.786279] ? raw_destroy+0x30/0x30 [ 1040.789985] raw_sendmsg+0x1dae/0x29b0 [ 1040.793868] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1040.798959] ? rcu_report_qs_rnp+0x790/0x790 [ 1040.803369] ? graph_lock+0x170/0x170 [ 1040.807162] ? do_raw_spin_unlock+0x71/0x2e0 [ 1040.811566] ? expand_files.part.8+0x9a0/0x9a0 [ 1040.816134] ? compat_start_thread+0x80/0x80 [ 1040.820531] ? __down+0x370/0x500 [ 1040.823986] ? lock_downgrade+0x8e0/0x8e0 [ 1040.828145] ? lock_release+0xa10/0xa10 [ 1040.832108] ? check_same_owner+0x320/0x320 [ 1040.836418] ? __check_object_size+0x95/0x5d9 [ 1040.840906] inet_sendmsg+0x19f/0x690 [ 1040.844700] ? __might_sleep+0x95/0x190 [ 1040.848665] ? ipip_gro_receive+0x100/0x100 [ 1040.852985] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1040.858599] ? security_socket_sendmsg+0x94/0xc0 [ 1040.863338] ? ipip_gro_receive+0x100/0x100 [ 1040.867648] sock_sendmsg+0xd5/0x120 [ 1040.871350] __sys_sendto+0x3d7/0x670 [ 1040.875138] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1040.879793] ? wait_for_completion+0x870/0x870 [ 1040.884367] ? schedule+0xef/0x430 [ 1040.887903] ? __sb_end_write+0xac/0xe0 [ 1040.891880] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1040.897405] ? exit_to_usermode_loop+0x87/0x310 [ 1040.902061] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1040.907586] ? exit_to_usermode_loop+0x1ef/0x310 [ 1040.912330] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1040.917162] __x64_sys_sendto+0xe1/0x1a0 [ 1040.921209] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1040.926230] do_syscall_64+0x1b1/0x800 [ 1040.930102] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1040.934934] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1040.939851] ? syscall_return_slowpath+0x30f/0x5c0 [ 1040.944771] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1040.950216] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1040.955048] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1040.960223] RIP: 0033:0x4559f9 [ 1040.963394] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1040.982655] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1040.990351] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1040.997622] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1041.004877] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1041.012143] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1041.019412] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000009 [ 1041.028913] binder: 28204:28205 BC_FREE_BUFFER u0000000000000000 no match [ 1041.241781] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready [ 1041.249370] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready [ 1041.249712] ALSA: seq fatal error: cannot create timer (-22) [ 1041.297398] IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready [ 1041.427674] ALSA: seq fatal error: cannot create timer (-22) 05:00:45 executing program 1 (fault-call:4 fault-nth:10): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:45 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1800}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4c00000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:45 executing program 7: syz_mount_image$vfat(&(0x7f0000000700)='vfat\x00', &(0x7f0000000740)='./file1\x00', 0x0, 0x0, &(0x7f00000006c0), 0x40000000000002, &(0x7f0000000200)=ANY=[@ANYBLOB="646f733178666c6f7070792c7569643d2c64656275672c6572726f7273ff72656d6f756e742d726f2c64656275672c73686f77657865632c646973636172642c636f6465706167653d383633"]) syz_mount_image$vfat(&(0x7f0000000000)='vfat\x00', &(0x7f00000004c0)='./file0\x00', 0xe000, 0x1, &(0x7f0000000040)=[{&(0x7f0000000080)="eb3c906d6b66732e666174000204010002000270f7f8", 0x16}], 0x0, &(0x7f0000000240)=ANY=[]) mknod$loop(&(0x7f0000000180)='./file0/file0\x00', 0x0, 0xffffffffffffffff) syz_mount_image$bfs(&(0x7f00000001c0)='bfs\x00', &(0x7f0000000280)='./file0/.ile0\x00', 0xa3, 0x5, &(0x7f0000000600)=[{&(0x7f00000002c0)="542892af4f986699355de8dea97219ceb3e67894df169ba9f58e06e25934a6a581672b9156f0a21b8c35823be3b23a86fa97268293f601353a29e325959a9f3a3324738f9fe183c53d21e68528a0b2156e95579a996d7b67f7e8708cf169ccead25a6bef", 0x64, 0xfffffffffffffff9}, {&(0x7f0000000340)}, {&(0x7f0000000380)="86d75f3b1885c63078ad98da90e034babf9d62e68108c736a871a2510292e6e502b51b335a64172404a4dd9386cf16dba7e4823df734e4ba4b5f3ffefbe3a2b4a45d83e61a3361d448bc17257d14b53775a75e07017e24f892925bcb789134c6558826790c8c3233424cf7d1537b8c6194a836800d6e4a8db4da38ff64a1f9384c05252867b7a076c64eba0ed74e9b1b82ea16bb8683ff0d3106eb054c7e6f20a1964fc7c66d", 0xa6, 0x8}, {&(0x7f0000000440)="3ee0949ab681dc2b762854cba9b454b0282aad4bd28a58d8", 0x18, 0x5}, {&(0x7f0000000500)="a33e08b914a5b9b50f05f87f1a4b9ecc064452330ecc37a6459d063afbe32bf44213ab124c67d6e6cd4d60858d03fa0133d6fde90f5c676910229b97df3a0597d0dff1b3d49f68a78795c7e020540f46edd0dfc7e274785683838b0e1f2a8850760a44200806731a051b25b3a09f39896c97568eb11d976d2455a7ab3027767dca2a15badb7eeff851e5881feb09063041a20392c3040b859e37c5f38bf8db8701b4db3d2c1fd8276968766bcb665daff083c813658b7ed069c5c9d7ab406346b546187ff849792def4755febdb93661d403c180f2a3f1246b22e33ccef7c4073fdfa403a0096b525d7e14000b362f1bfc0dc227", 0xf4, 0x4}], 0x2000000, 0x0) r0 = syz_open_dev$adsp(&(0x7f0000000340)='/dev/adsp#\x00', 0x0, 0x4000) ioctl$KVM_TPR_ACCESS_REPORTING(r0, 0xc028ae92, &(0x7f0000000480)={0x66, 0x80}) creat(&(0x7f0000000140)='./file0/.ile0\x00', 0x0) 05:00:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="fd270004"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:45 executing program 4: socketpair(0x11, 0x3, 0x7, &(0x7f00000000c0)={0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1a, &(0x7f0000000140)={0x0, 0xe, "b8cbdafb1123b82ce5ceca6d7692"}, &(0x7f0000000180)=0x16) getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f00000001c0)={r1, 0x2}, &(0x7f0000000200)=0x8) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r3 = syz_open_dev$usbmon(&(0x7f0000000080)='/dev/usbmon#\x00', 0x5, 0x40) ioctl$PIO_FONT(r3, 0x4b61, &(0x7f0000000400)="5a461735aff739c6870d8e6b1e58aae112da0032040655480880d48a6a40ec2a73d6f9caa368091326008e4cfe41a2e05b30b4d801b57e16a8dbad015eb8f9bb5fc1928713d87a60d6929963f06e1e9b66ba2d24a3b093bda1a1bb3bcc8121a272e32b6ee3cfc0ebcb75102b74ff7a508e00fc1bc29cf68544902960c07c40bc8b13e2f7aaf2abf775ba435106d690860394685362eed48ac5b111406d9de6dc28d2656fda15eefd168b36bc2ebfb002771d3d257e03e5206db20e1814c615606bfbc99d302b29d911de65ebb5fd21051efac9c2bf44b1500f415b38ee4ec9fb34cc7b6b52d5a6f3eff19d0ee541a9361ed234e25ecbc03140e4c4da0a7b8e731da0b78d4c5a4e8e48fa006d5a68284746d8cd6effdd") r4 = socket$inet(0x10, 0x3, 0x0) sendmsg(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000009ff0)=[{&(0x7f0000000000)="240000001d0007031dfffd946fa2830020200a0009000300001d85680c1ba3a20400ff7e280000001100ffffba16a0aa1c0009b3ebea8653b1cc7e63975c0ac47b6268e3966cf055d90f15a3", 0x4c}], 0x1}, 0x0) 05:00:45 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xa00}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:45 executing program 6 (fault-call:8 fault-nth:0): r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1041.516852] binder: 28223:28224 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1041.540438] FAULT_INJECTION: forcing a failure. [ 1041.540438] name failslab, interval 1, probability 0, space 0, times 0 [ 1041.551769] CPU: 1 PID: 28235 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1041.558706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1041.565795] binder: 28223:28224 BC_FREE_BUFFER u0000000000000000 no match [ 1041.568058] Call Trace: [ 1041.568086] dump_stack+0x1b9/0x294 [ 1041.568110] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1041.568130] ? is_bpf_text_address+0xd7/0x170 [ 1041.590929] ? kernel_text_address+0x79/0xf0 [ 1041.595354] ? __unwind_start+0x166/0x330 [ 1041.599504] should_fail.cold.4+0xa/0x1a [ 1041.603554] ? __save_stack_trace+0x7e/0xd0 [ 1041.607868] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1041.612963] ? graph_lock+0x170/0x170 [ 1041.616765] ? save_stack+0x43/0xd0 [ 1041.620378] ? kasan_kmalloc+0xc4/0xe0 [ 1041.624251] ? kasan_slab_alloc+0x12/0x20 [ 1041.628389] ? find_held_lock+0x36/0x1c0 [ 1041.632442] ? __lock_is_held+0xb5/0x140 [ 1041.636591] ? check_same_owner+0x320/0x320 [ 1041.640902] ? rcu_note_context_switch+0x710/0x710 [ 1041.645821] __should_failslab+0x124/0x180 [ 1041.650048] should_failslab+0x9/0x14 [ 1041.653838] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1041.658937] __kmalloc_node_track_caller+0x33/0x70 [ 1041.663870] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1041.668618] __alloc_skb+0x14d/0x780 [ 1041.672320] ? skb_scrub_packet+0x580/0x580 [ 1041.676632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1041.682157] ? ip_generic_getfrag+0x11c/0x2d0 [ 1041.686655] ? ip_reply_glue_bits+0xc0/0xc0 [ 1041.690976] ? raw_getfrag+0x15b/0x220 [ 1041.694848] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1041.699858] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1041.704867] ? raw_destroy+0x30/0x30 [ 1041.708579] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1041.714370] ? ipv4_mtu+0x375/0x580 [ 1041.717987] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1041.723431] ? lock_acquire+0x1dc/0x520 [ 1041.727395] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1041.732919] ? ip_setup_cork+0x4dc/0x7c0 [ 1041.736974] ip_append_data.part.48+0xf3/0x180 [ 1041.741545] ? raw_destroy+0x30/0x30 [ 1041.745250] ip_append_data+0x6d/0x90 [ 1041.749037] ? raw_destroy+0x30/0x30 [ 1041.752739] raw_sendmsg+0x1dae/0x29b0 [ 1041.756622] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1041.761711] ? rcu_report_qs_rnp+0x790/0x790 [ 1041.766130] ? graph_lock+0x170/0x170 [ 1041.769939] ? expand_files.part.8+0x9a0/0x9a0 [ 1041.774516] ? check_same_owner+0x320/0x320 [ 1041.778836] ? lock_downgrade+0x8e0/0x8e0 [ 1041.782977] ? lock_release+0xa10/0xa10 [ 1041.786936] ? check_same_owner+0x320/0x320 [ 1041.791250] ? __check_object_size+0x95/0x5d9 [ 1041.795739] inet_sendmsg+0x19f/0x690 [ 1041.799526] ? __might_sleep+0x95/0x190 [ 1041.803486] ? ipip_gro_receive+0x100/0x100 [ 1041.807795] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1041.813322] ? security_socket_sendmsg+0x94/0xc0 [ 1041.818063] ? ipip_gro_receive+0x100/0x100 [ 1041.822393] sock_sendmsg+0xd5/0x120 [ 1041.826096] __sys_sendto+0x3d7/0x670 [ 1041.829893] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1041.834553] ? wait_for_completion+0x870/0x870 [ 1041.839122] ? __lock_is_held+0xb5/0x140 [ 1041.843179] ? __sb_end_write+0xac/0xe0 [ 1041.847143] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1041.852684] ? fput+0x130/0x1a0 [ 1041.855970] ? ksys_write+0x1a6/0x250 [ 1041.859760] ? __ia32_sys_read+0xb0/0xb0 [ 1041.863808] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1041.869335] __x64_sys_sendto+0xe1/0x1a0 [ 1041.873384] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1041.878387] do_syscall_64+0x1b1/0x800 [ 1041.882258] ? finish_task_switch+0x1ca/0x840 [ 1041.886743] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1041.891661] ? syscall_return_slowpath+0x30f/0x5c0 [ 1041.896583] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1041.901939] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1041.906772] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1041.911950] RIP: 0033:0x4559f9 [ 1041.915122] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1041.934385] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1041.942082] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1041.949337] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1041.956593] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1041.963850] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1041.971106] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000a [ 1041.990601] binder: 28226:28232 unknown command 67119101 [ 1042.000419] binder: 28223:28224 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:45 executing program 4: capset(&(0x7f0000000000)={0x19980330}, &(0x7f0000000080)) acct(&(0x7f0000000040)='./file0\x00') r0 = gettid() ioprio_get$pid(0x0, r0) 05:00:45 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1042.033403] binder: 28226:28232 ioctl c0306201 20000140 returned -22 [ 1042.034525] binder: 28223:28224 BC_FREE_BUFFER u0000000000000000 no match [ 1042.059307] binder: 28226:28232 unknown command 0 05:00:45 executing program 7: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = dup2(r0, r0) ioctl$KVM_SET_LAPIC(r1, 0x4400ae8f, &(0x7f00000000c0)={"2803043a71135ada48c0acf4a55328038c79d977a29fe1956d120d232d91a3565669b0faa0f4b848f4c5be597422d13547af3d6162564f336a6a4e4f64b69e0ad183384c83a16e6b203f8d29346a7ed80346c2232fd5f45bc3cc8d8fd00b3a427753dfee0c70000e61f9ad91f79fa245b129ba339ca7fd14097bb7d306764e86521876b8674b502c6da10834608a20d2b870d8caf69291cb6a0a47334d8227ec50894e88862bfe1c9635470c25109f8b2992bca9f1de1e5b86dde7cc463e1efd5754ffa8d58847b1c5255a9f32215f2810e9089a67546b97d44c0b049b80feb54bf15a2c41612318f89f97ba3525b2e0cf0304b0e72c0c305b79ab366210c1f6db10ee2e930c4265a13dea3c6112efee375b11d0711859f8e083bb8f1f99953cae9ec5414e896c2ef5f3a0111e2ec579543f780d610905dbe38ba5f95e0cf2b126fb83dcca09dde4fb4a8aa25eaaa46eea9866adc5d924f1f62e5fb7b284e0881d244ec89649da0f80776d2dc95a77d1980604fc867a9456b50c2ad508756acc5a6b05392394f9e29c2867c0d936b8f08ae4db7bc4ede987f1612d0010e88bd4aef59cf8a21efcfa42d5d6ad90fc73abb564efda075794c3e56ee1876f6bc6e6a3a88a06231ecd66b1859ba102a71322bed847a29afaf46a9501f452633a613ecc14891206b9b1e9acd4574134b67d0b7872e3ddf3ddeaea157610cd21c1eaa2a340a8dda91a4a3277b1f99a9a5190c85968648d5f894be5c0323e05b084d55a87b221cfec412538cb43a6951cbca6a603402aa5893a0be370e47e106e4ed59ed1b9541ac0b915328ab5a5c11815de498cafd6db102ab39ab4ec0ed08c0890cc71eed3d7c11fb36db1a222040bda876d02f79bf16877df47228d9b9abf6cb0ce3a4900a4f13ec2891c74659ef7daaab27b98cc678f72c8634dea78cb7778418974c2315e1c32580ac77e8a616a8ec08f1a7018cbcd9779c0c6cf65a6b9cb3feafe9453fc4a0766f5bd93ffd82711b177105edc26ae2132d6e16958a118512e653a3591afedea26620c9d3655dd830c19afa5de80a497851cf3f308a5c45ca3cd95c7fb6a09f2f981205c8336dec04d14355fe999bbc776d10f5e7d40d9b94fe71d58113a16a73b100a1bd1712710ace5438f4c892357d8f984d74842151b72f1985d6c6b07ad530382079fb436212ea5a1d6693b46cce970ac35eb07d1da0bb95a7bdd6ae8538f54d89f286fe27cf7c82883be44f01a1793f06d32429da017360bc738e97ad4a5d53ac29eb9c884e6040db35662adf719a615c26ec3abe98cd1aeff7597716c56c3add78dd7751be62b22da6ff63841234f3826363ce64b17deb36939ae15a7a6f93733fd2e00309cd7f00291d976de5e1b02e868084d91de0be31597ffbba704cfff482932d8d041b84915b0559cd77118c4399e463d6958bb"}) ioctl$EVIOCGKEYCODE(r1, 0x80084504, &(0x7f0000000040)=""/87) setsockopt$ax25_int(r1, 0x101, 0xb, &(0x7f00000004c0)=0x200, 0x4) 05:00:45 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6c000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:45 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r2 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0x0, 0x400) ioctl$TIOCCONS(r2, 0x541d) r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$FIDEDUPERANGE(r1, 0xc0189436, &(0x7f0000000140)={0x5, 0x5, 0x3, 0x0, 0x0, [{r3, 0x0, 0x6}, {r1}, {r3, 0x0, 0x5}]}) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_CLOCK(r3, 0x4030ae7b, &(0x7f0000000080)) [ 1042.106967] binder: 28226:28232 ioctl c0306201 2000dfd0 returned -22 05:00:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000280)='/dev/binder#\x00', 0x0, 0x800) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008916, &(0x7f00000002c0)="295ee1311f16776710705c814e2094860d6937662ddf4d55d8c8126af61b455b9ceadbe79d3f020f57886b5f150b49695cce94cfc470b8665e819b2a8a96068db9237880df65fef7786f8440073751dad5a3541a126af9b30c8fddbb9ab64f257290f547c51147741d548d472ef34bd30e129d0bd6a055e81fc9e778e147b380d5b93af92d38dceaf04fc3128fab6b623c05d1a46403a4e2ce3cbe01e15b8291615e98165d5f217c87c614db8f6dcf374e2ec982d3c3d5dca467f936558a015709882c97de93d5") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="5b1111661a05e84f11874702b3fa18497364218ba21596d40e44bbf0424b070407d68c69f369ca066082540a78dee988bda809447d9c0de11dfbfdfc2b7558daaec7b889778fb616f028a4c6dbb224ad880f7996cadc6d48d1cafe8f68303f3f13ad226db7cda99045b3e620ae8274ce73944e4ceba865bf7bdb215aa05419129847c7337c682261eb535ad586274b840435826ce273cf7ebdf7d2007525815eaab1"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x3, 0x82000) ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(r2, 0xc08c5336, &(0x7f0000000040)={0x9, 0x2, 0x9f0, 'queue0\x00', 0x65}) ioctl$VHOST_SET_VRING_CALL(r2, 0x4008af21, &(0x7f0000000240)={0x0, r2}) 05:00:45 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0x53}], 0x1) 05:00:45 executing program 1 (fault-call:4 fault-nth:11): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1042.195340] binder: 28258:28259 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1042.236887] binder: 28263:28269 unknown command 1712394587 [ 1042.256462] binder: 28258:28259 BC_FREE_BUFFER u0000000000000000 no match [ 1042.279013] binder: 28263:28269 ioctl c0306201 20000140 returned -22 [ 1042.281025] FAULT_INJECTION: forcing a failure. [ 1042.281025] name failslab, interval 1, probability 0, space 0, times 0 [ 1042.296905] CPU: 1 PID: 28273 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1042.301929] binder: 28263:28269 unknown command 0 [ 1042.303839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1042.303846] Call Trace: [ 1042.303873] dump_stack+0x1b9/0x294 [ 1042.303894] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1042.303922] ? unwind_get_return_address+0x61/0xa0 [ 1042.334354] should_fail.cold.4+0xa/0x1a [ 1042.338413] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1042.343517] ? __lock_is_held+0xb5/0x140 [ 1042.347571] ? __kmalloc_node_track_caller+0x47/0x70 [ 1042.352697] ? graph_lock+0x170/0x170 [ 1042.356497] ? __x64_sys_sendto+0xe1/0x1a0 [ 1042.360724] ? find_held_lock+0x36/0x1c0 [ 1042.364784] ? __lock_is_held+0xb5/0x140 [ 1042.368850] ? check_same_owner+0x320/0x320 [ 1042.373185] ? rcu_note_context_switch+0x710/0x710 [ 1042.378109] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1042.383381] __should_failslab+0x124/0x180 [ 1042.387608] should_failslab+0x9/0x14 [ 1042.391396] kmem_cache_alloc_node+0x272/0x780 [ 1042.395969] ? __kmalloc_node_track_caller+0x47/0x70 [ 1042.401090] __alloc_skb+0x111/0x780 [ 1042.404796] ? skb_scrub_packet+0x580/0x580 [ 1042.409110] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1042.414638] ? ip_generic_getfrag+0x11c/0x2d0 [ 1042.419142] ? ip_reply_glue_bits+0xc0/0xc0 [ 1042.423475] ? raw_getfrag+0x15b/0x220 [ 1042.427350] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1042.432361] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1042.437392] ? raw_destroy+0x30/0x30 [ 1042.441113] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1042.446910] ? ipv4_mtu+0x375/0x580 [ 1042.450529] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1042.455979] ? lock_acquire+0x1dc/0x520 [ 1042.459947] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1042.465474] ? ip_setup_cork+0x4dc/0x7c0 [ 1042.469531] ip_append_data.part.48+0xf3/0x180 [ 1042.474104] ? raw_destroy+0x30/0x30 [ 1042.477813] ip_append_data+0x6d/0x90 [ 1042.481607] ? raw_destroy+0x30/0x30 [ 1042.485320] raw_sendmsg+0x1dae/0x29b0 [ 1042.489221] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1042.495003] ? zap_class+0x720/0x720 [ 1042.498720] ? graph_lock+0x170/0x170 [ 1042.502522] ? expand_files.part.8+0x9a0/0x9a0 [ 1042.507127] ? lock_downgrade+0x8e0/0x8e0 [ 1042.511270] ? lock_release+0xa10/0xa10 [ 1042.515232] ? check_same_owner+0x320/0x320 [ 1042.519548] ? __check_object_size+0x95/0x5d9 [ 1042.524044] inet_sendmsg+0x19f/0x690 [ 1042.527835] ? __might_sleep+0x95/0x190 [ 1042.531798] ? ipip_gro_receive+0x100/0x100 [ 1042.536115] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1042.541643] ? security_socket_sendmsg+0x94/0xc0 [ 1042.546392] ? ipip_gro_receive+0x100/0x100 [ 1042.550705] sock_sendmsg+0xd5/0x120 [ 1042.554426] __sys_sendto+0x3d7/0x670 [ 1042.558224] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1042.562890] ? wait_for_completion+0x870/0x870 [ 1042.567492] ? __sb_end_write+0xac/0xe0 [ 1042.571482] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1042.577007] ? fput+0x130/0x1a0 [ 1042.580278] ? ksys_write+0x1a6/0x250 [ 1042.584074] ? __ia32_sys_read+0xb0/0xb0 [ 1042.588127] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1042.593661] __x64_sys_sendto+0xe1/0x1a0 [ 1042.597728] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1042.602748] do_syscall_64+0x1b1/0x800 [ 1042.606624] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1042.611462] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1042.616382] ? syscall_return_slowpath+0x30f/0x5c0 [ 1042.621308] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1042.626669] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1042.631511] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1042.636701] RIP: 0033:0x4559f9 [ 1042.639874] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1042.659205] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1042.666906] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1042.674182] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1042.681441] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:00:46 executing program 4: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f00000000c0)={&(0x7f00000001c0)={0x10, 0xf503}, 0xc, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB="14000000270001000000000000e3ff00000000000000"], 0x14}, 0x1}, 0x0) 05:00:46 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1042.688698] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1042.695957] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000b [ 1042.710339] binder: 28263:28269 ioctl c0306201 2000dfd0 returned -22 [ 1042.720911] binder: 28258:28259 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:46 executing program 7: r0 = socket$key(0xf, 0x3, 0x2) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000008c0)='/dev/snapshot\x00', 0x0, 0x0) close(r1) socketpair$ax25(0x3, 0x5, 0xcf, &(0x7f0000000280)) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000140)={{{@in=@multicast2, @in6=@mcast1}}, {{@in6=@remote}, 0x0, @in6}}, &(0x7f0000000240)=0xe8) r2 = socket$key(0xf, 0x3, 0x2) ppoll(&(0x7f0000000000)=[{r2, 0x200}, {r2, 0x100}, {r0, 0x4400}, {r0, 0x4}, {r0}, {r0, 0x400}, {r0, 0x14}, {r2}], 0x8, &(0x7f0000000040), &(0x7f0000000080)={0x80}, 0x8) ioctl$TCSETAF(r1, 0x5408, &(0x7f00000000c0)={0x5361, 0x8, 0x7000000000, 0x6, 0x2000000000, 0x3cda, 0x3, 0xb3, 0x4, 0x2fe}) 05:00:46 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0x200003f2}], 0x1) [ 1042.736635] binder: 28263:28276 unknown command 0 [ 1042.737194] binder: 28263:28269 unknown command 1712394587 [ 1042.765724] binder: 28263:28276 ioctl c0306201 2000dfd0 returned -22 [ 1042.774958] binder: 28258:28259 BC_FREE_BUFFER u0000000000000000 no match 05:00:46 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4c00}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1042.793661] binder: 28263:28269 ioctl c0306201 20000140 returned -22 05:00:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6800, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1042.932626] binder: 28301:28304 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1042.955382] binder: 28301:28304 BC_FREE_BUFFER u0000000000000000 no match [ 1042.983121] binder: 28301:28304 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1042.997709] binder: 28301:28304 BC_FREE_BUFFER u0000000000000000 no match [ 1043.699502] ALSA: seq fatal error: cannot create timer (-22) 05:00:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0x0, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) fcntl$F_SET_RW_HINT(r0, 0x40c, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:47 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0x7ffff000}], 0x1) 05:00:47 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndseq(&(0x7f00000001c0)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, 'port1\x00'}) ioctl$SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT(r0, 0x40505330, &(0x7f0000ec6fb0)={{0x0, 0x1}, {0x80}, 0x0, 0xbf}) r1 = dup(r0) ioctl$VHOST_SET_LOG_BASE(r1, 0x4008af04, &(0x7f0000000040)) 05:00:47 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x23}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:47 executing program 1 (fault-call:4 fault-nth:12): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:47 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = syz_open_dev$audion(&(0x7f0000000040)='/dev/audio#\x00', 0x251, 0x50000) ioctl$SG_GET_SCSI_ID(r1, 0x2276, &(0x7f0000000140)) sendto$ipx(r1, &(0x7f0000000080)="05ed8480eb0a28937372efd90a03531cb65099e6142fea5f0f91af4c18d116511543", 0x22, 0x20000080, &(0x7f00000000c0)={0x4, 0x238b, 0xffffffff, "78d681ddd99b", 0x3}, 0x10) r2 = socket(0x10, 0x3, 0x0) ioctl$sock_ifreq(r2, 0x89f8, &(0x7f0000000000)={"73697430000080000000000000000002", @ifru_ivalue=0x700000}) 05:00:47 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x60}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1043.867918] ALSA: seq fatal error: cannot create timer (-22) [ 1043.921733] binder: 28317:28319 ERROR: BC_REGISTER_LOOPER called without request [ 1043.924666] FAULT_INJECTION: forcing a failure. [ 1043.924666] name failslab, interval 1, probability 0, space 0, times 0 [ 1043.940669] CPU: 0 PID: 28325 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1043.947608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1043.956974] Call Trace: [ 1043.959587] dump_stack+0x1b9/0x294 [ 1043.963237] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1043.965302] binder: 28317:28319 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1043.968444] ? is_bpf_text_address+0xd7/0x170 [ 1043.968473] should_fail.cold.4+0xa/0x1a [ 1043.968495] ? __save_stack_trace+0x7e/0xd0 [ 1043.976575] binder: 28317:28319 unknown command 0 [ 1043.981042] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1043.981068] ? graph_lock+0x170/0x170 [ 1043.981086] ? save_stack+0x43/0xd0 [ 1044.006744] ? kasan_kmalloc+0xc4/0xe0 [ 1044.010621] ? kasan_slab_alloc+0x12/0x20 [ 1044.014769] ? find_held_lock+0x36/0x1c0 [ 1044.018829] ? __lock_is_held+0xb5/0x140 [ 1044.022890] ? check_same_owner+0x320/0x320 [ 1044.027206] ? rcu_note_context_switch+0x710/0x710 [ 1044.032134] __should_failslab+0x124/0x180 [ 1044.036367] should_failslab+0x9/0x14 [ 1044.040160] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1044.045278] __kmalloc_node_track_caller+0x33/0x70 [ 1044.050213] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1044.054963] __alloc_skb+0x14d/0x780 [ 1044.058668] ? skb_scrub_packet+0x580/0x580 [ 1044.062983] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1044.068511] ? ip_generic_getfrag+0x11c/0x2d0 [ 1044.073003] ? ip_reply_glue_bits+0xc0/0xc0 [ 1044.077327] ? raw_getfrag+0x15b/0x220 [ 1044.081203] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1044.086218] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1044.091235] ? raw_destroy+0x30/0x30 [ 1044.094954] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1044.100750] ? ipv4_mtu+0x375/0x580 [ 1044.104371] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1044.109831] ? lock_acquire+0x1dc/0x520 [ 1044.113801] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1044.119331] ? ip_setup_cork+0x4dc/0x7c0 [ 1044.123385] ip_append_data.part.48+0xf3/0x180 [ 1044.127965] ? raw_destroy+0x30/0x30 [ 1044.131674] ip_append_data+0x6d/0x90 [ 1044.135484] ? raw_destroy+0x30/0x30 [ 1044.139189] raw_sendmsg+0x1dae/0x29b0 [ 1044.143089] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1044.148185] ? zap_class+0x720/0x720 [ 1044.151898] ? graph_lock+0x170/0x170 [ 1044.155700] ? expand_files.part.8+0x9a0/0x9a0 [ 1044.160298] ? lock_downgrade+0x8e0/0x8e0 [ 1044.164440] ? lock_release+0xa10/0xa10 [ 1044.168407] ? check_same_owner+0x320/0x320 [ 1044.172720] ? __check_object_size+0x95/0x5d9 [ 1044.177214] inet_sendmsg+0x19f/0x690 [ 1044.181004] ? __might_sleep+0x95/0x190 [ 1044.184972] ? ipip_gro_receive+0x100/0x100 [ 1044.189287] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1044.194819] ? security_socket_sendmsg+0x94/0xc0 [ 1044.199567] ? ipip_gro_receive+0x100/0x100 [ 1044.203884] sock_sendmsg+0xd5/0x120 [ 1044.207593] __sys_sendto+0x3d7/0x670 [ 1044.211397] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1044.216065] ? wait_for_completion+0x870/0x870 [ 1044.220659] ? __sb_end_write+0xac/0xe0 [ 1044.224627] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1044.230152] ? fput+0x130/0x1a0 [ 1044.233425] ? ksys_write+0x1a6/0x250 [ 1044.237217] ? __ia32_sys_read+0xb0/0xb0 [ 1044.241269] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1044.246802] __x64_sys_sendto+0xe1/0x1a0 [ 1044.250856] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1044.255865] do_syscall_64+0x1b1/0x800 [ 1044.259740] ? finish_task_switch+0x1ca/0x840 [ 1044.264228] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1044.269156] ? syscall_return_slowpath+0x30f/0x5c0 [ 1044.274079] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1044.279438] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1044.284281] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1044.289459] RIP: 0033:0x4559f9 [ 1044.292631] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1044.311991] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1044.319692] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1044.326948] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1044.334204] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1044.341461] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1044.348721] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000c [ 1044.359763] binder: 28321:28328 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:47 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x2300000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:48 executing program 7: [ 1044.375752] binder: 28321:28328 BC_FREE_BUFFER u0000000000000000 no match [ 1044.392805] binder: 28321:28328 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1044.415726] binder: 28321:28328 BC_FREE_BUFFER u0000000000000000 no match 05:00:48 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x9) 05:00:48 executing program 1 (fault-call:4 fault-nth:13): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:48 executing program 4: 05:00:48 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x700000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1044.429995] binder: 28317:28319 ioctl c0306201 2000dfd0 returned -22 05:00:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) accept(0xffffffffffffff9c, &(0x7f0000000080)=@pppol2tpv3={0x0, 0x0, {0x0, 0xffffffffffffffff, {0x0, 0x0, @rand_addr}}}, &(0x7f0000000000)=0x80) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') r3 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000300)='/dev/rtc0\x00', 0xa400, 0x0) ioctl$KVM_REINJECT_CONTROL(r3, 0xae71, &(0x7f0000000340)={0x5}) sendmsg$IPVS_CMD_SET_CONFIG(r1, &(0x7f00000002c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)={0x64, r2, 0x610, 0x70bd2c, 0x25dfdbfb, {0xc}, [@IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x87}]}, @IPVS_CMD_ATTR_DAEMON={0x44, 0x3, [@IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @local={0xfe, 0x80, [], 0xaa}}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x3b7d}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'eql\x00'}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x2}]}]}, 0x64}, 0x1, 0x0, 0x0, 0x8080}, 0x4000000) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="0b6300008161cd073c36673df02980d3102818b8f652e4131d7998192b4ab3268120c98ed855900d43ea3f94bd6cd421b658fdb03e51475823288f0f5ff6d16523b2a9dc45aa77db9d8c739d37de76d1e4870e5246ecd862a01fd7403951f8669f35c9c07f1581f57d26fe30dcc106df216229c658aad0bb947227a0bf5aa6c1aad2008f3e68e82cad92f2f2dfeb88fee0f96f1ce29e7b2edbd8f8a934346dfc61eae2d3af7766dae31bbb326444230d977e525950e58fbfc51ab566e7492ebea693b24aa4f1b2b40a"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) [ 1044.573022] FAULT_INJECTION: forcing a failure. [ 1044.573022] name failslab, interval 1, probability 0, space 0, times 0 [ 1044.584740] CPU: 1 PID: 28352 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1044.591683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1044.601048] Call Trace: [ 1044.603662] dump_stack+0x1b9/0x294 [ 1044.605126] binder: 28354:28355 ERROR: BC_REGISTER_LOOPER called without request [ 1044.607312] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1044.607333] ? unwind_get_return_address+0x61/0xa0 [ 1044.607351] ? graph_lock+0x170/0x170 [ 1044.607372] should_fail.cold.4+0xa/0x1a [ 1044.630838] binder: 28354:28355 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1044.632960] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1044.632985] ? __lock_is_held+0xb5/0x140 [ 1044.633001] ? __kmalloc_node_track_caller+0x47/0x70 [ 1044.633019] ? graph_lock+0x170/0x170 [ 1044.641134] binder: 28354:28355 unknown command 0 [ 1044.646168] ? __x64_sys_sendto+0xe1/0x1a0 [ 1044.646188] ? find_held_lock+0x36/0x1c0 05:00:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl(0xffffffffffffffff, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:48 executing program 4: 05:00:48 executing program 7: [ 1044.646214] ? __lock_is_held+0xb5/0x140 [ 1044.651055] binder: 28354:28355 ioctl c0306201 2000dfd0 returned -22 [ 1044.655383] ? check_same_owner+0x320/0x320 [ 1044.655401] ? rcu_note_context_switch+0x710/0x710 [ 1044.655418] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1044.655437] __should_failslab+0x124/0x180 [ 1044.655459] should_failslab+0x9/0x14 [ 1044.705565] kmem_cache_alloc_node+0x272/0x780 [ 1044.710162] ? __kmalloc_node_track_caller+0x47/0x70 [ 1044.715291] __alloc_skb+0x111/0x780 [ 1044.719019] ? skb_scrub_packet+0x580/0x580 [ 1044.723358] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1044.728909] ? ip_generic_getfrag+0x11c/0x2d0 [ 1044.733421] ? ip_reply_glue_bits+0xc0/0xc0 [ 1044.737762] ? raw_getfrag+0x15b/0x220 [ 1044.741656] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1044.746695] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1044.751755] ? raw_destroy+0x30/0x30 [ 1044.755498] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1044.761317] ? ipv4_mtu+0x375/0x580 [ 1044.764957] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1044.770434] ? lock_acquire+0x1dc/0x520 [ 1044.774420] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1044.779972] ? ip_setup_cork+0x4dc/0x7c0 [ 1044.784048] ip_append_data.part.48+0xf3/0x180 [ 1044.788646] ? raw_destroy+0x30/0x30 [ 1044.789767] binder: 28363:28365 ERROR: BC_REGISTER_LOOPER called without request [ 1044.792373] ip_append_data+0x6d/0x90 [ 1044.792392] ? raw_destroy+0x30/0x30 [ 1044.792411] raw_sendmsg+0x1dae/0x29b0 [ 1044.792440] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1044.792463] ? rcu_report_qs_rnp+0x790/0x790 [ 1044.820833] ? graph_lock+0x170/0x170 [ 1044.824633] ? expand_files.part.8+0x9a0/0x9a0 [ 1044.829207] ? check_same_owner+0x320/0x320 [ 1044.833530] ? lock_downgrade+0x8e0/0x8e0 [ 1044.837668] ? lock_release+0xa10/0xa10 [ 1044.841629] ? check_same_owner+0x320/0x320 [ 1044.845939] ? __check_object_size+0x95/0x5d9 [ 1044.850424] inet_sendmsg+0x19f/0x690 [ 1044.854212] ? __might_sleep+0x95/0x190 [ 1044.858176] ? ipip_gro_receive+0x100/0x100 [ 1044.862488] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1044.868106] ? security_socket_sendmsg+0x94/0xc0 [ 1044.872852] ? ipip_gro_receive+0x100/0x100 [ 1044.877165] sock_sendmsg+0xd5/0x120 [ 1044.880872] __sys_sendto+0x3d7/0x670 [ 1044.884660] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1044.889321] ? wait_for_completion+0x870/0x870 [ 1044.893891] ? __lock_is_held+0xb5/0x140 [ 1044.897946] ? __sb_end_write+0xac/0xe0 [ 1044.901912] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1044.907438] ? fput+0x130/0x1a0 [ 1044.910707] ? ksys_write+0x1a6/0x250 [ 1044.914501] ? __ia32_sys_read+0xb0/0xb0 [ 1044.918553] __x64_sys_sendto+0xe1/0x1a0 [ 1044.922603] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1044.927614] do_syscall_64+0x1b1/0x800 [ 1044.931489] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1044.936318] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1044.941237] ? syscall_return_slowpath+0x30f/0x5c0 [ 1044.946157] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1044.951514] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1044.956345] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1044.961520] RIP: 0033:0x4559f9 [ 1044.964692] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1044.983942] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1044.991637] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1044.998893] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1045.006147] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1045.013401] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1045.020656] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000d [ 1045.066257] binder: 28363:28365 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1045.074444] binder: 28363:28365 unknown command 0 [ 1045.102406] binder: 28363:28365 ioctl c0306201 2000dfd0 returned -22 [ 1045.110965] binder: 28363:28370 ERROR: BC_REGISTER_LOOPER called without request [ 1045.200948] ALSA: seq fatal error: cannot create timer (-22) 05:00:48 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x400000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:48 executing program 4: 05:00:48 executing program 7: 05:00:48 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x2) 05:00:48 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:48 executing program 1 (fault-call:4 fault-nth:14): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:48 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x48}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x40, 0x0) recvfrom$ax25(r2, &(0x7f00000001c0)=""/80, 0x50, 0x0, &(0x7f0000000240)={0x3, {"f09c7917984887"}, 0xfffffffffffffffd}, 0x10) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) select(0x40, &(0x7f0000000040)={0x8001, 0x1, 0x8000, 0x401, 0x6, 0x2, 0x9, 0x7}, &(0x7f0000000080)={0x9, 0x5, 0x4531, 0x4, 0xfffffffffffffff7, 0x100, 0xfffffffffffffffc, 0x9}, &(0x7f00000000c0)={0x9, 0x3, 0x3, 0x3, 0x7fffffff, 0x9, 0x0, 0xd6b}, &(0x7f0000000280)={0x0, 0x2710}) [ 1045.302912] ALSA: seq fatal error: cannot create timer (-22) 05:00:48 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x60}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1045.356945] binder: 28380:28382 ERROR: BC_REGISTER_LOOPER called without request [ 1045.371083] binder: 28384:28389 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1045.380300] FAULT_INJECTION: forcing a failure. [ 1045.380300] name failslab, interval 1, probability 0, space 0, times 0 [ 1045.391585] CPU: 0 PID: 28386 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1045.395789] binder: 28384:28389 BC_FREE_BUFFER u0000000000000000 no match [ 1045.398515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1045.398523] Call Trace: [ 1045.398549] dump_stack+0x1b9/0x294 [ 1045.398573] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1045.398588] ? is_bpf_text_address+0xd7/0x170 [ 1045.398603] ? kernel_text_address+0x79/0xf0 [ 1045.398621] ? __unwind_start+0x166/0x330 [ 1045.410828] binder: 28380:28382 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1045.414916] should_fail.cold.4+0xa/0x1a [ 1045.414937] ? __save_stack_trace+0x7e/0xd0 05:00:49 executing program 7: syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x0, 0x10080) r0 = socket$inet6(0xa, 0x3, 0x5) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x100, 0x0) write$binfmt_elf32(r1, &(0x7f0000000140)=ANY=[@ANYBLOB="32d5d947c25460e4438db7d4314a34e83c31aad82b8a95d7ce10dbd83aa24b2e7ea043249dc7e32fa4c4e00e39d576cbcb2a8b258c964180b50c897853537a30df7d3cfe2b32486fcaf27e1947ee93c846b829464f89bd90457d90eb71ac0fe30921ab451a5ecd8b8155ecdcaddc65d62d12be12998c9585708b00b812077e5df6ca6844955bdaf7279ce25fffcb13cf9a2bf4a6b1c1077232570d8e92b51173b14abc58ede87d91e3ff196f2214e0f492000000000000000000000000"], 0x1) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000000040)={r1, &(0x7f0000000200)="d39dd2aa915d995cb343ea6707e004cef31ae42af208290c4239f3a4e264547ba9ce1bb50349664b9c9be2f610a2fff650b11f426b5548592e84c1b89d12563745749c0b2a491bfa4ed05e5b2ee186e45f3394356338736e578f6f16a3d43a38bf8504bc7b874b77359e08129bd4f674d15f2f90a5e95f73421b8898be813775890fa3ef0d05b2fd3707fd230287996c5a521f218ad7da04ad01752f32e2d4fde239da20e03c03af480e0a25c68473d76b5c8b", &(0x7f0000000500)=""/4096}, 0x18) mmap$binder(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x1000002, 0x1013, r1, 0x0) ioctl$int_in(r1, 0x80000000005008, &(0x7f00000004c0)) [ 1045.414958] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1045.414980] ? graph_lock+0x170/0x170 [ 1045.417578] binder: 28380:28382 unknown command 0 [ 1045.421172] ? save_stack+0x43/0xd0 [ 1045.421186] ? kasan_kmalloc+0xc4/0xe0 [ 1045.421206] ? kasan_slab_alloc+0x12/0x20 [ 1045.447453] binder: 28380:28382 ioctl c0306201 2000dfd0 returned -22 [ 1045.451503] ? find_held_lock+0x36/0x1c0 [ 1045.451526] ? __lock_is_held+0xb5/0x140 [ 1045.451553] ? check_same_owner+0x320/0x320 [ 1045.451572] ? rcu_note_context_switch+0x710/0x710 05:00:49 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x600000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1045.451593] __should_failslab+0x124/0x180 [ 1045.451608] should_failslab+0x9/0x14 [ 1045.451627] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1045.461175] binder: 28384:28389 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1045.464840] __kmalloc_node_track_caller+0x33/0x70 [ 1045.464860] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1045.464876] __alloc_skb+0x14d/0x780 [ 1045.464893] ? skb_scrub_packet+0x580/0x580 [ 1045.464909] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1045.464928] ? ip_generic_getfrag+0x11c/0x2d0 05:00:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl(0xffffffffffffffff, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000080)}) r1 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0x6, 0x2002) setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x32, &(0x7f0000000080)=r1, 0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) syz_open_dev$sndpcmp(&(0x7f0000000040)='/dev/snd/pcmC#D#p\x00', 0x4, 0x80) [ 1045.491071] binder: 28384:28389 BC_FREE_BUFFER u0000000000000000 no match [ 1045.491929] ? ip_reply_glue_bits+0xc0/0xc0 [ 1045.491956] ? raw_getfrag+0x15b/0x220 [ 1045.491973] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1045.491995] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1045.492023] ? raw_destroy+0x30/0x30 [ 1045.581913] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1045.587734] ? ipv4_mtu+0x375/0x580 [ 1045.591381] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1045.596853] ? lock_acquire+0x1dc/0x520 [ 1045.600840] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1045.606371] ? ip_setup_cork+0x4dc/0x7c0 [ 1045.610428] ip_append_data.part.48+0xf3/0x180 [ 1045.614999] ? raw_destroy+0x30/0x30 [ 1045.618702] ip_append_data+0x6d/0x90 [ 1045.622489] ? raw_destroy+0x30/0x30 [ 1045.626195] raw_sendmsg+0x1dae/0x29b0 [ 1045.630078] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1045.635186] ? rcu_report_qs_rnp+0x790/0x790 [ 1045.639652] ? graph_lock+0x170/0x170 [ 1045.643457] ? expand_files.part.8+0x9a0/0x9a0 [ 1045.648024] ? check_same_owner+0x320/0x320 [ 1045.652358] ? lock_downgrade+0x8e0/0x8e0 [ 1045.656494] ? lock_release+0xa10/0xa10 [ 1045.660906] ? check_same_owner+0x320/0x320 [ 1045.665216] ? __check_object_size+0x95/0x5d9 [ 1045.669701] inet_sendmsg+0x19f/0x690 [ 1045.673491] ? __might_sleep+0x95/0x190 [ 1045.677452] ? ipip_gro_receive+0x100/0x100 [ 1045.681763] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1045.687288] ? security_socket_sendmsg+0x94/0xc0 [ 1045.692031] ? ipip_gro_receive+0x100/0x100 [ 1045.696343] sock_sendmsg+0xd5/0x120 [ 1045.700044] __sys_sendto+0x3d7/0x670 [ 1045.703837] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1045.708498] ? wait_for_completion+0x870/0x870 [ 1045.713090] ? __lock_is_held+0xb5/0x140 [ 1045.717166] ? __sb_end_write+0xac/0xe0 [ 1045.721151] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1045.726675] ? fput+0x130/0x1a0 [ 1045.729946] ? ksys_write+0x1a6/0x250 [ 1045.733734] ? __ia32_sys_read+0xb0/0xb0 [ 1045.737783] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1045.743621] __x64_sys_sendto+0xe1/0x1a0 [ 1045.747672] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1045.752677] do_syscall_64+0x1b1/0x800 [ 1045.756550] ? finish_task_switch+0x1ca/0x840 [ 1045.761034] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1045.765953] ? syscall_return_slowpath+0x30f/0x5c0 [ 1045.770875] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1045.776229] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1045.781059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1045.786238] RIP: 0033:0x4559f9 [ 1045.789410] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 05:00:49 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x900}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1045.808675] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1045.816368] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1045.823622] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1045.830879] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1045.838137] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1045.845396] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000e 05:00:49 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0xfae) [ 1045.864577] binder: 28403:28404 unknown command 0 [ 1045.870378] binder: 28402:28405 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1045.887666] binder: 28402:28405 BC_FREE_BUFFER u0000000000000000 no match [ 1045.903918] binder: 28403:28404 ioctl c0306201 2000dfd0 returned -22 05:00:49 executing program 7: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x200000008912, &(0x7f0000000000)="025cc83d6d345f8f760070") r1 = socket$inet(0x2, 0x2, 0x0) setsockopt$inet_int(r1, 0x0, 0x8, &(0x7f00000000c0)=0xff, 0x4) setsockopt$inet_int(r1, 0x0, 0xb, &(0x7f0000000000)=0xa, 0x1) sendto$inet(r1, &(0x7f0000000280), 0x0, 0x0, &(0x7f0000000180)={0x2, 0x4e22, @local={0xac, 0x14, 0x14, 0xaa}}, 0x10) syz_emit_ethernet(0x22, &(0x7f0000000140)={@dev={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x1d}, @local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}, [{[], {0x8100, 0x2, 0x3, 0x1}}], {@can={0xc, {{0x2, 0x6, 0x0, 0x6}, 0x8, 0x3, 0x0, 0x0, "34f705df3d795bb4"}}}}, &(0x7f00000001c0)={0x1, 0x3, [0xc26, 0xdf9, 0xe22, 0xf32]}) setsockopt$inet_int(r1, 0x0, 0x400000000c, &(0x7f0000000100)=0x7ff, 0x4) ioctl$sock_inet_SIOCGIFNETMASK(r1, 0x891b, &(0x7f0000000200)={'eql\x00', {0x2, 0x4e22, @broadcast=0xffffffff}}) recvmsg(r1, &(0x7f0000edffc8)={0x0, 0xfffffffffffffe58, &(0x7f0000000000), 0x0, &(0x7f0000000040)=""/81, 0x51}, 0x40002102) [ 1045.944481] binder: 28403:28404 unknown command 0 [ 1045.952661] binder: 28403:28404 ioctl c0306201 2000dfd0 returned -22 [ 1045.959448] binder: 28402:28405 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1045.966800] binder: 28402:28405 BC_FREE_BUFFER u0000000000000000 no match [ 1046.237579] ALSA: seq fatal error: cannot create timer (-22) 05:00:50 executing program 1 (fault-call:4 fault-nth:15): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000040)={0x0, 0x5, 0x5, [0x6, 0x3, 0x0, 0x80000001, 0xffffffffffff7fff]}, &(0x7f0000000080)=0x12) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r1, 0x84, 0x18, &(0x7f00000000c0)={r2, 0x8}, &(0x7f0000000180)=0x8) 05:00:50 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x3) 05:00:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x5000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:50 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:50 executing program 7: r0 = gettid() r1 = syz_open_dev$vcsn(&(0x7f0000000000)='/dev/vcs#\x00', 0x270, 0x280000) ioctl$int_in(r1, 0x5452, &(0x7f0000000080)=0x3) waitid(0x200000000005, r0, &(0x7f0000000040), 0x7, &(0x7f0000000180)) 05:00:50 executing program 4: r0 = socket$inet6_udplite(0xa, 0x2, 0x88) ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000000080)={'ip6_vti0\x00', {0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x1a}}}) r1 = socket$inet6(0xa, 0x5, 0x0) sendmmsg(r1, &(0x7f0000002900)=[{{&(0x7f0000000180)=@in={0x2, 0x0, @loopback=0x7f000001}, 0x80, &(0x7f0000001740)=[{&(0x7f00000015c0)='1', 0x1}], 0x1, &(0x7f00000017c0)}}, {{0x0, 0x0, &(0x7f0000002080)=[{&(0x7f0000001fc0)="c4", 0x1}], 0x1, &(0x7f0000004a00)}}], 0x2, 0x4815) r2 = socket$inet(0x2, 0x0, 0xf45) setsockopt$inet_dccp_buf(r2, 0x21, 0x2, &(0x7f0000000000)="0fccdebaba3ebabd3d27b5a1dbd7e7def3d0719797698a2fb82a8844821c7fa42e3264cb04cc68262d6b276e3854b55c3db30333dada8a83125af3b3c2d8c232a38b64", 0x43) 05:00:50 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x100000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1046.407109] ALSA: seq fatal error: cannot create timer (-22) [ 1046.417220] ALSA: seq fatal error: cannot create timer (-22) [ 1046.461408] binder: 28438:28440 unknown command 0 [ 1046.482664] binder: 28444:28447 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1046.485058] binder: 28438:28440 ioctl c0306201 2000dfd0 returned -22 [ 1046.506790] binder: 28444:28447 BC_FREE_BUFFER u0000000000000000 no match 05:00:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x80000001) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) accept$inet6(r1, &(0x7f0000000080)={0x0, 0x0, 0x0, @dev}, &(0x7f0000000180)=0x1c) ioctl$BLKGETSIZE64(0xffffffffffffffff, 0x80081272, &(0x7f00000000c0)) 05:00:50 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3e80000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:50 executing program 7: r0 = socket(0x11, 0x100000803, 0x0) r1 = syz_open_dev$tun(&(0x7f00000000c0)='/dev/net/tun\x00', 0x0, 0x20000000002) r2 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={"6966623000faffffffffffffff00", 0x5001}) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000000)={'ifb0\x00', 0xa201}) r3 = syz_open_dev$vcsn(&(0x7f0000000180)='/dev/vcs#\x00', 0x2, 0x402) ioctl$TIOCGPTPEER(r3, 0x5441, 0x0) write$tun(r1, &(0x7f0000000100)=ANY=[@ANYBLOB="05266b24411c30711c0060af04ca00443a0000000000000000000000ffffac1414bbff0200000000000000000000000000010420880b0000000000000800f4ff85dd080088be00000000100000000100000000000000080022eb00000000000000000000000800655800000000000000000000000000c05936864d"], 0x76) clock_gettime(0x0, &(0x7f0000000cc0)={0x0, 0x0}) recvmmsg(r2, &(0x7f0000000c00)=[{{&(0x7f0000000700)=@ethernet={0x0, @random}, 0x80, &(0x7f0000000a80)}}, {{&(0x7f0000000ac0)=@in, 0x80, &(0x7f0000000b40), 0x82, &(0x7f0000000b80)=""/76, 0x4c}}], 0x2, 0x62, &(0x7f0000000d00)={0x0, r4+30000000}) 05:00:50 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x10) [ 1046.534260] binder: 28444:28447 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1046.542209] binder: 28444:28447 BC_FREE_BUFFER u0000000000000000 no match [ 1046.599093] binder: 28463:28465 ERROR: BC_REGISTER_LOOPER called without request [ 1046.658148] binder: 28463:28465 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1046.666425] binder: 28463:28465 unknown command 0 [ 1046.679376] binder: 28463:28465 ioctl c0306201 2000dfd0 returned -22 [ 1046.686628] binder: 28463:28465 ERROR: BC_REGISTER_LOOPER called without request [ 1046.689791] binder: 28463:28476 unknown command 0 [ 1046.689810] binder: 28463:28476 ioctl c0306201 2000dfd0 returned -22 [ 1046.750766] FAULT_INJECTION: forcing a failure. [ 1046.750766] name failslab, interval 1, probability 0, space 0, times 0 [ 1046.762075] CPU: 0 PID: 28457 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1046.769656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1046.769663] Call Trace: [ 1046.769684] dump_stack+0x1b9/0x294 [ 1046.769708] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1046.790506] ? __schedule+0x809/0x1e30 [ 1046.794418] should_fail.cold.4+0xa/0x1a [ 1046.798510] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1046.803634] ? __lock_is_held+0xb5/0x140 [ 1046.807709] ? __kmalloc_node_track_caller+0x47/0x70 [ 1046.812828] ? graph_lock+0x170/0x170 [ 1046.816635] ? __x64_sys_sendto+0xe1/0x1a0 [ 1046.820881] ? find_held_lock+0x36/0x1c0 [ 1046.824944] ? __lock_is_held+0xb5/0x140 [ 1046.829001] ? check_same_owner+0x320/0x320 [ 1046.833320] ? rcu_note_context_switch+0x710/0x710 [ 1046.838246] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1046.843538] __should_failslab+0x124/0x180 [ 1046.847777] should_failslab+0x9/0x14 [ 1046.851578] kmem_cache_alloc_node+0x272/0x780 [ 1046.856173] ? __kmalloc_node_track_caller+0x47/0x70 [ 1046.861267] __alloc_skb+0x111/0x780 [ 1046.865048] ? skb_scrub_packet+0x580/0x580 [ 1046.869367] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1046.874894] ? ip_generic_getfrag+0x11c/0x2d0 [ 1046.879380] ? ip_reply_glue_bits+0xc0/0xc0 [ 1046.883726] ? raw_getfrag+0x15b/0x220 [ 1046.887608] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1046.892633] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1046.897647] ? raw_destroy+0x30/0x30 [ 1046.901356] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1046.907144] ? __schedule+0x809/0x1e30 [ 1046.911026] ? ipv4_mtu+0x375/0x580 [ 1046.914654] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1046.920109] ? lock_acquire+0x1dc/0x520 [ 1046.924096] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1046.929638] ? ip_setup_cork+0x4dc/0x7c0 [ 1046.933705] ip_append_data.part.48+0xf3/0x180 [ 1046.938301] ? raw_destroy+0x30/0x30 [ 1046.942026] ip_append_data+0x6d/0x90 [ 1046.945818] ? raw_destroy+0x30/0x30 [ 1046.949529] raw_sendmsg+0x1dae/0x29b0 [ 1046.953499] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1046.958592] ? rcu_report_qs_rnp+0x790/0x790 [ 1046.962993] ? graph_lock+0x170/0x170 [ 1046.966802] ? expand_files.part.8+0x9a0/0x9a0 [ 1046.971371] ? check_same_owner+0x320/0x320 [ 1046.975687] ? lock_downgrade+0x8e0/0x8e0 [ 1046.979824] ? lock_release+0xa10/0xa10 [ 1046.983785] ? check_same_owner+0x320/0x320 [ 1046.988094] ? __check_object_size+0x95/0x5d9 [ 1046.992576] inet_sendmsg+0x19f/0x690 [ 1046.996363] ? __might_sleep+0x95/0x190 [ 1047.000326] ? ipip_gro_receive+0x100/0x100 [ 1047.004656] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1047.010199] ? security_socket_sendmsg+0x94/0xc0 [ 1047.014952] ? ipip_gro_receive+0x100/0x100 [ 1047.019277] sock_sendmsg+0xd5/0x120 [ 1047.022989] __sys_sendto+0x3d7/0x670 [ 1047.026790] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1047.031459] ? wait_for_completion+0x870/0x870 [ 1047.036052] ? __lock_is_held+0xb5/0x140 [ 1047.040128] ? __sb_end_write+0xac/0xe0 [ 1047.044102] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1047.049630] ? fput+0x130/0x1a0 [ 1047.052900] ? ksys_write+0x1a6/0x250 [ 1047.056687] ? __ia32_sys_read+0xb0/0xb0 [ 1047.060741] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1047.065577] __x64_sys_sendto+0xe1/0x1a0 [ 1047.069631] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1047.074647] do_syscall_64+0x1b1/0x800 [ 1047.078518] ? finish_task_switch+0x1ca/0x840 [ 1047.083010] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1047.087930] ? syscall_return_slowpath+0x30f/0x5c0 [ 1047.092857] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1047.098221] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1047.103055] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1047.108229] RIP: 0033:0x4559f9 [ 1047.111399] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1047.130590] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1047.138288] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1047.145552] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1047.152817] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1047.160072] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1047.167326] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000000f [ 1047.340752] ALSA: seq fatal error: cannot create timer (-22) 05:00:51 executing program 4: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndctrl(&(0x7f00000000c0)='/dev/snd/controlC#\x00', 0x1ff, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_INFO(r0, 0xc4c85512, &(0x7f0000000580)={{0x5, 0x0, 0x0, 0x0, "1a0ab9b1f94c716787e88fae5552770ad6a9b54e0679918e0a88af8aacaea63fd56d1dd99812e16bc06df8b8"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'syz0\x00'}) 05:00:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x60000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:51 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x63) 05:00:51 executing program 1 (fault-call:4 fault-nth:16): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:51 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x12}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:51 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xffffff7f}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x20) syz_open_dev$sndmidi(&(0x7f0000000040)='/dev/snd/midiC#D#\x00', 0x0, 0x200) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:51 executing program 7: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f00001fefe4)={0xa, 0x4e22}, 0x1c) listen(r0, 0x0) accept(r0, 0x0, &(0x7f0000000040)) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) shutdown(r0, 0x1) sendto$inet6(r1, &(0x7f0000000280), 0xfffffdf7, 0x20000004, &(0x7f0000000000)={0xa, 0x4e22}, 0x1c) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f00000001c0)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f00000000c0)={&(0x7f0000000140)=@setlink={0x3c, 0x13, 0x311, 0x0, 0x0, {}, [@IFLA_TXQLEN={0x8, 0x18}, @IFLA_IFNAME={0x14, 0x3, 'team_slave_1\x00'}]}, 0x3c}, 0x1}, 0x0) [ 1047.510140] ALSA: seq fatal error: cannot create timer (-22) [ 1047.563752] FAULT_INJECTION: forcing a failure. [ 1047.563752] name failslab, interval 1, probability 0, space 0, times 0 [ 1047.575063] CPU: 1 PID: 28491 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1047.582013] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1047.591386] Call Trace: [ 1047.594002] dump_stack+0x1b9/0x294 [ 1047.597654] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1047.597983] binder: 28497:28507 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1047.602856] ? perf_trace_lock_acquire+0xe3/0x980 [ 1047.602878] ? kernel_text_address+0x79/0xf0 [ 1047.602899] ? __unwind_start+0x166/0x330 [ 1047.610442] binder: 28492:28494 ERROR: BC_REGISTER_LOOPER called without request [ 1047.614669] should_fail.cold.4+0xa/0x1a [ 1047.614694] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1047.614721] ? graph_lock+0x170/0x170 [ 1047.614739] ? save_stack+0x43/0xd0 [ 1047.614759] ? kasan_slab_alloc+0x12/0x20 [ 1047.620791] binder: 28492:28494 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1047.623335] ? find_held_lock+0x36/0x1c0 [ 1047.623362] ? __lock_is_held+0xb5/0x140 [ 1047.623394] ? check_same_owner+0x320/0x320 [ 1047.623412] ? rcu_note_context_switch+0x710/0x710 [ 1047.623437] __should_failslab+0x124/0x180 [ 1047.631011] binder: 28492:28494 unknown command 0 [ 1047.635040] should_failslab+0x9/0x14 [ 1047.635059] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1047.635083] __kmalloc_node_track_caller+0x33/0x70 [ 1047.635102] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1047.641086] binder: 28497:28507 BC_FREE_BUFFER u0000000000000000 no match [ 1047.643992] __alloc_skb+0x14d/0x780 [ 1047.644016] ? skb_scrub_packet+0x580/0x580 [ 1047.644037] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1047.644056] ? ip_generic_getfrag+0x11c/0x2d0 [ 1047.644075] ? ip_reply_glue_bits+0xc0/0xc0 [ 1047.644101] ? raw_getfrag+0x15b/0x220 [ 1047.648042] binder: 28492:28494 ioctl c0306201 2000dfd0 returned -22 [ 1047.651845] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1047.651870] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1047.651896] ? raw_destroy+0x30/0x30 [ 1047.651916] ? perf_trace_lock+0x900/0x900 [ 1047.651942] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1047.651971] ? ipv4_mtu+0x375/0x580 [ 1047.772332] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1047.777786] ? lock_acquire+0x1dc/0x520 [ 1047.781757] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1047.787283] ? ip_setup_cork+0x4dc/0x7c0 [ 1047.791336] ip_append_data.part.48+0xf3/0x180 [ 1047.795918] ? raw_destroy+0x30/0x30 [ 1047.799628] ip_append_data+0x6d/0x90 [ 1047.803422] ? raw_destroy+0x30/0x30 [ 1047.807138] raw_sendmsg+0x1dae/0x29b0 [ 1047.811033] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1047.816138] ? graph_lock+0x170/0x170 [ 1047.819942] ? expand_files.part.8+0x9a0/0x9a0 [ 1047.824551] ? lock_downgrade+0x8e0/0x8e0 [ 1047.828695] ? lock_release+0xa10/0xa10 [ 1047.832666] ? __check_object_size+0x95/0x5d9 [ 1047.837159] inet_sendmsg+0x19f/0x690 [ 1047.840971] ? __might_sleep+0x95/0x190 [ 1047.844939] ? ipip_gro_receive+0x100/0x100 [ 1047.849255] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1047.854783] ? security_socket_sendmsg+0x94/0xc0 [ 1047.859526] ? ipip_gro_receive+0x100/0x100 [ 1047.863839] sock_sendmsg+0xd5/0x120 [ 1047.867545] __sys_sendto+0x3d7/0x670 [ 1047.871343] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1047.876009] ? wait_for_completion+0x870/0x870 [ 1047.880596] ? __lock_is_held+0xb5/0x140 [ 1047.884677] ? __sb_end_write+0xac/0xe0 [ 1047.888646] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1047.894171] ? fput+0x130/0x1a0 [ 1047.897447] ? ksys_write+0x1a6/0x250 [ 1047.901259] ? __ia32_sys_read+0xb0/0xb0 [ 1047.905322] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1047.910871] __x64_sys_sendto+0xe1/0x1a0 [ 1047.914925] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1047.919941] do_syscall_64+0x1b1/0x800 [ 1047.923819] ? finish_task_switch+0x1ca/0x840 [ 1047.928306] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1047.933227] ? syscall_return_slowpath+0x30f/0x5c0 [ 1047.938149] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1047.943510] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1047.948348] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1047.953528] RIP: 0033:0x4559f9 [ 1047.956722] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1047.976097] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1047.983799] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1047.991058] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1047.998331] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1048.005590] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 05:00:51 executing program 4: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000280)) creat(&(0x7f0000000440)='./file0\x00', 0x0) mkdir(&(0x7f0000000000)='./file0\x00', 0x10) r1 = perf_event_open(&(0x7f000000a000)={0x6, 0x70}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r1) r2 = getpgid(0xffffffffffffffff) perf_event_open(&(0x7f0000000080)={0x4, 0x70, 0x8, 0x0, 0x101, 0x2, 0x0, 0x5d18, 0x10, 0xa, 0x100000001, 0x4, 0xffffffffffff188e, 0x8000, 0x3, 0x3a4ff1b7, 0xfffffffffffffffe, 0x5, 0x6, 0x1, 0xc0000, 0x5, 0x3, 0xfffffffffffffff9, 0x0, 0x0, 0x3, 0x2, 0x80, 0x953a, 0xffff, 0x8, 0x9, 0x100, 0x0, 0x101, 0x10001, 0xffffffffffffffc0, 0x0, 0xfffffffffffffffb, 0x4, @perf_bp={&(0x7f0000000040), 0x4}, 0x2ec44, 0x7fffffff, 0x1, 0x4, 0x80000001, 0xaf02, 0x4}, r2, 0x1, r0, 0x8) 05:00:51 executing program 5: r0 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cuse\x00', 0x80400, 0x0) ioctl$DRM_IOCTL_MARK_BUFS(r0, 0x40206417, &(0x7f0000000040)={0xffffffffffff8001, 0x0, 0x5, 0x1, 0x3}) r1 = pkey_alloc(0x0, 0x1) pkey_free(r1) r2 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) dup2(r3, r2) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x40000, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b630000946c47962b006afde074a2d5f00ccc54c6ae7faf74104442e5addbcd96c2943bc4c9705d4dfce97c1ddbfc9fd719bd68ad2ce91ddccee05776f4c44dbdc2941236ee9dc90f2a5d6766dd100d1ea521be6ef39b925ea9af5656a675f233a12e476d2e84fa3836077957901d29e7d29e04550c1acd18bd8c9ccde34d091c745528b76e4763f7fd48678622213df25d9e3c174d211e38472dd64926e8ec58b961769bdeea670540d4a2cc2eab2a346c4afbc7f90d7075e917cde624db4491"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="1f630000"], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:51 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xc000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1048.012848] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000010 [ 1048.021533] binder: 28492:28511 ERROR: BC_REGISTER_LOOPER called without request [ 1048.031214] binder: 28497:28507 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1048.087908] binder: 28497:28507 BC_FREE_BUFFER u0000000000000000 no match 05:00:51 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1300) 05:00:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6c00, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:51 executing program 1 (fault-call:4 fault-nth:17): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:51 executing program 4: r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000140)={0xaa, 0x40}) r1 = add_key(&(0x7f0000000040)='logon\x00', &(0x7f0000000080)={0x73, 0x79, 0x7a, 0x1}, 0x0, 0x0, 0xfffffffffffffff9) ioctl$UFFDIO_WAKE(r0, 0x8010aa02, &(0x7f0000000000)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}) r2 = add_key$keyring(&(0x7f0000000180)='keyring\x00', &(0x7f00000001c0)={0x73, 0x79, 0x7a, 0x1}, 0x0, 0x0, 0xfffffffffffffffc) keyctl$reject(0x13, r1, 0xffc00000000000, 0x0, r2) read(r0, &(0x7f00000000c0)=""/128, 0x80) r3 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r3, &(0x7f0000000200)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000004fe0)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) timer_create(0x3, &(0x7f0000000240)={0x0, 0x6, 0x2}, &(0x7f0000000280)=0x0) timer_delete(r4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x8031, 0xffffffffffffffff, 0x0) [ 1048.250561] FAULT_INJECTION: forcing a failure. [ 1048.250561] name failslab, interval 1, probability 0, space 0, times 0 [ 1048.261963] CPU: 1 PID: 28534 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1048.268902] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1048.278264] Call Trace: [ 1048.280873] dump_stack+0x1b9/0x294 [ 1048.284523] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1048.289726] ? unwind_get_return_address+0x61/0xa0 [ 1048.294651] ? graph_lock+0x170/0x170 [ 1048.298444] should_fail.cold.4+0xa/0x1a [ 1048.302495] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1048.307588] ? __lock_is_held+0xb5/0x140 [ 1048.311639] ? __kmalloc_node_track_caller+0x47/0x70 [ 1048.316734] ? graph_lock+0x170/0x170 [ 1048.320525] ? __x64_sys_sendto+0xe1/0x1a0 [ 1048.324748] ? find_held_lock+0x36/0x1c0 [ 1048.328801] ? __lock_is_held+0xb5/0x140 [ 1048.332878] ? check_same_owner+0x320/0x320 [ 1048.337191] ? rcu_note_context_switch+0x710/0x710 [ 1048.342107] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1048.347375] __should_failslab+0x124/0x180 [ 1048.351601] should_failslab+0x9/0x14 [ 1048.355387] kmem_cache_alloc_node+0x272/0x780 [ 1048.359962] ? __kmalloc_node_track_caller+0x47/0x70 [ 1048.365058] __alloc_skb+0x111/0x780 [ 1048.368763] ? mark_held_locks+0xc9/0x160 [ 1048.372901] ? skb_scrub_packet+0x580/0x580 [ 1048.377212] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1048.382739] ? ip_generic_getfrag+0x11c/0x2d0 [ 1048.387226] ? ip_reply_glue_bits+0xc0/0xc0 [ 1048.391551] ? raw_getfrag+0x15b/0x220 [ 1048.395450] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1048.400475] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1048.405490] ? raw_destroy+0x30/0x30 [ 1048.409200] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1048.414988] ? ipv4_mtu+0x375/0x580 [ 1048.418602] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1048.424051] ? lock_acquire+0x1dc/0x520 [ 1048.428017] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1048.433541] ? ip_setup_cork+0x4dc/0x7c0 [ 1048.437593] ip_append_data.part.48+0xf3/0x180 [ 1048.442164] ? raw_destroy+0x30/0x30 [ 1048.445866] ip_append_data+0x6d/0x90 [ 1048.449656] ? raw_destroy+0x30/0x30 [ 1048.453360] raw_sendmsg+0x1dae/0x29b0 [ 1048.457252] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1048.462342] ? rcu_report_qs_rnp+0x790/0x790 [ 1048.466743] ? graph_lock+0x170/0x170 [ 1048.470540] ? expand_files.part.8+0x9a0/0x9a0 [ 1048.475109] ? check_same_owner+0x320/0x320 [ 1048.479427] ? lock_downgrade+0x8e0/0x8e0 [ 1048.483563] ? lock_release+0xa10/0xa10 [ 1048.487524] ? check_same_owner+0x320/0x320 [ 1048.491835] ? __check_object_size+0x95/0x5d9 [ 1048.496880] inet_sendmsg+0x19f/0x690 [ 1048.500669] ? __might_sleep+0x95/0x190 [ 1048.504632] ? ipip_gro_receive+0x100/0x100 [ 1048.508943] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1048.514468] ? security_socket_sendmsg+0x94/0xc0 [ 1048.519211] ? ipip_gro_receive+0x100/0x100 [ 1048.523519] sock_sendmsg+0xd5/0x120 [ 1048.527223] __sys_sendto+0x3d7/0x670 [ 1048.531027] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1048.535686] ? wait_for_completion+0x870/0x870 [ 1048.540258] ? __lock_is_held+0xb5/0x140 [ 1048.544314] ? __sb_end_write+0xac/0xe0 [ 1048.548290] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1048.553816] ? fput+0x130/0x1a0 [ 1048.557084] ? ksys_write+0x1a6/0x250 [ 1048.560874] ? __ia32_sys_read+0xb0/0xb0 [ 1048.564925] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1048.570454] __x64_sys_sendto+0xe1/0x1a0 [ 1048.574504] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1048.579509] do_syscall_64+0x1b1/0x800 [ 1048.583386] ? finish_task_switch+0x1ca/0x840 [ 1048.587871] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1048.592804] ? syscall_return_slowpath+0x30f/0x5c0 [ 1048.597721] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1048.603076] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1048.607915] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1048.613090] RIP: 0033:0x4559f9 [ 1048.616260] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1048.635503] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1048.643200] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1048.650470] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1048.657730] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1048.665000] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1048.672255] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000011 [ 1048.686848] binder: 28536:28537 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1048.708550] binder: 28536:28537 BC_FREE_BUFFER u0000000000000000 no match [ 1048.733045] binder: 28536:28537 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1048.746092] binder: 28536:28537 BC_FREE_BUFFER u0000000000000000 no match 05:00:52 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x6000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:52 executing program 4: syz_mount_image$vfat(&(0x7f0000000000)='vfat\x00', &(0x7f0000000100)='./file0\x00', 0xe000, 0x1, &(0x7f0000000040)=[{&(0x7f0000010000)="eb3c906d6b66732e66617400020401000200027000f801", 0x17}], 0x0, &(0x7f0000000240)=ANY=[]) r0 = open(&(0x7f0000000140)='./file0/file0\x00', 0x3fffa, 0x0) fallocate(r0, 0x0, 0x0, 0x8004) ioctl$VHOST_SET_VRING_NUM(r0, 0x4008af10, &(0x7f0000000080)={0x0, 0x5}) fcntl$setstatus(r0, 0x4, 0x100000000004800) sendfile(r0, r0, 0x0, 0xffffffff) 05:00:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r1, 0x0, 0x8, &(0x7f00000000c0)=0x1, 0x4) r2 = socket$inet6(0xa, 0x1, 0x0) r3 = syz_open_dev$admmidi(&(0x7f0000000080)='/dev/admmidi#\x00', 0x30000000000, 0x440) getsockopt$inet6_mreq(r2, 0x29, 0x15, &(0x7f0000000180)={@dev, 0x0}, &(0x7f00000001c0)=0x14) sendmsg$can_bcm(r3, &(0x7f0000000300)={&(0x7f0000000200)={0x1d, r4}, 0x10, &(0x7f00000002c0)={&(0x7f0000000240)={0x7, 0x40, 0x7f, {0x0, 0x7530}, {0x0, 0x2710}, {0x4, 0x7fffffff, 0x169, 0x3}, 0x1, @can={{0x0, 0x7, 0x7, 0x7fffffff}, 0x4, 0x2, 0x0, 0x0, "0733b319eb0f96ee"}}, 0x48}, 0x1, 0x0, 0x0, 0x40004}, 0x0) inotify_add_watch(r3, &(0x7f0000000340)='./file0\x00', 0x4) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x90, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB='@\x00\x00\x00'], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:52 executing program 7: r0 = syz_open_dev$loop(&(0x7f0000000040)='/dev/loop#\x00', 0x0, 0x82) r1 = memfd_create(&(0x7f0000000140)="000000000000000000000000000000768e05f7c155ad7dc6947c573e5a69244e76382c0aa63d575ea3597f8b1728277ef76b30544d7ba92dcf978f1f81dc1b7f8f7b3451dada02ecb4f1ddcc8b5241da8945666e0073c25a6287c64dbea37a", 0x0) pwritev(r1, &(0x7f0000000940)=[{&(0x7f00000004c0)="725b501cd85f4674c08bf97244c3f2449cb690e4c9ed0ee820d2da1af36cce77056402679de1e7a45b2c62d14d06d9e592bcd17f5cc521d8f4d4c44fdac1772f9698b4b715bc89e6899930c1338da83ea861ae9276de8d8494a39008dbbcb508d2c6e535b4bfc67fb1bbe3b94be44c2b16da71f824be3f90177a7e180efcc7b5fadcf3f0111e0ff4f687a9c2d34c2a741d27011e63b28887d066d2f5cfa7066d21a8cdecbc3260bf3942e19b2eb0fddabd4cf674122b2afd27e9dfc0d7c28fcc693a8b657d8fbb7c1565", 0xca}, {&(0x7f0000001a00)="aec14779e5fdb1f9c70f8bbd4a589a4a8b7d43ee96b395920e7d9d51067c4a9bb240ddf1ca9bb5cc4632b33445e85e02c0ed2cc103f7ea5b00b3f2fdea36d1a0e34c3212a7a2b3cc48aeab736f3cb0a79249ad4ad8fc12e8100825c9aef44d4f28d4c916a92f856a547f44383095d2cd14907bde8cee85e473faf932fa3440debcae313b9c359a274aa69cf2ca323f87de9a271f7c0ba77009a283035fbeae3766eddfaebe0d06ed3a2ac964194f022f839b9a0b87eb142fc224e783cc9cc6a0b9c8634f3133de37ba2379da6ed734531c4baef872ac259cd3f9bde6f1f466b90848a72fbfecd82654612dacc3d5f486c9f0aec7a8922470b1ecbc6a7b9727fb59b3f442e991e0da9cd2e1081ccf16975993f6fb38ab7d63b5aac9d7a19683b025fc7667acd644ad0d8d95ac4ecd314477a630ee10d990ab53eff487816f5d7c2ac10c8f748b7ebbc2d3a8c1a4f0a3f248b139ef450861ed0f2a4ad9236c166ef388bdbf7502f93ad1f0c9fc8b3dc0b789b43946a564ac9acf726105c2b21df0dc802127f1105e12d3078c0d4b35e34d265ab6209cc06476b6233f87cd12c22afe7c80695ac911876251a2847f1d178387b3e2231ad4bc7a22e3730456d6ce33eba72e16c41da0b4faaeb4dfa8f5c8e96c88ce54cf22029c6e36eba867478f80f2c02818d13bbd42790ad7b2a047a8604f587dd5d22c2476cec1aa0ae480fd3f04fc18526717c94fe5f0f566ec7e995f7adff619390079293a82d3eac56a875fdeb425bb7c7953134f4d95e459c7e3fad9f8f54067df55e18bde8ff3713efe6e3c2a93392cf7f14ca58bdde370d46761ddf6cd10ebba84c093ef33c2cf698351b3902a1eecf70128fd9be79431beb7a1eb367654730b9508b76e41d079d6d973f767a504e25a30f3cd82a6a6ed20b4ddde0942241edc6c5fc5c50576431cd5c79a596d5ec2508cad256196aec37eb95473abc758656db22290871b5078cd6d405750ca8c53a03e10f9661ba39928a3e2c46785ba054a0214aff3e0ae14e9d484989ec36a8a6a4a4d430a29b5daa7ce6e1a1adfa42378acc7e4fc0d37704f7e0f4d2e073ce3d8195fa19825c459e6af81da9e07a03d7b478c74cd74c202b21f5328de2f274c1738334db45d41c1f9bea4aa8dac9867a115260c0d3487d9c080eb428128b52d4005aa43b88a53c866c5c75eeaf23ccc5067a33961f5587a98cfc114d239b7a2cb95209274f85092e600dde5aa8c63c96a5ab6d3c672882bb56fdc9d619e232ab7b8a2964d1b909eab1b50192855b5de720584e2c20a28164a9ddf9fea99b7b09d972f326e87aa67e70e1d78d348b267243e9bd76f3bba1bdaecaddd316b3c5b5fa783125a83a68e3984f7f491966ff1003b0e825b6bdd56b7197f63e58f77cb635cd61c3c012ce3f837fbdf4fbe602befe000718292f7c79dd1ccea9b83396e35000e1986808d5488d206c3305221109f533c42149c7c9a28199b2809b4ccbede30413a28ad1db8cb9b8bdbf632fe494fb4a76a385cc4895179b164d2a57dd425e38e30e4c0d4ce8220cf44c057fae152b7d46beec26fd3c5a5c9c3773d5953959f4d932fc7e1d714f84aa10aeb72b81bf5cfa3665fbdbb1a45df920b6508dc1c7da90469abcb500eaf48d493a206028099448125408ccf9c19577aac6281acd0beab0fc0a57afc7eac7ad56dfb8471345e2a1f66315713ea39c2aea3f135a9684d3c36bf046d78d27bd8e45486de48f1675ef2542bfd7d67ac7c5e9a9678ca21f30891290159fe0b94f789a60aad5338c2229c21b34448b8c0d1544cad81b1b89d06620731567581f24578b1f4e9a62057919534d7f95ac2c92a568dbca6c24fb04da25eb836a53d0bdd03aec3b916c0f2e0341bd6c2068c4f332a9e60bd68949cf7b293ed366b57bf94cb4377c9f680ecc78b3e1b30234d916dfe4bfc3ad3fbb1586c91b21c5583477f68cb187bd59a22131b08f1ca94f6672028d032378af04f428400a721b77abef06d3ea4cdaaf1438ab738f0848cd0faf2cafc49d047082addfc0c7908f3946478426ce82ed21473f80d05192013cc3fc04c0f249d500655f09f17b6c33d14c81f6d3a06bb9f041f2102a9473022e7af193a8277b0960194fdac0de4c9a898b8c6a4b44f75ebd0a6d6ca9b5118a49bea34e2235dbb4bea68f49123cb1a2c57d638a49cff15a6ef5475769dc24c30622ecf77e3ee4f494da36aec19db6632dfbabebcedfdada6fd5e32a80e3c0eedbebd6ec392258f1d73970e1c3647babb3d882f83e8fe8cac49940e7a448ab5d43d24aa2f4f7de5fff68e064e0ccc70b9f653559e506d0dda2737f36d090d4d446f1e6f881c98d65a06dc5c3cc925a995308243165bce7c863e98ba7ae0c43172302b23c213bc79f38d80746f770dbe06aca03fb221f72a22fedc96cbbf7b4cce985e27ef80c63cc471620727d5e7f0340b16e0cb3782dcb945d6f956fed472de83f45a2bd342e2d81dad248aad75973fd23084addc887a312f451523ec99b466c1f033730635fc46aa7bb59670154e965016c0a1dda7cff0aa15875bc27bdf05651984db96d2a97df32b8b347a0a3b1fab3b1223fdc23641b1ac95be171658cedf5b18585266c7cf9906ef5caa683a1981b64715ce4079c8df953330cf7b8f737b0fdc7b316aaf444a4ff616ac9a0036c6839d5b243823065787243a260527338320a9e25bf7305c8a74da51253fb38a4f4d211e4cd6ae974ce61178138b2c36e563ace17718371023364a4d6717308832c4f6673addb2fae0550bb38ba8300c981a9f8bae5ccb26d35749287ddcd1cf1518c7f308fb9cd7e6857d10189f7be79c2b3eb0fd6f0ccd08875af9fe208bec9d736199cfa1ecd41ca8645c7a32016839c4fa81f6adcf825c0c42219cf58c49ca3933a05c340711baa288baaf90281ad61163cfc67af8d6459bb59e1185b8f4cd8587bee25272ad9d142e347cab2d22cfc575959aae5838d5af59a2a3e1bef186a500cca7c85197766fd18aadc20cd604b6986a738a8b6430d42657fce9a7e74ab4b3797b46109f98bfc694d8f8ca636595fa804a748171a9c2733d158c3706ed41dc96e0099d2dbabd1ce88e342c7148be11b343dcf3212e5b0247bfcd466abe14e795e003c581a431b08ed81deb6eadddf446e41fdca989e6a4177ffb61265fedb8eff8bb37f25dc7c55335ca2041ee85a1e48cde55a2b343c14635c135ab6adf419a7f79f64a65c2023bbe3093bc17c036755549947a549117dc693938ae0979761c7921cfce5ff2d8019ce9c325a7f229b36698f97973c1ca5ea1a0c53431b6dc9b51a2343eac3ff1b37384643be928b05a01c42b8f5bc19edcaa13eaff535372521e15df887dead2463c574780e2b9180602a30efc132b0641a0fc595decc4577612427a3679b72fe9d2dcef0d00ce8f4a4b25c303cb23f3419f1318769e78b9f74280b5331e3f808b546e5b176206992ffca7d83734aa19c750c84eae288fd4e0f3bda4d3b7628bd2c24f41c2799a9018ff90480fd09b485c29d853b1f14a38187f08253431ad21ca1da62fe54708d014e72818c2663719ea92e955708e10a3edba3a76a289c4bbd4d262f71a0f17c1b8b2b7891a80af106a52efb8c5810e277052084374cf5f44a2849a45d1c8a80425794447a325a91b56dd6eb9d93d6fe631af0270dffff1d2e2fd1d88625f7067da0a5d703cc50738f0d4fe7001af4bc180fbee984737c01e190eac7c24c44ed569ffee973c95bf0c6f3bc9a012b9155a753b0ab4c89e9be6b6d2c9172f6e50941df10a18c0d12e56416f8bd0bc92878d719cbdd26118fa586feccc36e73b130d54a59bb98ae277e2236c1260e1bc62d340f74e3f4ea70534c78a5d9f5264c1f9476a7f21d5a8deb987bc6a368b762d140b5e0f30e0ce972f2055f33bb947ebcb828c0179cff6a5eb365755ad1d26249fb01d8456d37f8320a71fbe5a9d2fa0c3e7caae5ca4fe8c0c7ba219ccb62ff6aca2bc78382e4c313ee8873e5d66a275540c902fb2cc5b7477c49ee6c1a4be8198fde1b036a46aeafc5021feafa75ede53721005a52423c03807a433c8f342a10ae75400a8d6ffc742f72067bb87c2e5c017c99068ecd84f9c8853475a859d3b6a4e8acebcf62f6dc1a958ffef4804e2c9c00e3483288a69f9885798fd48e64bebe5c02548c5ffc3e2c9c6d3c7b9e542e28f36c74d2d23b7d60283d6cc8a3aae652c6985233675b4be1f7bb392429bd568d5e4064a527aad47d5c3e3ba8c17bc370b89e4b59a8dd8c78c64ab77375a06775f302213fc04c2d8ce346d6ada3200e20e034234980e77303fa5b26c1023bf539c58f5bc8b7d994a71706d6d832c0380b7a46f821406895ececae3db4650bf0eac33048709ca948e68c1dbf04eb0db8ed314b663e37a7c3e946bcecb09ad8e957f25f9729ddc83d58e3a766e3db701cc0ead86a82ee8de950a699c4ed80a045abd9ede1b2985103195e6d92d3c95e95612200c04384c1df220229818222ea160e392d271e2a04ac39f1712d92db7ea1479c37e1382195c4bf7a6dffa5db84e25f54330620ecd38b3b6c836d47604a7c2de7dcf0f85ee41d0e5affffa90d80f17651a00c1b8f68223f9e81bc54c57f54aa3e098cee9ee61641a9edb1329dcabda2816a2a586c9e31a361734670abfe878141d03832bf65c32c49b6b55a5ed405488a9bccd1610f19b9c5105942872f6ff4beb97446390b260d4ce0fc0d144264aeb37c6442af2c0111a38016e527364cb6dbb63e556a0fab4e45cfd9437397c5e1bd48e855a8865b396e918ebf12d4d3fb2047ccdf220fc2bf54d94149dde7be996bc092ba6bbf559382436527dceb7a61635d70c675bc4f9b9d34340d0b2eaf6e641d2d95facc3e19007e43dd7a4c69e4293c877dccd9c9be49dc6b9370b0a5d257e69a236435264ef2b6ed23dfec33579f6ec0662d60f2fd41d83bd965cc5be8c6ee6bce8d48ac9242c098597cb425ea233d6f7f026b82b7cf9d863ca2f21b658d863c15952e8eabbb29c23f974c7919a4e5e68a449abade009dfee4d4da177aedc6b31a6e2cc5fb59a67f59054536cbd0dcdf343cace101650e44830fedbcce45136eabf11d88724b8899cd78d7b31d4d0ec60d102ba4c75c5b038c958ebc4fc8fce5fe91878c9e952c6d7c6381c8a625e082694d1b8a4584955280eb181ea97a8c0074b8b6b6e9b62ba1840a15f338d053f1d313019c3241cff7ca23ddd63d91bbde0d6fbe92cba94c391f1ab41bd0a9da5b553dceb584c5ed2edeb653946c43b0666535fa32ad55b0c047139d8180aab27988b15d95cce8b7946dd415880d45711158c7208a515ae4ac05380b3d7df99721e0805c6abecbd452cb3392c26f074a5b9973bea57428ed2051bb5439a7ad7ebe6dab59ee0909badf9dc4799bdd4cbb06d35dcfd627516de55f3f4107ff57eebf01fe8b3b20eb595f8cda06bb886becf86e9c5eec8f9321630a026497fac7d2020d82176f226ffcbb2788268a4477775732ab51df164aa2dbaf8b1d000e2ff13fa56464b3c6454a76cc5068ca4331f2b1e37856c55f65edd7e9b05b1cdd52fed2498fdeb403cab228c5c66eb4a6a534a6910f24234fc268a51f007084a1f3d001380d0b0ce88b729fbcb6d0a5c919822ff3eb88f81416549c41a38a5ec4a4009f886508b98786a6faae2ed226fd514d6cd53806f128104def71594e76fb5ab647871516bc17859ee1a723d769a19b172d2cbcce757b2d0fa1cd17ad76ebab9ec818634d6cff408480a11261268", 0x1000}, {&(0x7f00000007c0)="25553cebe0c6b4fb8037bf67c5afb62434b585bee6820bc09baac01f40e1295eab2a010cba43e93f1d14407c05380489e71a85464b2b501f526ac5d65f844bea2181cbba28f56590923560fa43d98a559e942445ee65f036ef8391164dfb96f933fa94d6b195a35b577943f7192f11a19ccc52bcff0dc0fde8cda21315f6", 0x7e}, {&(0x7f0000000880)="90cbdfd189bca462276757057adcaf04ede8f3307735feedc7bb54f6bf8b2b8be6b8f63d3c4c5246a8162a5d2669f86c822fe1527031fb", 0x37}], 0x4, 0x0) setsockopt$IP_VS_SO_SET_FLUSH(r1, 0x0, 0x485, 0x0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000240)='./cgroup.cpu/syz1\x00', 0x1ff) syz_mount_image$jfs(&(0x7f00000000c0)='jfs\x00', &(0x7f00000001c0)='./file0\x00', 0x80, 0x3, &(0x7f00000003c0)=[{&(0x7f0000000200)="6feb3ce6f155d8912dd451c3822789bd6f4edeca5646ec88c77ea44b38e8ffbee89ce3598b328a8bf950eaaa55ac435e97", 0x31, 0xa81a}, {&(0x7f0000000280)="e1b3d5676741b32b44360169c824c5538205", 0x12, 0xfffffffffffffffb}, {&(0x7f00000002c0), 0x0, 0x7}], 0x20000, &(0x7f0000000480)={[{@nointegrity='nointegrity', 0x2c}, {@uid={'uid', 0x3d, [0x3d, 0x31, 0x32]}, 0x2c}, {@uid={'uid', 0x3d, [0x30, 0x78]}, 0x2c}, {@quota='quota', 0x2c}, {@errors_continue='errors=continue', 0x2c}]}) sendfile(r1, r1, &(0x7f0000000000), 0x3) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") sendfile(r0, r1, &(0x7f0000000080), 0x20000102000007) 05:00:52 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7a}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:52 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x4) 05:00:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x1000000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:52 executing program 1 (fault-call:4 fault-nth:18): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1049.138145] binder: 28563:28564 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1049.150371] binder: 28557:28565 ERROR: BC_REGISTER_LOOPER called without request [ 1049.157366] binder: 28563:28564 BC_FREE_BUFFER u0000000000000000 no match [ 1049.165763] FAULT_INJECTION: forcing a failure. [ 1049.165763] name failslab, interval 1, probability 0, space 0, times 0 [ 1049.177120] CPU: 0 PID: 28554 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1049.184057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1049.193418] Call Trace: [ 1049.196025] dump_stack+0x1b9/0x294 [ 1049.199672] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1049.204882] ? is_bpf_text_address+0xd7/0x170 [ 1049.209398] ? kernel_text_address+0x79/0xf0 [ 1049.213816] ? __unwind_start+0x166/0x330 [ 1049.217971] should_fail.cold.4+0xa/0x1a [ 1049.222022] ? __save_stack_trace+0x7e/0xd0 [ 1049.226337] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1049.231439] ? graph_lock+0x170/0x170 [ 1049.235229] ? save_stack+0x43/0xd0 [ 1049.238841] ? kasan_kmalloc+0xc4/0xe0 [ 1049.242713] ? kasan_slab_alloc+0x12/0x20 [ 1049.246853] ? find_held_lock+0x36/0x1c0 [ 1049.250906] ? __lock_is_held+0xb5/0x140 [ 1049.254964] ? check_same_owner+0x320/0x320 [ 1049.259275] ? rcu_note_context_switch+0x710/0x710 [ 1049.264197] __should_failslab+0x124/0x180 [ 1049.268451] should_failslab+0x9/0x14 [ 1049.272244] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1049.277343] __kmalloc_node_track_caller+0x33/0x70 [ 1049.282259] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1049.287006] __alloc_skb+0x14d/0x780 [ 1049.290708] ? skb_scrub_packet+0x580/0x580 [ 1049.295021] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1049.300549] ? ip_generic_getfrag+0x11c/0x2d0 [ 1049.305035] ? ip_reply_glue_bits+0xc0/0xc0 [ 1049.309372] ? raw_getfrag+0x15b/0x220 [ 1049.313246] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1049.318252] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1049.323261] ? raw_destroy+0x30/0x30 [ 1049.326970] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1049.332761] ? ipv4_mtu+0x375/0x580 [ 1049.336379] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1049.341832] ? lock_acquire+0x1dc/0x520 [ 1049.345798] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1049.351333] ? ip_setup_cork+0x4dc/0x7c0 [ 1049.355384] ip_append_data.part.48+0xf3/0x180 [ 1049.359956] ? raw_destroy+0x30/0x30 [ 1049.363661] ip_append_data+0x6d/0x90 [ 1049.367455] ? raw_destroy+0x30/0x30 [ 1049.371157] raw_sendmsg+0x1dae/0x29b0 [ 1049.375041] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1049.380134] ? rcu_report_qs_rnp+0x790/0x790 [ 1049.384535] ? graph_lock+0x170/0x170 [ 1049.388329] ? expand_files.part.8+0x9a0/0x9a0 [ 1049.392901] ? check_same_owner+0x320/0x320 [ 1049.397225] ? lock_downgrade+0x8e0/0x8e0 [ 1049.401360] ? lock_release+0xa10/0xa10 [ 1049.405324] ? check_same_owner+0x320/0x320 [ 1049.409634] ? __check_object_size+0x95/0x5d9 [ 1049.414119] inet_sendmsg+0x19f/0x690 [ 1049.417906] ? __might_sleep+0x95/0x190 [ 1049.421868] ? ipip_gro_receive+0x100/0x100 [ 1049.426201] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1049.431727] ? security_socket_sendmsg+0x94/0xc0 [ 1049.436476] ? ipip_gro_receive+0x100/0x100 [ 1049.440787] sock_sendmsg+0xd5/0x120 [ 1049.444491] __sys_sendto+0x3d7/0x670 [ 1049.448293] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1049.452954] ? wait_for_completion+0x870/0x870 [ 1049.457527] ? __lock_is_held+0xb5/0x140 [ 1049.461586] ? __sb_end_write+0xac/0xe0 [ 1049.465552] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1049.471075] ? fput+0x130/0x1a0 [ 1049.474350] ? ksys_write+0x1a6/0x250 [ 1049.478143] ? __ia32_sys_read+0xb0/0xb0 [ 1049.482194] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1049.487723] __x64_sys_sendto+0xe1/0x1a0 [ 1049.491771] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1049.496781] do_syscall_64+0x1b1/0x800 [ 1049.500663] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1049.505585] ? syscall_return_slowpath+0x30f/0x5c0 [ 1049.510506] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1049.515861] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1049.520698] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1049.525884] RIP: 0033:0x4559f9 [ 1049.529056] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1049.548294] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1049.556018] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1049.563274] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1049.570528] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1049.577784] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 05:00:53 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x8) [ 1049.585044] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000012 [ 1049.605727] binder: 28563:28564 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1049.608188] binder: 28557:28565 unknown command 64 05:00:53 executing program 7: r0 = socket$inet6(0xa, 0x80004, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f00000000c0)={0x2, &(0x7f0000000040)=[{0xb1}, {0x6}]}, 0x10) ioctl(r0, 0x4, &(0x7f0000000100)="ed2342683f3eb86e414a2bc102b5805def01eb647ef9cc6b7c2b2add5860a980f5c821df82702178752356c557629d8e635becdca04d3d774df20300c15e50a6d1d589ab1bb5c1aae31130e72a7a08e8c17c71e875138f96e9e6b373d4db776c142a43efcb03a627a013e308706bda667543862a47b6e938f3f9379354d2a23208d3000f56d89df5565016cae8316654b84548ef87fc8b71cf80bf9f615ca70ff2bc6f9c04c86d96") 05:00:53 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xc}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1049.644347] binder: 28563:28564 BC_FREE_BUFFER u0000000000000000 no match 05:00:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x300000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1049.711936] binder: 28557:28565 ioctl c0306201 2000dfd0 returned -22 05:00:53 executing program 4: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'vmac(des3_ede-asm)\x00'}, 0x46) openat$md(0xffffffffffffff9c, &(0x7f0000000080)='/dev/md0\x00', 0x301080, 0x0) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000000)="d38c27191a01002356ba602dff05000b5a38bc1c60e7be1325655b1471d7b71418d6b1780a58bd35044d374089403d2284ab569ebee9961b6f2c3c82e69a7c4f760500b9b43c0c8f94953534185b2459b46d3f296c640b44266fe39d28dcf6a284d61ba431be770e75b28637", 0x6c) 05:00:53 executing program 6: open$dir(&(0x7f0000000040)='./file0\x00', 0x82080, 0x108) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82) ioctl$LOOP_CTL_REMOVE(r0, 0x4c81, r2) r3 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) setsockopt$inet6_MRT6_ADD_MFC_PROXY(r0, 0x29, 0xd2, &(0x7f0000000240)={{0xa, 0x4e24, 0x6, @mcast1={0xff, 0x1, [], 0x1}, 0x9}, {0xa, 0x4e21, 0x9, @loopback={0x0, 0x1}, 0x4}, 0x2, [0x1, 0x100, 0x1, 0x1, 0x7fff, 0xdc, 0x1000, 0x20]}, 0x5c) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:00:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0x0, 0x802) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$inet_sctp6_SCTP_ASSOCINFO(r1, 0x84, 0x1, &(0x7f0000000040)={0x0, 0x1ff, 0xfff, 0x2, 0xd5, 0x9}, &(0x7f0000000080)=0x14) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffff9c, 0x0, 0x10, &(0x7f00000002c0)={{{@in6, @in6=@ipv4={[], [], @multicast1}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@loopback}}, &(0x7f00000003c0)=0xe8) recvfrom$packet(r1, &(0x7f00000001c0)=""/58, 0x3a, 0x40, &(0x7f0000000400)={0x11, 0x15, r3, 0x1, 0xe3ad, 0x6, @remote={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xbb}}, 0x14) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f00000000c0)={r2, 0x1, 0x20}, 0xc) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:53 executing program 7: syz_open_dev$usbmon(&(0x7f0000000100)='/dev/usbmon#\x00', 0x0, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) mbind(&(0x7f000006b000/0x800000)=nil, 0x800000, 0x0, &(0x7f00008a0000), 0x1, 0x2) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) sendto$inet6(r0, &(0x7f0000000100), 0x0, 0x20000004, &(0x7f000031e000)={0xa, 0x4e22}, 0x1c) r1 = socket$inet(0x10, 0x3, 0x4) sendmsg(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f000000d000)=[{&(0x7f0000008000)="4c0000001200ff09fffefd956fa283b724a6008000004e22000000683540150024001d001fc41180b598bc593ab6821148a730de33a49868c62b2ca654a6613b6aabf35d0f1cbc882b079881", 0x4c}], 0x1}, 0x0) r2 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rfkill\x00', 0x80200, 0x0) ioctl$TIOCLINUX7(r2, 0x541c, &(0x7f0000000040)={0x7, 0x2}) getsockopt$IP_VS_SO_GET_SERVICES(r1, 0x0, 0x482, &(0x7f00000001c0)=""/229, &(0x7f00000000c0)=0xe5) ioctl$KDGETLED(r2, 0x4b31, &(0x7f0000000080)) 05:00:53 executing program 1 (fault-call:4 fault-nth:19): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1049.828918] binder: 28598:28600 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1049.858894] binder: 28601:28604 ERROR: BC_REGISTER_LOOPER called without request 05:00:53 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1e00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1049.882143] binder: 28598:28600 BC_FREE_BUFFER u0000000000000000 no match [ 1049.903520] binder: 28601:28604 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1049.911792] binder: 28601:28604 unknown command 0 [ 1049.929228] binder: 28601:28604 ioctl c0306201 2000dfd0 returned -22 [ 1049.949151] FAULT_INJECTION: forcing a failure. [ 1049.949151] name failslab, interval 1, probability 0, space 0, times 0 [ 1049.960473] CPU: 0 PID: 28614 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1049.967427] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1049.976795] Call Trace: 05:00:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r2 = syz_open_dev$audion(&(0x7f00000001c0)='/dev/audio#\x00', 0x401, 0x44002) ioctl$KDMKTONE(r1, 0x4b30, 0x100000000) r3 = syz_genetlink_get_family_id$fou(&(0x7f0000000240)='fou\x00') sendmsg$FOU_CMD_ADD(r2, &(0x7f0000000300)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f00000002c0)={&(0x7f0000000280)=ANY=[@ANYBLOB, @ANYRES16=r3, @ANYBLOB="000429bd7000fddbdf2501000000040005000800030000000000080002000a00000004000500"], 0x2c}, 0x1, 0x0, 0x0, 0x4000800}, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x1c, 0x0, &(0x7f0000000440)=ANY=[@ANYPTR64=&(0x7f0000000340)=ANY=[@ANYRES32, @ANYRES32=r2], @ANYRES64=r0, @ANYPTR64=&(0x7f00000003c0)=ANY=[@ANYRES16=r2, @ANYBLOB="9f2d2f045cd4b9358e5bc5837307239ed67c53f687cbda8c8f49a3fad868a72c76fe5d7a0a17c4ea5d7627da9a16d441f2f9875d73919dd057611a9d2e611793840172b3d41e4945f6c9a530e413906d", @ANYPTR64=&(0x7f0000000380)=ANY=[@ANYPTR, @ANYBLOB="02673d27c7", @ANYRES64=r3, @ANYPTR, @ANYBLOB="f485d3", @ANYRES64, @ANYRES64=r2, @ANYRES16=r3, @ANYPTR]], @ANYRES32=r1], 0x0, 0x0, &(0x7f0000008f37)}) r4 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000080)={0x73, 0x79, 0x7a, 0x3}, 0x0, 0x0, 0xfffffffffffffff9) r5 = add_key$keyring(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000180)={0x73, 0x79, 0x7a, 0x3}, 0x0, 0x0, 0xfffffffffffffffc) keyctl$link(0x8, r4, r5) [ 1049.979411] dump_stack+0x1b9/0x294 [ 1049.983060] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1049.988267] ? unwind_get_return_address+0x61/0xa0 [ 1049.993212] ? graph_lock+0x170/0x170 [ 1049.994370] binder: 28598:28600 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1049.997027] should_fail.cold.4+0xa/0x1a [ 1049.997048] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1049.997070] ? __lock_is_held+0xb5/0x140 [ 1050.013526] binder: 28598:28600 BC_FREE_BUFFER u0000000000000000 no match [ 1050.017362] ? __kmalloc_node_track_caller+0x47/0x70 05:00:53 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xffffff3f}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1050.017386] ? graph_lock+0x170/0x170 [ 1050.017407] ? __x64_sys_sendto+0xe1/0x1a0 [ 1050.017426] ? find_held_lock+0x36/0x1c0 [ 1050.017450] ? __lock_is_held+0xb5/0x140 [ 1050.017464] ? tcf_proto_lookup_ops+0x70/0x110 [ 1050.017487] ? check_same_owner+0x320/0x320 [ 1050.026231] ALSA: seq fatal error: cannot create timer (-22) [ 1050.029509] ? rcu_note_context_switch+0x710/0x710 [ 1050.029527] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1050.029549] __should_failslab+0x124/0x180 [ 1050.029568] should_failslab+0x9/0x14 [ 1050.029583] kmem_cache_alloc_node+0x272/0x780 [ 1050.029596] ? __kmalloc_node_track_caller+0x47/0x70 [ 1050.029616] __alloc_skb+0x111/0x780 [ 1050.091956] ? skb_scrub_packet+0x580/0x580 [ 1050.096271] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1050.101801] ? ip_generic_getfrag+0x11c/0x2d0 [ 1050.106287] ? ip_reply_glue_bits+0xc0/0xc0 [ 1050.110611] ? raw_getfrag+0x15b/0x220 [ 1050.114485] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1050.119492] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1050.124499] ? raw_destroy+0x30/0x30 [ 1050.128205] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1050.133992] ? ipv4_mtu+0x375/0x580 [ 1050.137609] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1050.143054] ? lock_acquire+0x1dc/0x520 [ 1050.147015] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1050.152540] ? ip_setup_cork+0x4dc/0x7c0 [ 1050.156588] ip_append_data.part.48+0xf3/0x180 [ 1050.161156] ? raw_destroy+0x30/0x30 [ 1050.164861] ip_append_data+0x6d/0x90 [ 1050.168651] ? raw_destroy+0x30/0x30 [ 1050.172357] raw_sendmsg+0x1dae/0x29b0 [ 1050.176243] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1050.181336] ? rcu_report_qs_rnp+0x790/0x790 [ 1050.185742] ? graph_lock+0x170/0x170 [ 1050.189540] ? expand_files.part.8+0x9a0/0x9a0 [ 1050.194111] ? check_same_owner+0x320/0x320 [ 1050.198432] ? lock_downgrade+0x8e0/0x8e0 [ 1050.202586] ? lock_release+0xa10/0xa10 [ 1050.206548] ? check_same_owner+0x320/0x320 [ 1050.210858] ? __check_object_size+0x95/0x5d9 [ 1050.215343] inet_sendmsg+0x19f/0x690 [ 1050.219129] ? __might_sleep+0x95/0x190 [ 1050.223091] ? ipip_gro_receive+0x100/0x100 [ 1050.227403] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1050.232931] ? security_socket_sendmsg+0x94/0xc0 [ 1050.237678] ? ipip_gro_receive+0x100/0x100 [ 1050.241992] sock_sendmsg+0xd5/0x120 [ 1050.245702] __sys_sendto+0x3d7/0x670 [ 1050.249502] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1050.254162] ? wait_for_completion+0x870/0x870 [ 1050.258736] ? __lock_is_held+0xb5/0x140 [ 1050.262794] ? __sb_end_write+0xac/0xe0 [ 1050.266760] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1050.272283] ? fput+0x130/0x1a0 [ 1050.275552] ? ksys_write+0x1a6/0x250 [ 1050.279341] ? __ia32_sys_read+0xb0/0xb0 [ 1050.283391] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1050.288918] __x64_sys_sendto+0xe1/0x1a0 [ 1050.292968] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1050.297974] do_syscall_64+0x1b1/0x800 [ 1050.301847] ? finish_task_switch+0x1ca/0x840 [ 1050.306335] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1050.311251] ? syscall_return_slowpath+0x30f/0x5c0 [ 1050.316173] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1050.321525] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1050.326357] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1050.331533] RIP: 0033:0x4559f9 [ 1050.334705] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1050.353945] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1050.361642] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1050.368897] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1050.376152] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1050.383406] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1050.390661] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000013 05:00:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x2000000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:54 executing program 7: r0 = epoll_create1(0x0) fcntl$lock(r0, 0x7, &(0x7f0000000080)) socketpair$inet_udplite(0x2, 0x2, 0x88, &(0x7f0000000040)={0xffffffffffffffff}) r2 = memfd_create(&(0x7f0000000140)='\'\x00', 0x1) getsockname$ax25(r2, &(0x7f0000000180), &(0x7f00000001c0)=0x10) setsockopt$IP_VS_SO_SET_DEL(r1, 0x0, 0x484, &(0x7f0000000100)={0x0, @remote={0xac, 0x14, 0x14, 0xbb}, 0x4e24, 0x1, 'lblc\x00', 0x2, 0x9, 0x16}, 0x2c) fcntl$lock(r0, 0x25, &(0x7f00000000c0)) fcntl$lock(r0, 0x7, &(0x7f0000000000)) 05:00:54 executing program 1 (fault-call:4 fault-nth:20): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:54 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4000000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:54 executing program 4: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000200)='/dev/ptmx\x00', 0x0, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000140)=0x3) ioctl$TIOCCONS(r0, 0x541d) ioctl$FIONREAD(r0, 0x541b, &(0x7f0000000040)) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000240)={0x1f, 0x9c0, 0x1003, 'queue0\x00', 0x2}) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/snat_reroute\x00', 0x2, 0x0) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, &(0x7f0000000080)={[{0x2, 0x9, 0x2, 0x7f, 0xfffffffffffffffd, 0x5, 0x8, 0x2, 0x8, 0x8, 0xfffffffffffffff7, 0x81}, {0x9, 0x51, 0x2, 0x4d, 0x1ff, 0x972, 0x6, 0x7, 0x8, 0x1f, 0x5, 0x0, 0x1fe}, {0x81, 0x6, 0x0, 0x81, 0x3, 0x8, 0x80000000, 0x101, 0x6, 0x8, 0x8, 0x5, 0x2}], 0x1a}) 05:00:54 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf5ffffff}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:54 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4400008911, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) getsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000040)={0x0, 0x101, 0xfff, 0x5674}, &(0x7f0000000140)=0x10) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000001c0)=@assoc_value={r4, 0x8}, &(0x7f0000000240)=0x8) readv(r2, &(0x7f0000000080)=[{&(0x7f0000000600)=""/242, 0xf2}], 0x1) 05:00:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) r2 = syz_open_dev$loop(&(0x7f0000000080)='/dev/loop#\x00', 0x2, 0x800) syz_open_dev$loop(&(0x7f00000000c0)='/dev/loop#\x00', 0x5, 0x800) ioctl$LOOP_SET_BLOCK_SIZE(r2, 0x4c09, 0x2) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) r3 = syz_open_dev$dmmidi(&(0x7f0000000180)='/dev/dmmidi#\x00', 0x0, 0x200) ioctl$ASHMEM_PURGE_ALL_CACHES(r3, 0x770a, 0x0) r4 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x3, 0x10000) syz_open_pts(r4, 0x101000) [ 1050.530705] ALSA: seq fatal error: cannot create timer (-22) [ 1050.603545] binder: 28640:28646 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1050.622536] binder: 28640:28646 BC_FREE_BUFFER u0000000000000000 no match [ 1050.626766] binder: 28644:28645 ERROR: BC_REGISTER_LOOPER called without request [ 1050.638747] FAULT_INJECTION: forcing a failure. [ 1050.638747] name failslab, interval 1, probability 0, space 0, times 0 [ 1050.650042] CPU: 1 PID: 28643 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1050.656980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1050.666343] Call Trace: [ 1050.668932] dump_stack+0x1b9/0x294 [ 1050.672551] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1050.677734] ? is_bpf_text_address+0xd7/0x170 [ 1050.682220] ? kernel_text_address+0x79/0xf0 [ 1050.686615] ? __unwind_start+0x166/0x330 [ 1050.690754] should_fail.cold.4+0xa/0x1a [ 1050.694805] ? __save_stack_trace+0x7e/0xd0 [ 1050.699116] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1050.704216] ? graph_lock+0x170/0x170 [ 1050.708004] ? save_stack+0x43/0xd0 [ 1050.711615] ? kasan_kmalloc+0xc4/0xe0 [ 1050.715490] ? kasan_slab_alloc+0x12/0x20 [ 1050.719632] ? find_held_lock+0x36/0x1c0 [ 1050.723690] ? __lock_is_held+0xb5/0x140 [ 1050.727753] ? check_same_owner+0x320/0x320 [ 1050.732065] ? rcu_note_context_switch+0x710/0x710 [ 1050.736988] __should_failslab+0x124/0x180 [ 1050.741214] should_failslab+0x9/0x14 [ 1050.745000] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1050.750103] __kmalloc_node_track_caller+0x33/0x70 [ 1050.755022] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1050.759794] __alloc_skb+0x14d/0x780 [ 1050.763498] ? skb_scrub_packet+0x580/0x580 [ 1050.767813] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1050.773338] ? ip_generic_getfrag+0x11c/0x2d0 [ 1050.777825] ? ip_reply_glue_bits+0xc0/0xc0 [ 1050.782141] ? raw_getfrag+0x15b/0x220 [ 1050.786015] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1050.791025] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1050.796033] ? raw_destroy+0x30/0x30 [ 1050.799744] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1050.805534] ? ipv4_mtu+0x375/0x580 [ 1050.809152] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1050.814598] ? lock_acquire+0x1dc/0x520 [ 1050.818563] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1050.824104] ? ip_setup_cork+0x4dc/0x7c0 [ 1050.828157] ip_append_data.part.48+0xf3/0x180 [ 1050.832735] ? raw_destroy+0x30/0x30 [ 1050.836438] ip_append_data+0x6d/0x90 [ 1050.840225] ? raw_destroy+0x30/0x30 [ 1050.843927] raw_sendmsg+0x1dae/0x29b0 [ 1050.847812] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1050.852904] ? rcu_report_qs_rnp+0x790/0x790 [ 1050.857304] ? graph_lock+0x170/0x170 [ 1050.861116] ? expand_files.part.8+0x9a0/0x9a0 [ 1050.865686] ? check_same_owner+0x320/0x320 [ 1050.870005] ? lock_downgrade+0x8e0/0x8e0 [ 1050.874140] ? lock_release+0xa10/0xa10 [ 1050.878100] ? check_same_owner+0x320/0x320 [ 1050.882409] ? __check_object_size+0x95/0x5d9 [ 1050.886895] inet_sendmsg+0x19f/0x690 [ 1050.890683] ? __might_sleep+0x95/0x190 [ 1050.894645] ? ipip_gro_receive+0x100/0x100 [ 1050.898955] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1050.904483] ? security_socket_sendmsg+0x94/0xc0 [ 1050.909251] ? ipip_gro_receive+0x100/0x100 [ 1050.913560] sock_sendmsg+0xd5/0x120 [ 1050.917261] __sys_sendto+0x3d7/0x670 [ 1050.921051] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1050.925711] ? wait_for_completion+0x870/0x870 [ 1050.930283] ? __lock_is_held+0xb5/0x140 [ 1050.934339] ? __sb_end_write+0xac/0xe0 [ 1050.938304] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1050.943829] ? fput+0x130/0x1a0 [ 1050.947098] ? ksys_write+0x1a6/0x250 [ 1050.950888] ? __ia32_sys_read+0xb0/0xb0 [ 1050.954934] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1050.960461] __x64_sys_sendto+0xe1/0x1a0 [ 1050.964510] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1050.969516] do_syscall_64+0x1b1/0x800 [ 1050.973388] ? finish_task_switch+0x1ca/0x840 [ 1050.977872] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1050.982791] ? syscall_return_slowpath+0x30f/0x5c0 [ 1050.987711] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1050.993066] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1050.997901] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1051.003078] RIP: 0033:0x4559f9 [ 1051.006248] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1051.025489] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1051.033185] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1051.040439] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1051.047696] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:00:54 executing program 4: shmctl$SHM_INFO(0x0, 0xf, &(0x7f0000000000)=""/83) r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero\x00', 0x20100, 0x0) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f00000000c0)={0x0, 0x1000, "785cbc981b1c90697b35f6c0e0a65b00715af48ecda6d3cb1a20f20f3f9b6a28a949aa7f10005fb1ab355c54281ccc52cdfbf7251af5229eb1fb928bea1af0d2347e183a80fea96d8bc2a259a4730996d6286404431f93ed0b53e72df5eaecefde48df3e00aab9c5a27f5b6e121cdce24e106d615cf0cf585aa6c7654e4f7fdf2d74dabbee8125936aad13b0c180bdb4e2c842b2f4ff9f5f1f5a48b4cd4d603f9031292d92a5af1444b624f2a374e23b73da5b95766900450b012408e3ed0130c9456e7f921f84994c847e9173137a6cff870fcfe958c2b60a4a74fc51fcf0bcd038a76fac4bc1e98c9ed7c4c343653000ac1cde43cd6541cbe8d31a87fb6281e727b1744f26c42936a636b51c55dfc93936d4ca0dcda3c846787c16161ce9c80ab0e5d3db17406a1c7a9dd9e955729b1929b8a92314571883f1c478d7ecd7a4f0d377ceed89667f69b857fde48306790bbba84c505d1483eb885ab11f25722d6d6d2ed0885454dcd82524f6ea3cb448d023976274a75418357a2cc554928b352fbfe4ff9b1ee90f776dca13a552a604d591d67b0785d70285a3ce8753013b39bebdaf42eb793ee2d5d836edc9a168d179fb5ff23412010f59a463663be5f240c1566c3d18b6b4b72162f5aaded5ef8446c6f5f521faa19101a846ed398be99104e321f25c031de2f5fe4b6663c96ea1355c219e0e9c27aa9b13c9773a8c2b18315d66697ea21a543f6e7043da2c999943bb370aaed40271f0b201737e0f4b0f1bd31bdf56834dacff2045cdb0342f38d85fed055741bd44c592c7db3e60a1e2ab68d8f0da2fc7e4c744c4539b2f679a491ffd2eaf799630c07c50d6c20a8c7ed5c854c369e1c790b8e2483a577b26e38861fbfb765c206ffdcb35639154655e927aa3a762d459ff4d91ce54e121e5593126e4fef5bebd9a0b0af8b42e9524db83eecc577ab1f263c427fd72fb5d98116122c1f3627f664a36bd062bd7b591461a5939609deed7a38fb413758218c840502eb7c92ee80f0e5ee9c743f95db41cf82081e476468e0b3f1459086df73fcb59479515f2fc623c3d3eb318b4c408fed25e8ab444bdb16b60bf056ceb1cc79ff38cf2ddd37fe8255663765430dc5d63dfb23bca29326d4ef56f447587f87b4b972ba30437193a58f6731c97c9a1f0007180ce9a50192b49e39d578b1ea391a18ec8461cbd407093cc9b5f4b4ffdb14fc1fb934d5573a3ccd7f7326d2ca2d3c5b4aa9261900ca90d0935f85e57414331936d34d712b7c63de99aa41eb804f07e874b24c6bbbaecddf1120aa640b9c5d52ca8f5d2885b3d27536208dd38340e30972b3a1db58e35deec1fd91c986e8a057f8ff34a48b75c3f6f5ab3f0688cfe616ab2bbae08f2060c1ebb7967080e4ef800352e53e818f7877c28fd6c95a06289aecf9c89694e4913af0d9cac09a831fe89098a818e30df3715732b7cba1c9682f93251bec646cc0a10c3254152de5d89f560ca0b93873709884b0d55292060a42ad5a75cc5cac36ff73b5c7e007189802eb81eff0854fc305741da80613842265c921fdd3778c3c65dad1491184abcc2fef432c5bfd895af013dde3978e897f50af905412157e4937fd96bb07c77b1ef99cf89e9e5deb9a82e4f02a99386791c9081738c18cffc8ccfb175e27f59e69ce7603bfef6839eb421b566a5d6a8530ff429d7a44c1f8cfea4a439cbe7c4b3e4f8ebeea4fe7c1fedc0345a3198be5113667a8b6aa66827590aa5bd4545cdea91dc0d591d8261f2549eed0f5b89ed677f1fe5342311a6b3029175dc2b02ba7be5787a27163b5bb20e3bac7f9809a2b992214bfced01f57b15f41b9f03324b63b1db3393efac9de95cbf2339a8591b1fadb8ad2af9f3a29695f24f8e07b3dd3d58c4acb91ea253d603845044ca75403de3c7c4ce10fb6a91396f0a5a8e456a371585e646639ae8e42386631a00aee0e9af4ff0d10544a7feeb1377910f15d64c76a745c42e748fa6d903c44ef3a8f8c3491b3cd4c0022036b01c4ae6cc4a8487ea9c5f1bc4a54419df2a273d948611fa74642d7cf93f66166b4f8001b5a387f7150a88762c18efec63f5d611656dbb8a678e8b4c7fb1a88a2822b993b172dbf0e5819b529d216da510f3afc47549364c71dc00d415d86f3ee366a89350144ec3942714b8bc7f4fcd06659a52156010ea1211b398dca5703a9e2d14c9180694a73822149545a45d35ea6fa80c088f31accd6396e19ce1b2aa0817388b42b6a71320e2e7001211eb2913bdefbb24a81567eb286036236deb67851020fc4e72a63ec6ec51455c41daa2a7ad9b8714aadbec3148d6a50daa67f2f4e7aca46dde0c69de101afb648d7bb0863721ccba30757a764c4ea289f938fe9d1560424f643278f201393cdc15fe508df2f7cb48058caae47dbc3c523c690a778d3eb955de42d3f96996f33cd1d41617a82eba799d3a7d020f10ca9883fc836c3c60878edd1fab24371775325d6b51b87725622638ecf88066f4286b6d1dfa75c1699143cf2fd233d117ffca9976236098cc4e69f8685db7bdffb904dc0b4e71aa9e653ada13f5e3fe00579658c45efad3874661d758a70db3ad7f3cadcbb63f902ced52d579c289dbbdb464fdd30748f52694142f1e263206160a12b8c4eebb889a1abede24fbdf664f77717f1ff9a23290b906f02c396011e93e4652bcf097c34c9eb95f0e8dc764dbc552ab94c3b1182155fe88feb9228b3a13ef072411a3d5c6297f986dce3f23056d45dccf3b83ee592ab88fa11540b6cf4a3847a738c0984c8510b23ca22fcbc420d63a218d91daa73e6835c7f223ea3a9c38e3cfc02a8f393ecf50eab12448d33f3e2829d686308b532f86a068c6610cd87752931b6d035ef2adabbfd795df82b8ceaf87fd249cfffe1855caa436614e113f31afe173e19a82f1f1f07e6840342bd1f3c86e4348bb04d2f6647b836f4b7f093ee2ec81b46639b93dc73e28a9054ba0a952dcaaee54a2368822ea9e8aafd38cd43cb76df18977a962f2b24e47bed3896286ca5455dbaf7bcec9360d92ff2b1de2b9be27b7fca9bf9a97655c75a72ee3a487a75f3fd0542deb0cdbf05d4677a705559cdaeaa3630ca69b1e9c098c4c24db3037ce9291ead1950059f6a05929da3043554ca3eba79d5ece680291fc2c8b13e94fe55b1f6030ec9e6dea0670d1ca3e2d16753e7f151d749fa6023de59f29b49455f74c5cf46e45cb61fd73eb5d387627c7ebe772dab862ff926a009de9ee76a3210d65cea6f73a55a455511bd4f437bafe8b625554dc5b28c30ecc558ae21348c78aa29b13202c6ef38d780acdafce7735aba4cf49e1f2a188b29be47ddd748f9b64a6178d71a63547a51dd171b9bea3c89e14809872665a56bcb6897a6c02f89d503a3ff26f11c0aa704d00c3af94b0f875f2ba16898ec3ac350dea9584e141b491aefd5d801842a5190af4e3dcaf5ac6378c2d222aa7ad95b6ad11ab757b0c9e92017eb7932accce24b3149f05e8caebc068ad4fc9f591e0c04617caa8f92ae688dd5cf197ca982e7aecd0437e4803801232f9d9bf3e7965d2c5ccc37c5e01df2e96937d9d1b2dc2313d51d5a64ec5372abd75dc8cdb130a8403e0303a08b2aab545112b6a59783f49394bd63096ae64b959eadf5834dc856f1971f20f16c44bd833a1be8aa44e4cad48688d6eb1d37357c4e06b640ade933c61b749f5d9a4fd6536f8ffd0825a68eabf745cd0708ffd9ec299c438317ecb2627d59f2040bbc7649d1298ed3d0b91b70bc7c8ac1ce46b7eeabc31e3608f28eba479d2b77803f44031f68d0cee09471c808df4d467cec269f8e7b69b47576b4e1f56948d2e8b05b58b2f64ab4c914c1f66819e7fb2327a8f1b78281a86dc1b15e3869d018bb31e409c18281e922c9e73bf7134ad61b8529d84861c8c2f2ff4a3211ab3e706ef62c0e28627c4cc1a6ac3193d74c8d1fadcc9d2f99f233939cacbbe8975b1d78693cabca846728c340aaadd2cba617d5efe4ea1edaf8938c27ad14666d6e91ae593bfd8ba1bccf7a2c68ce0ea3b303d2c39895748be32294b508a93e892420206cbbfb3b84eb12f6bdb0627bef0c01ca090e4d811b061cf15c56987a863d274919d626d6990fe8ed5d31c42fccad7da3f462abaf1eff41501195e0d95aadcf5e36f0d1afedc5e52541da1f57228a02eadaf98107ad87fae77bce300fe6a68640232698085595dd18ffc8820900f5230f729193623a1cb06a24e03a9e1eda1774f83b4cf0de839db304c6915a73632b1832911fbb2a2b6e23f61ab5d55f616ee1649009be20735cfd449ff9705f66342cd27eeed04b1ce7262d017d5c4b3efd4708cdd488a8cc9f0075e7ddf5d8f5e7bc346fc780b713c036df450c2a7d4b48c64e6dcab92847922673c66a289e51fec9bf7c6b9b2795a455c748c59a36799321c5bd01dd5e5d960eb7d8ddb698fe1073a31883490452ac43aefdfe758f8f872c756d5f6037b0ada0f5efeb45dd9f980d84af64d4dc1c5db1344ec8e340ce09c261779cb787c944262af62c79a045bb0683b33ee8562e73ce5917e583f6701452c13e6900f4a5ada17617b585ccedaf862a0f40245be8adb9cb6245dc0b0500ef85bc72cce10ded6975a59cb728d0985e3ce6d7101f149c9041cf1e2e85fae36a6c45a0888bf91c02a5be23851295de4b07f41e8517e4f8c3a2368552c9225ee4883b21d52b0fe60be813799734466224e00a85670a412a60c1c42037d5e1a129a03e315a0290368a1e0b3c2f755366cde016b63c71fb4a9170a5e815671eb0f4f5cda4ce0764674b0208ec9cd6b39940ee62dc9bcf91f132ab73b17501b66679b04ee317b02d15ecfe4cc0ba2b976577115f7c2a68db3cc54e1a5658b47f4df149723b06919b967a1a025d7ca65490dd6af6fc289aaa6df93ec424b59dc06627b27eeeb3c37925218ebb93d49ff84a2d511ecf740711a6f9f80e924bb2e436c95c50e5e93444c60aeb9f82028978a8f552316b91bc326dff0f567ef754e82edf4f1e86c4e5f439ee7a511630a888d5ce53ed4d4e0076d087c0d5be0a3ba8e5f161affc741ae4fde88c343f8647fc31c1861b9d6bf1db6a1aec12b188614bcb6a603cfb53eaa7f43f27532e939af109e3babfe95b8570c42ca4d3d08b80d434cb6df9c4d6afdee88f216a26478b9b3b9363d49dffeaee8a845c8f5527dbd40a921ec2fb75686e92671a79698a7af9629ae987cf9a2b7053e5320a774e05645da3d4dc08a471fb01b09bb832e4aaa338fd7da50d52ac45f15dc2dfac83e63986669a6cd45a8630a915c21c7acda3be44094045c7f3066fbcc42f7d2113542714bf8ab07f0734a4b2ace9e3447feb5af1bb78c135b1f581f60a59b472d2d0833b1a7cfee8e35af05888e53bd02f3d0ffeb2827df6ece359c282f66fe51cb0ccdba70cbcfe41f3be2846af865b8af7eb2f1ff0b1c4485cc8aec94ac2103a9b58ebc78df8e87e79ef34efc088c9da6909a9f851375d1a78874835fe3571a48e8e6b66395b487544918369dac868f3215f2f4ccf8c7eecbb98929ab5a6bcff79da7fb3ce95b9b8ffc0ea72a7c616996e4e08fa9c942a05c692cf543b4ab14f7c2c1312d91ad1d23a61fa71e07e29ec916c323dca9b088a9fbc8c726673dd99f36b982ebb127314c71380f366af7c83477f8a64d97708a3ec7763549983918c740a27f458235d78102c5cbb10e0374caac99e361f06ead7d2617a00b7303bf8ef294c4b3da3d7c74d8bfc000ca72119377160a6017927839db8f9875d19e"}, &(0x7f0000001100)=0x1008) socketpair$inet6_udplite(0xa, 0x2, 0x88, &(0x7f00000011c0)) getsockopt$inet_sctp_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000001140)={r1, 0x2, 0x400000000000000, 0x2, 0x6, 0x3}, &(0x7f0000001180)=0x14) [ 1051.054951] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1051.062203] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000014 [ 1051.072411] binder: 28640:28646 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1051.090606] binder: 28640:28646 BC_FREE_BUFFER u0000000000000000 no match 05:00:54 executing program 7: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket(0x1, 0x1, 0x0) shutdown(r1, 0x0) ioctl$PERF_EVENT_IOC_RESET(r0, 0x2403, 0x20) [ 1051.100373] binder: 28644:28645 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1051.108668] binder: 28644:28645 unknown command 0 [ 1051.125369] binder: 28644:28645 ioctl c0306201 2000dfd0 returned -22 [ 1051.491198] ALSA: seq fatal error: cannot create timer (-22) 05:00:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) getsockopt$inet_sctp_SCTP_MAXSEG(0xffffffffffffffff, 0x84, 0xd, &(0x7f0000000240)=@assoc_value={0x0, 0x40ea}, &(0x7f0000000280)=0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f00000002c0)={r2, 0x100, 0x10}, &(0x7f0000000300)=0xc) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="0c840000"], 0x0, 0x0, &(0x7f0000008f37)}) r3 = dup(r0) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080)='IPVS\x00') sendmsg$IPVS_CMD_GET_DEST(r3, &(0x7f0000000200)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4080}, 0xc, &(0x7f00000000c0)={&(0x7f0000000180)={0x60, r4, 0x100, 0x70bd27, 0x25dfdbfb, {0x8}, [@IPVS_CMD_ATTR_DAEMON={0x28, 0x3, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'ipddp0\x00'}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x100000001}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x7fff}]}, @IPVS_CMD_ATTR_SERVICE={0x24, 0x1, [@IPVS_SVC_ATTR_FLAGS={0xc, 0x7, {0x3c, 0x8}}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3}]}]}, 0x60}, 0x1, 0x0, 0x0, 0x400c004}, 0x40) setsockopt$inet_sctp_SCTP_RECVRCVINFO(r3, 0x84, 0x20, &(0x7f0000000340)=0x9, 0x4) 05:00:55 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1200}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:55 executing program 4: r0 = socket$inet6(0xa, 0x803, 0x80) ioctl(r0, 0x8912, &(0x7f0000000080)="0047fc2f07d82c99240970") r1 = syz_open_dev$sndpcmc(&(0x7f0000004fee)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) link(&(0x7f0000000200)='./bus\x00', &(0x7f0000000240)='./bus\x00') r2 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) getsockopt$inet_sctp_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f0000000480)=ANY=[@ANYRES32=0x0, @ANYBLOB="9a0000008792797f814adcad1e6b769ee5c30860fddd2c2765752fe8eaf45c109aab0d635a0279f71a859884ba197ed72bbd7585742019937c4fc71028eee8dce031e0c75e6a5117c27cd88e874119eb5983e3cb0f87d730217ab5cd4441204dfa8f336380e1a923b196f567885c8fa24e6ac1816b9f04b06840d4ee9beefa92b1752bdd7fb02e5c3adc446debba3c7e7852c33ac77fc424ed0aa22e00000020000000000000000000000000"], &(0x7f0000000000)=0xa2) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000040)={r3, 0x2}, &(0x7f00000000c0)=0x8) mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x800002, 0x11, r2, 0x0) write$binfmt_aout(r2, &(0x7f0000000400)=ANY=[@ANYBLOB="a7fbb200142a1045d627072cbe0ef3fc85dc7732a0eb7da7b9ac9499c5f5f33b7717f21f9a084a2609bf600d02c291e7cea9bfc49391b37caf8d6586967aeb43b09e012f73ca68c2d40ec12f154998c3533a4f2cd91cd11f"], 0x1) getresuid(&(0x7f00000002c0)=0x0, &(0x7f0000000300), &(0x7f0000000340)) fstat(r2, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) fchownat(r1, &(0x7f0000000280)='./bus\x00', r4, r5, 0x400) ioctl(r1, 0xc0884113, &(0x7f0000001f64)) 05:00:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x2000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:55 executing program 1 (fault-call:4 fault-nth:21): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:55 executing program 7: mkdir(&(0x7f0000fd5ff8)='./file0\x00', 0x0) mount(&(0x7f0000018000)='./file0\x00', &(0x7f0000027000)='./file0\x00', &(0x7f0000018ffa)='ramfs\x00', 0x50, &(0x7f0000000000)) r0 = creat(&(0x7f0000df1000)='./file0/bus\x00', 0x6857b21ff1155d93) fcntl$lock(r0, 0x7, &(0x7f0000027000)={0x1}) ftruncate(r0, 0x0) 05:00:55 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x48000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:55 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) socket$inet6_sctp(0xa, 0x1, 0x84) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x1) r3 = socket$inet6(0xa, 0x1, 0x0) syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x200) r4 = syz_open_dev$midi(&(0x7f0000000040)='/dev/midi#\x00', 0x1, 0x400) socket$pptp(0x18, 0x1, 0x2) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TIOCGSID(r4, 0x5429, &(0x7f00000001c0)=0x0) setsockopt$inet6_tcp_int(r3, 0x6, 0xc, &(0x7f0000000280)=0x7, 0x4) syz_open_procfs(r5, &(0x7f0000000240)='net/unix\x00') ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1051.659576] ALSA: seq fatal error: cannot create timer (-22) [ 1051.701038] binder: 28683:28684 ERROR: BC_REGISTER_LOOPER called without request [ 1051.715843] FAULT_INJECTION: forcing a failure. [ 1051.715843] name failslab, interval 1, probability 0, space 0, times 0 [ 1051.727166] CPU: 0 PID: 28687 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1051.734109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1051.738160] binder: 28683:28684 unknown command 33804 [ 1051.743466] Call Trace: 05:00:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) getsockopt$inet6_mtu(r1, 0x29, 0x17, &(0x7f0000000040), &(0x7f0000000080)=0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="deff8217e800001e556a"], 0x0, 0x0, &(0x7f0000008f37)}) [ 1051.743496] dump_stack+0x1b9/0x294 [ 1051.743518] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1051.743537] ? unwind_get_return_address+0x61/0xa0 [ 1051.743558] ? graph_lock+0x170/0x170 [ 1051.752775] binder: 28683:28684 ioctl c0306201 2000dfd0 returned -22 [ 1051.754945] should_fail.cold.4+0xa/0x1a [ 1051.754968] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1051.754988] ? __lock_is_held+0xb5/0x140 [ 1051.755007] ? __kmalloc_node_track_caller+0x47/0x70 [ 1051.778055] binder: 28691:28692 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1051.779424] ? graph_lock+0x170/0x170 [ 1051.779445] ? __x64_sys_sendto+0xe1/0x1a0 [ 1051.779468] ? find_held_lock+0x36/0x1c0 [ 1051.795324] binder: 28691:28692 BC_FREE_BUFFER u0000000000000000 no match [ 1051.800720] ? __lock_is_held+0xb5/0x140 [ 1051.800750] ? check_same_owner+0x320/0x320 [ 1051.800769] ? rcu_note_context_switch+0x710/0x710 [ 1051.800783] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1051.800802] __should_failslab+0x124/0x180 [ 1051.817357] binder: 28691:28692 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7400, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1051.819794] should_failslab+0x9/0x14 [ 1051.819812] kmem_cache_alloc_node+0x272/0x780 [ 1051.819828] ? __kmalloc_node_track_caller+0x47/0x70 [ 1051.819851] __alloc_skb+0x111/0x780 [ 1051.819869] ? skb_scrub_packet+0x580/0x580 [ 1051.819885] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1051.819905] ? ip_generic_getfrag+0x11c/0x2d0 [ 1051.827753] binder: 28691:28692 BC_FREE_BUFFER u0000000000000000 no match [ 1051.828274] ? ip_reply_glue_bits+0xc0/0xc0 [ 1051.828303] ? raw_getfrag+0x15b/0x220 05:00:55 executing program 5: r0 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000240)='/dev/sequencer\x00', 0x2, 0x0) getsockopt$ARPT_SO_GET_INFO(r0, 0x0, 0x60, &(0x7f0000000280)={'filter\x00'}, &(0x7f0000000300)=0x44) r1 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") sendmsg$nl_generic(r1, &(0x7f00000000c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0xa000000}, 0xc, &(0x7f0000000080)={&(0x7f0000000180)={0xc0, 0x37, 0x104, 0x70bd25, 0x25dfdbfd, {0x12}, [@generic="5732b978ad5be58c6bde9f4f933984b4cbc3b214f78af1b2dd89f72860891dd02c848aab020c9779059ae8f44ca260066cc0a4daba1b377104af71afa2877d52576ca0725603c5c04aff38c7b7ae0934d968622a03b56c90f65a27fd66769dc7d8cc9e6386eae0c0840a10da2d2d54a3c590ac7264d5f3c2591fb466b8b7b354912921c58d1c5c4f440a330a0cd63fabc1b74c47d1afefe49636553bde504238abe26fb839cd9df184"]}, 0xc0}, 0x1, 0x0, 0x0, 0x40}, 0x800) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="8000002e"], 0x0, 0x0, &(0x7f0000008f37)}) [ 1051.834983] binder: 28702:28703 ERROR: BC_REGISTER_LOOPER called without request [ 1051.838491] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1051.838516] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1051.838541] ? raw_destroy+0x30/0x30 [ 1051.838568] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1051.838586] ? ipv4_mtu+0x375/0x580 [ 1051.838606] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1051.855116] binder: 28702:28703 unknown command 394461150 [ 1051.858116] ? lock_acquire+0x1dc/0x520 [ 1051.858137] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1051.858154] ? ip_setup_cork+0x4dc/0x7c0 05:00:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x74, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1051.858174] ip_append_data.part.48+0xf3/0x180 [ 1051.858197] ? raw_destroy+0x30/0x30 [ 1051.869338] binder: 28702:28703 ioctl c0306201 2000dfd0 returned -22 [ 1051.871314] ip_append_data+0x6d/0x90 [ 1051.871334] ? raw_destroy+0x30/0x30 [ 1051.871355] raw_sendmsg+0x1dae/0x29b0 [ 1051.871388] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1051.871404] ? rcu_report_qs_rnp+0x790/0x790 [ 1051.871427] ? graph_lock+0x170/0x170 [ 1051.892298] binder: 28704:28705 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1051.892661] ? expand_files.part.8+0x9a0/0x9a0 [ 1051.892674] ? check_same_owner+0x320/0x320 [ 1051.892701] ? lock_downgrade+0x8e0/0x8e0 [ 1051.896923] binder: 28704:28705 BC_FREE_BUFFER u0000000000000000 no match [ 1051.904122] ? lock_release+0xa10/0xa10 [ 1051.904138] ? check_same_owner+0x320/0x320 [ 1051.904156] ? __check_object_size+0x95/0x5d9 [ 1051.904180] inet_sendmsg+0x19f/0x690 [ 1051.904194] ? __might_sleep+0x95/0x190 [ 1051.904211] ? ipip_gro_receive+0x100/0x100 [ 1051.904231] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1051.904252] ? security_socket_sendmsg+0x94/0xc0 [ 1051.926120] binder: 28704:28705 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1051.927361] ? ipip_gro_receive+0x100/0x100 [ 1051.927380] sock_sendmsg+0xd5/0x120 [ 1051.927397] __sys_sendto+0x3d7/0x670 [ 1051.927415] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1051.927435] ? wait_for_completion+0x870/0x870 [ 1051.927455] ? __lock_is_held+0xb5/0x140 [ 1051.934851] binder: 28704:28705 BC_FREE_BUFFER u0000000000000000 no match [ 1051.938437] ? __sb_end_write+0xac/0xe0 [ 1051.938461] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1051.938475] ? fput+0x130/0x1a0 [ 1051.938494] ? ksys_write+0x1a6/0x250 [ 1051.938515] ? __ia32_sys_read+0xb0/0xb0 [ 1051.938533] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1051.938554] __x64_sys_sendto+0xe1/0x1a0 [ 1051.975541] binder: 28707:28708 ERROR: BC_REGISTER_LOOPER called without request [ 1051.978220] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1051.978243] do_syscall_64+0x1b1/0x800 [ 1051.978259] ? finish_task_switch+0x1ca/0x840 [ 1051.978278] ? syscall_return_slowpath+0x5c0/0x5c0 05:00:55 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x2}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:55 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x2000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:55 executing program 1 (fault-call:4 fault-nth:22): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1051.978297] ? syscall_return_slowpath+0x30f/0x5c0 [ 1051.978324] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1051.984407] binder: 28707:28708 unknown command 771752064 [ 1051.987845] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1051.987869] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1051.987882] RIP: 0033:0x4559f9 [ 1051.987886] Code: 1d ba fb ff c3 66 2e 0f 1f 84 [ 1052.007294] binder: 28709:28710 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1052.007518] 00 00 00 00 00 66 [ 1052.012007] binder: 28707:28708 ioctl c0306201 2000dfd0 returned -22 [ 1052.018597] 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 [ 1052.023098] binder: 28709:28710 BC_FREE_BUFFER u0000000000000000 no match [ 1052.027163] f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1052.027253] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1052.027268] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1052.027281] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1052.053582] binder: 28709:28710 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1052.054085] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1052.054095] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1052.054103] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000015 [ 1052.152117] binder: 28707:28720 ERROR: BC_REGISTER_LOOPER called without request [ 1052.300705] FAULT_INJECTION: forcing a failure. [ 1052.300705] name failslab, interval 1, probability 0, space 0, times 0 [ 1052.308138] binder: 28709:28710 BC_FREE_BUFFER u0000000000000000 no match [ 1052.312970] CPU: 1 PID: 28727 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1052.326831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1052.336193] Call Trace: [ 1052.338798] dump_stack+0x1b9/0x294 [ 1052.342439] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1052.347651] ? is_bpf_text_address+0xd7/0x170 [ 1052.352169] ? kernel_text_address+0x79/0xf0 [ 1052.356592] ? __unwind_start+0x166/0x330 [ 1052.360762] should_fail.cold.4+0xa/0x1a [ 1052.364836] ? __save_stack_trace+0x7e/0xd0 [ 1052.369172] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1052.374275] ? graph_lock+0x170/0x170 [ 1052.378068] ? save_stack+0x43/0xd0 [ 1052.381685] ? kasan_kmalloc+0xc4/0xe0 [ 1052.385563] ? kasan_slab_alloc+0x12/0x20 [ 1052.389702] ? find_held_lock+0x36/0x1c0 [ 1052.393755] ? __lock_is_held+0xb5/0x140 [ 1052.397814] ? check_same_owner+0x320/0x320 [ 1052.402123] ? rcu_note_context_switch+0x710/0x710 [ 1052.407050] __should_failslab+0x124/0x180 [ 1052.411274] should_failslab+0x9/0x14 [ 1052.415064] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1052.420161] __kmalloc_node_track_caller+0x33/0x70 [ 1052.425082] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1052.429827] __alloc_skb+0x14d/0x780 [ 1052.433542] ? skb_scrub_packet+0x580/0x580 [ 1052.437851] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1052.443378] ? ip_generic_getfrag+0x11c/0x2d0 [ 1052.447865] ? ip_reply_glue_bits+0xc0/0xc0 [ 1052.452180] ? raw_getfrag+0x15b/0x220 [ 1052.456063] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1052.461079] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1052.466092] ? raw_destroy+0x30/0x30 [ 1052.469802] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1052.475590] ? ipv4_mtu+0x375/0x580 [ 1052.479204] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1052.484651] ? lock_acquire+0x1dc/0x520 [ 1052.488615] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1052.494728] ? ip_setup_cork+0x4dc/0x7c0 [ 1052.498782] ip_append_data.part.48+0xf3/0x180 [ 1052.503353] ? raw_destroy+0x30/0x30 [ 1052.507075] ip_append_data+0x6d/0x90 [ 1052.510863] ? raw_destroy+0x30/0x30 [ 1052.514576] raw_sendmsg+0x1dae/0x29b0 [ 1052.518463] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1052.523558] ? rcu_report_qs_rnp+0x790/0x790 [ 1052.527961] ? graph_lock+0x170/0x170 [ 1052.531754] ? expand_files.part.8+0x9a0/0x9a0 [ 1052.536321] ? check_same_owner+0x320/0x320 [ 1052.540642] ? lock_downgrade+0x8e0/0x8e0 [ 1052.544808] ? lock_release+0xa10/0xa10 [ 1052.548774] ? check_same_owner+0x320/0x320 [ 1052.553084] ? __check_object_size+0x95/0x5d9 [ 1052.557571] inet_sendmsg+0x19f/0x690 [ 1052.561359] ? __might_sleep+0x95/0x190 [ 1052.565321] ? ipip_gro_receive+0x100/0x100 [ 1052.569636] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1052.575161] ? security_socket_sendmsg+0x94/0xc0 [ 1052.579903] ? ipip_gro_receive+0x100/0x100 [ 1052.584214] sock_sendmsg+0xd5/0x120 [ 1052.587919] __sys_sendto+0x3d7/0x670 [ 1052.591710] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1052.596371] ? wait_for_completion+0x870/0x870 [ 1052.600946] ? __lock_is_held+0xb5/0x140 [ 1052.605004] ? __sb_end_write+0xac/0xe0 [ 1052.608972] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1052.614511] ? fput+0x130/0x1a0 [ 1052.617791] ? ksys_write+0x1a6/0x250 [ 1052.621588] ? __ia32_sys_read+0xb0/0xb0 [ 1052.625649] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1052.631177] __x64_sys_sendto+0xe1/0x1a0 [ 1052.635225] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1052.640229] do_syscall_64+0x1b1/0x800 [ 1052.644101] ? finish_task_switch+0x1ca/0x840 [ 1052.648589] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1052.653506] ? syscall_return_slowpath+0x30f/0x5c0 [ 1052.658426] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1052.663784] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1052.668623] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1052.673799] RIP: 0033:0x4559f9 [ 1052.676974] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1052.696228] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1052.703926] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1052.711181] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1052.718442] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1052.725698] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1052.732954] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000016 [ 1052.817219] ALSA: seq fatal error: cannot create timer (-22) 05:00:56 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xff0f0000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:56 executing program 7: r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/qat_adf_ctl\x00', 0x20000, 0x0) recvfrom$ipx(r0, &(0x7f0000000040)=""/187, 0xbb, 0x100, &(0x7f0000000100)={0x4, 0xfffffffffffffffd, 0x0, "2da06b0b15e7", 0x5}, 0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000140)='/dev/audio\x00', 0x290000, 0x0) getsockopt$ARPT_SO_GET_ENTRIES(r0, 0x0, 0x61, &(0x7f0000000180)={'filter\x00', 0x4, "065bebcf"}, &(0x7f00000001c0)=0x28) getsockopt$ARPT_SO_GET_ENTRIES(r1, 0x0, 0x61, &(0x7f0000000200)={'filter\x00', 0x1000, "21bae7c01747fc8f57a85fdac9ac39029974c45b29db0be4f0ed1c807fe6c0b73c96448f657995e2a766afbd9c28deaf68f7d16b4e16aa5563da5457a01c9fe41223543a619927cce2f33e15d107ecdfb0c43159d5b7273192dc0e5de474ca1de180b9c5fcee1f7f4578d983f84b3be090a68a76a369ca6f49aca380d8210ce8a59cdd90f6edd7be33d12a6ec403a83d19289d02d5ad726bb6d0b7f3f0c525361c4b820a7ec45dda5bd0ffdd28e93e05347356693f0eb9571cc7e9cc16452aa42a07ae9dd360f64edac44fbcdfe94752fe89e7214cbba17d75db7d03cb4eb964650dc970f34ef4005758ef8600158c0aafc3eab2924ebcd47eb216e1b4b04dde2f954b7a00427ea8ded39b563e42e7de71aa650276d8f1e0a088908955d195fa7e0b5d3a6fb872f5caa360f15cf753d5e17f860f920ba135f68a6e2029768e54f2ee211821374e9d4e9b6ea82a434fa8b81232aa13fe8e7d1df8bd2747385ca425f9b3b9556029f7b1527b70ba8b83bdda511dbe8d69842850f4d5f6a0a8186f71250f3620187a3c61d6d39a592226c4c96cb4fd0a40d4b61660a22940fa4d74f71872daaa37a0f2840c5676f9d6f9c1892b301265a1f685c00b3478324843d712e1279220f05e7567fcc97477ac93c50514efeb55be6bb2f6ff9e80cf000c394e2df116e5fe4b7c1b4c4681cfcbe5b715969fd02ff69c5193e6137b6300986f27e8ea140a2caaa4be760c131ef8659c82f8539e97e1d388a8c49411f5a31d2e5d52b86935b203a29ca19e5ee5cb35b75f7005dfc3f2e5a006f843cbfc71def4e011a1b354f165fd877fdb82dea44a38c2cca1261e7c231e39e37b60ea36de71639fd349f2108ee6267cd386d3803af619e954dc95604519e4ced3fb577b43bf541ee08238234c2b8fffb2711e7e58816743905d4ccb6dde17b52e73b7f90639e71ea71696310cb7a9557574302cd9fd3829724792d26933cf936a3beac4f3db4143f02d0184213cfe9a8f2cc46e29d47d9d58cafceb5fa8220b7da19584943862e3a4e5d82d7c9e83216e6283773d2561ec30c6c45869014cd23f3747f502010298a01e948cd0f72292c33c65a106cce37d522922c483c66ca7422358489c8fa4309627ff8e30ad4cf88174fa3df51cb744740525d630797e19a569ad9e2f9bc528e1f82eb7f23cf8f57e44e0887c8eb7cbc4340111c5e4b09e6190332b827ace0e47a1699c2401f1d539b9a2d2154f1cc9a24922e4f02f6eb6062958687bb8027624c39507560fbd44bf2ff3aa50253fdb2e728dda5942b6fe1fdbe8add24b70885bb2959b69bc7a855e58b707a2be4b1ac8ba1425af2ab0667cbcac8dd1fef6ebe3c7a8bbc91b854a0325c76e81ce2c5e017e9785ad7131d3912fd5dcde9bf98cd478e37727c17ff6a5d6c4bc485ea416e0af25ade393fe264aaf5cd0ec353ed4c6dafe654bee0ea348390d40b78c2c33aa06bf8b119103560bf684a97819ae0a0f7319813aebc3351bbacfeb0ea2a4931cebe56b4026adeb78507406764349a95b5a0470524bc5c49b75359255453165f810efcb0986220b71e14579f8a377a2dfce60abb5835abdb17f8898c8057321adde823c25cdc686e62f5cbf0072a2d533d7fc25868dd00c15ebf48e20da290756e7b57aa85c080110bba1d29f3136e18e8264f3d7e0c29281fe7f33e6951811af7a2fb8b9a2a0f5e5498f9578055e1e64bbcba20bd6a683ed4f3de683eae84bc87828edd5ade958465aa00a2dd6ed0ce13aa1e3b13d70e345b0ae2e5e45de8aea204451563e77ad6a5dd0caf5307c4b2c76e132648de8749a7bdb36ce245fb01b59ad67981a8279de33fd011cf8cf1d60ac8be0c7102c9382cf64ae7df5b706d50c5e792a5cf740d7b13e632470864978f4196109c4471c4efbc8b22cd8307a7020b26d719f1e05fbe26b389457ddd2838d9dc0c22b19e647d7824c46db20c9cc0293e472222b9de009c825286c360948ac6cb3ea72c547fae06c52dbb8b717db58ad2c9e04a67676c2892329e5030a00849fa8b7a0528645f1441e6057fcfa158f9429d7887e2322b42902aeb4a35fb3181753baaa77daae871ba4e595cf0068869fbcd1798dadac45b8b99f85610c0e5d7f7efd92f2a8883905f12f6db11b7f6e14fa26673c90bf2d5e8179cece3a3d7fbbad0ed0c4d60621647289404b4506419b905c15f364304608ad35c4104278c41476831d65859ea5a17fcf4857d09bf8313852f9e3bdc258ac434977828b7fb983853ba9529d169b6d87c2c88766f89ea2fcf408eb92cbabccb4e86aacf6556e85fd5c8042673e092322c4c18b88d84319af52c68124ddcc80fa65f5e6303ce684cdcf35574757aff5d6c8cdff52f52e18add9985d3e986fe7e29625611271dfc8007864c941ebab55de685b4bfc1bef4fa82ed9acc3688b6a3dc2d8f9dcc9763b4aad32452fa3aa4df20721d5503e36553c2180315e090b461b16886a02d865ab2549a286a298a0d3d894c88db7f4c4d727db06930264290ba422664e3f9ee361ecdbe8fabd8e3f61441692df7db56c38754fafc5a91f96b7dd77e85faf00d2e4a7670398e0b36e2d8c981e10d8baa0b2ea236c76abe03eb0cf55bd55380a3cdbe376c3dc296e71860a8828026dacc30bd9c4b357bcfae76663b83e14b3ddd9d1078add7c850da7e29ad9471ac75002d61e18def9219a3b0a3f1a93deec346323e0bf7e5904f4427afef01dfcbc3d9b5fae2ac6752ff8961319464e1678470e8f217221b4ac39602213bac69fd133234d3a9f9669c52356e4e936462dce8ab8af12d348c0f39bebd7b119e2a1c5de5c5aad6cd9d025396bd0755e3e2a1efdaae940aee6c82c3f755e22d3ce9f465a86924a2aef18fc6521c4fcbd97d38d3c936d8ec82d8dd9f3a9486cfb1f6164cf330d3974590c1c71b8420ff8baf19396ccc0f320c78973313b3a9c7247e9c7359f8eb620f4b045266b27cc12f92a1e353a1fb07c1515fee5e630e03c07d9d4a71f37024bb2539c56ccf200d856623fec687119a988895ede5e59efa303831bf5796a2e1c7d41adcc1654175fe989928c6578593b7d6497c73bbbda88726379e4669c76d9a33c1c5ca085c47572a87b75c0219b587c638cca661dd5e2cdb40e17e90b842a5db4805705150a7d66bdf440b921a9bae2fda8ce4778a8aac1cf0511a36702d9556c9dc01be63da70013deac632a2ae2c42028d42e4198425e90204c1558c2d80c24609b2658f44735e1102523860aaef43004a8ba002d580893ee7c8b3c9c6874f1f5645ee70a44f5fb2bda0a7dbb6cb989b0c7beab4a31ce0a2fc9ec09e1745126937f78565125dd49c12ce1c5d858a69649e6f944bb959fb01fe30d62fbb610187a28f08b52468a4678b8090b12ea456fe2dcb8100992b8d417ac25ddc1c86f32a9f4953bd1d802b283edd920d132b45ef51cfaa3ec356fc243333f4f9cc6b12844d6770b1097ddab6eb6bf491239b6ccaa8de3ab0dec77e0543f809ae64eaf395e7331c9d513f78192e8e8f09561a7e3c12839a0ef51982e0df717d73987b30398e3d886933b88ad046935842780325961e03a1ad65aa3bc517a0b1154f157f319bee84888e659d7d82edc37cae48db85ec1bd3a13bbe7071434725d26a118b9545b8ca3367485d71da72c9e10e429688ce13c0f01ede6bbda8835b7e9943cdec21b97340a885bed07dab22cb7c83c7d6509de9a2a1fc523a447bf2bf0c771a3fc6baaf60153682cecb3519c2a2843e90b24705d8671a8ee16abc6427f6bf761e19b1ec809c3844c6be46c18fd8852e263e42f32ad18c1cae7237c8f41c6e2fa856043c6b5e6608ef87d52efcbb2dcb00d2b0657471770b2528dedc194c48c53237780e383644eb7cdbcb19a436ed70d17bccc216dd99712760b52160c13a355b0d87c51ffd9da2abb736f7113b6eb4bcad49fb30e069f02916a05ab5ecabd4fb60165fe8f49021f32119ba769d155e4be80dcbd2b569b67efc139616128980e0f64d7c8b87979db48cd561b18089fc0879bd4354ef8438ae9c10f2e776551c728a8c779b60101c4673db2609aadb564b3f15d307769187b391d337504c4ed9d198c61d2e16000d648c7cec9dae4f8764cb66bd84e0ae757a978efed049f1a394e690c7ba17c6dd3c9202881af38f4a7299f4668f9d8cdb31557ed4e8c4fafe562db3b80578b6182f7c9e854e8e85c2ce07fa4ff5b5497807105e04da5dbca56d8feb6599ed25ee86b5c98ffacda346f2fdb8889763c396663f2997263b2a08102acf89df9708b1a00502b2448c1729871aa7b69876e9b1e5dfac20c38c5df302142dfaf4aecb10eb851b417e4149668dd99ac72eb0729565fb3ab81f5190ab357ef49b2d122d72e4fd7b2cfc3090b5a364904c61950a887d25fa48fa3cc0b37a460226770d6a547f31e4536afaabfb2a762c29ed35abd523f734f0651f2a1cf239b3ae616d040f0aa1554fe5a927c4c5ed7c6748ec867150bbb24f46af29d4dd1d95aa24cd4e205fed517ffd22d07a71a8a790d688737475bffd81116eb17b7c3c0d450f055c5d58ec884a517c9cc14ef407565a01dae05cab6f4d81c5a8b59978b76a652c4818333c2a10a76e8c5d67b485b3dca46c17493319f186ba43b150a4da3914cfa88a44ad00b97fbb695046531dfa6b6ba3a733d7ce06dea2bbbf7f9b571304fe8fc939cb0e98ebe1475ed5b279a26c7bb9e049ba51349dc7168badf5d7d30d739bef613104deff0cd27226f2310b68b68354e39a2eebee2665ebb32b29a039ff47a63fa42d1b7468e17d50b4313316d10d937b2f9caa3006cf976b40c6152e7d679ef63da1ab8d8a6d6604f0059653cb2382fb2e477b626f2a08cb0359f7fee07a4afe261d73dfc09b225e9a50ea89a905fcbc60d038e6523f52f50e104300e6a4c9f850e5f72bfcc50caa821f04bb909d1fef2c13e89690466e6a0501357c6a1f3f7cd9880cfbd15d0d80f0363c4b1391b2afc22b0a6aa9021143f87c3fdb9381a8a95bcb34e51604c64b550b69d6a1aae9efc371f98e7aa9cf8dfa0b23631183c323c26d1c85547589c769eb4cd85e6686e987cfe8e6a896b4dec118038f926a40a6034a5c02311e0989567e7f36d10a022e9ad82b1a2914e29cf67c109271682359e65c7378055fed066ae1c22723a13d85dbc4e097d26bf3818eaf25e1d1f1e91896610aeb897d4d70f607f4c59112cd9a20f5c10d2e2592d5099b22a8813e0880764b33ac0324dd6d6b4fbb9cf968e770f87f17a09074156850b0d7f7f40d753e90b44b33925d69c92127fd78accbc8c13d414b064619b7466e207071cfafa7b1447bf981be650c4bd67c5a2202eb7feb2f28cebc15a62a2b169a5b099943e19ff132282d3b1383c9fb8942c85f18075896dcdc93a68170f2589a1a6f22fef3d6780dc3661b4be8b3955065354df1e06e831ffee22e1a0ef27ec450791066a9b313a877477305fe696484e4b7fba9b373bff4d11655f26eae539f933eef6b4eaf3f5457d673895b45bae0d78c36189c0b27fd2b1633c4cf785d7df6c0a6eceaf88474a0d1df2131a60b211ba19bc23ba379cafed202051b3348d915686180840e9f0ff4cdef905c85161503d92bd621a2af62396a01eee7f8971b89bad4afa89bae03f370920dd4c99993c7b8f5878894cb4ae441f339b8aa8f46567ad04bc20662d8dec563ac1eb74bf4843ba542aac608bfee68bbc7300fa5ce6b3aac5de9960892f89f5747f4b47c0124040f85f042703a288a6c8e1881da3e8a396d291"}, &(0x7f0000001240)=0x1024) getsockopt$netrom_NETROM_IDLE(r1, 0x103, 0x7, &(0x7f0000001280)=0x200, &(0x7f00000012c0)=0x4) fcntl$F_GET_FILE_RW_HINT(r1, 0x40d, &(0x7f0000001300)) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000001340)='/dev/audio\x00', 0x1, 0x0) ioctl$FS_IOC_GETFSLABEL(r1, 0x81009431, &(0x7f0000001380)) setsockopt$inet_dccp_int(r0, 0x21, 0x0, &(0x7f0000001480)=0x6, 0x4) r3 = add_key$keyring(&(0x7f00000014c0)='keyring\x00', &(0x7f0000001500)={0x73, 0x79, 0x7a, 0x0}, 0x0, 0x0, 0xfffffffffffffff8) keyctl$set_timeout(0xf, r3, 0x1) r4 = msgget$private(0x0, 0x2c0) msgctl$MSG_STAT(r4, 0xb, &(0x7f0000001540)=""/155) setsockopt$RDS_GET_MR(r1, 0x114, 0x2, &(0x7f0000001680)={{&(0x7f0000001600)=""/19, 0x13}, &(0x7f0000001640), 0x21}, 0x20) setsockopt$inet_sctp6_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f00000016c0)=@int=0x2, 0x4) ioctl$SG_IO(r0, 0x2285, &(0x7f0000002ac0)={0x53, 0xffffffffffffffff, 0x1000, 0x4, @scatter={0x4, 0x0, &(0x7f00000019c0)=[{&(0x7f0000001700)=""/225, 0xe1}, {&(0x7f0000001800)=""/11, 0xb}, {&(0x7f0000001840)=""/189, 0xbd}, {&(0x7f0000001900)=""/132, 0x84}]}, &(0x7f0000001a00)="5dd3fe00b8e71b1b81fe67263bf2ed6ca2a1de2d23d430136a775415f2017ff22ea4ec9eef542ea5932ad6c122574508e9bc5ec858f5378cf7599aade901f05c6266dcf30aabea2841bf79dadd5f30c33e5fcfb067128427e9d0579bdc311114c5be18d89249b5f615b64a383ced215104389036cb055755409181184b49106bb6dbad7c65749b9d7b736f535ea4d9989944ee31ff99a3381df254a93f432abe3d252c8b8d57c7a1efcdfbac468add2b53c21766956b1a993c4a8b7fc6317be164b4e33dd5e4570286cbfa040fce9ec1b7880688c1e966dc42c9933ddafc31fe49efe0e68e6aca5b60391eae077cf6e6716a0899ab00b0db41366cbd0e0da1b3fb4de4f66ed6487b2c6ac57cf501833beec23225eb9e21154f6ff41c112fe732e909d973e17e823e8b2ed9ded6a58052a391e03996752c0d119d99a470ab9f901606ae71e3b9a749471116be67219ea04a82872ea73e387c7fc8d8821ac64f2f101d59d579b973d5647c8db9b5072835ab66dd06581cbb6e91c30044c1f6ce60890d586e82649f93d0cfe9f9a297fdbfb0d60e49060d68000529772b73c5d26785f07eb01c7458eb7bd8467e569fce28a4c8e19f8c88b4ae549992d945a7130cb4483696b1dd2c2cd97c43ea84ee341d690a7cc5c6f38840a51d9e8b0993b77e4f4d133949f2003c36f28dc120d9a13b4484b87a466ab777285581f69aa6e5f7a3755ec2499e8c62d282e39d24ccef81e500e72996dc308e83b0040aade9f0d1da5f73f701263af8789d0d89cd3242755f110d0ae8368c687d1c2f6da3bd28c8799c4db9fc2dafd1726410750b9c327545ad8fee710f9a925428cedc4256fefb7348834016c35ab97ae6ef13740833f2d1ee4a7da9aaccde4cb99180bb35f956d99705cc5b86c14e996884239c07ffb81ce7d5b164baf197ed6a7dd3fb92f460258dc918f4f136aabf7e03548aa38810c655a1e6c2a19b42bbd37323b068b494e6bda074e9427eca649fd2cfc767f81844457f019c09326cbd5a958e33945aebf91786e239619103b31570fd2fe32c51c23e7e13d3ec2a1e2e8b9ccc044a97de60701045d20e0ba6442302c88077d139b9badbf32d6437c8ad5d01aace9fad5335c93ebd0deddfb7597eb414d94baba859e0e835e068037cc20cdbe785fe308c653ff89c74b392eda19bca36e99aa49a338236f9b9ad08f108de221e83ac502dc329a4fec4ba8ac7fd19a4c4dec692ecbea56d6ede37d8aa296f0200435b3b1cfbaa612cfc2ce8570d259768253b879de8bad09b418794d3ec320cf5ce3b9716bfcb59b86a0c0338a80329e4f499323ee2adbb71572d6db57297001e1bdad3992d202a1a9f367600be498d282bd89d5ffac3c3f890a4b1108d65e494c696c781259db402663c9c023ba753372531530bc108608df0a261962c2a40e4c2014ab14241ee9b872bd7a6f67509f26cd3723ca7410f9ccd86bc6040d7fd476f94848682f0518dd059901145f047859903bd175eb28e04b1952e84d4f809bea791c9faf66c1a3127e1a4396e4fcdfbc0263974101dba3e062c2aba43229265dcce91471091448098450fda73ec7c47eb732e362eaa533adaf5480e77012451adce986c4c329d6f951930514836f9cf3285d19a2e09b54a63889465733c923b264e04013a3573cdc8f1590638fca8189201b0dcc34eb9cbc8059f576177df6b3bf395a58766edd134b2e7e89b62ab75274ecca487789dd4c46b14c3b950c9485d252f77f6ff8f1f7f51f34a781288809cc54ee469fb4f18bc58d38a6db97a4fc9199179988b21547e264c2115307fcb884b121107e328b13d226e93796999ba5b206858fa47b5f9df4c5021ff12a6c5ae67acc9cc01f2ee9602c64e6cda7e7b19f3eeb62ee494c8654299e19945f538a2d3e28c38757fed1e52ffd3c50a1bd245580599e521638c4c12d26fde45eb12dcae084b02eb8472e4d00ebc3774964ae799c763006d686128baaca28d2c15fd9c5977f14d35677ed89896f25d231e7ece631236da27a52afef57636013e727cd5cae93783702e2c7ad1e262e55a1b2cc4e32e7406684c7e8553cc9c71053bbe32cde0534bf4d4cc080c5d10579e62eed1626bc84fe9a49901acc321e950b9ee84e4c21731c69bd1a71325df7c840857bc33db0dafc2b3b924c0917b8d969d6fe8fc58742653fd7981ecdbbfb9164f9ba55be4403132fec8e7b4232cdc0692c492f87f621cbd40469e905cde86e4a76c5b76e9d1668003592a330501f5c012a4ac6dfeb0be8e71846ac7d9c60cda2ab73aec8525cd27100719f6f8f548cffd88a6b895acdbf5bd301309721246dc8d5aa661358a3b537855cc74e154ac7ff9304da4b025158e711af7573f819a96ebbd8e66536d5e67678f5f7cd204412b1edfa507d823539466ac5628b0ba5993a34f4b6712f9c8c8f0c67289ab554e61a2069ff21a5d1f5aa32773cd62439e9557e98dca3a2c86e8646ae6395da547506d9574a2fd9ad1053407219512365d7c8bdf3d88e6fd4da49364c2011a5edc259c9a586d109f5b698d7cbfc417f2f26d02d9627ea2dfda1424312b68d47721658b76ea72ff6cb9ce06c234fb77dc7da54eefeac2707662acddc09891dad4f10f644332a95a52ccb598c0b1fdbd73bb700fdcbd3de6973cdfe2f0aab7e9eef68ca5b2034dfd8d08f6d94d2a8789715ee28958a80e118ff491ee9c7c632a7225eda13cc1522a018c2d410f5892c34d2e2bfa13243c5bde0aaa57d75c9038d9c78fcf8d9170f28be2de5485e15e50970f5dfd6438aaa1bd44b620b3be29988fff44a580fe53b214e44d3bd4978146e3c9e5ac89a067561aca87bbcce1206fef70b392f44204bc8762ed673c027c2bbac866cf3bf987d8d7c1772f32fd98cc1375d0f961aa26bf696d7bd10e36a563ffb9f851617e87e11708a8e813cf8b6089f82e2b35a643d1eed4afe12d3e89792c1583545cd9553a4f555d67076ff71d612d3694d2d4add9a13cfe7d84d3bd715759f96721760db70a14806fbd8043794a0a58e0f7d816b10dea395864dc8676a30446284b0de88d2fbf06bec0014db46577f1a71c5128712d4d35d78c2dd942b156cc59fdb2aa2390828f866b425e94b90d40cfa78122ed196d7c2ec19f355645b3f1470a791796c0b3f2e56d7bda5399660de6a31ccd577db302e734bc303cde6b8d9e4be133deed685da3074978d5f362c315f92d508c6ca93ca1b22320a20a855b71205a95711aeec97dc6b9d4816de6e7457443d1aa2b6b2723865aad5226a6182044c8bd1f88325d424498e1fab2615bfef05498e40071abd05ce131cffe1f4f17b8ffe17057d73819c7679b2fc17d8319c8ffd6f00c548965899d812e7addb916d15abaaa2646d0634085ee1c4e7cf694bf8f87ad1373a2fc2e8198356cb70d3243757bf58c220f6a84cdb1fd98088fbd12bd0d5447fdc5c9f2bc792a310bc6e091dec19ed3d92af56f1e07ae33c1bb0f8ba70dfcf0461b4f3869ffd14f291c1c8de568ba29f9506cd97888234dd259a34a5777a49eb68c400ff4054bb27bef668fb22e5d4c0ea19f6497e7a361cb0dc9609e0b356a1ba96cfc9a0cc6041e5dd73936882f97160013fe435cf9699955e902914d2153f8434f5f24096c91cbe34c7e1fe58feee28cdae2b0f33c526a4c991e987bd204d66e32d9c5dec5c4970de49e57abb2af882d77b17c51213fb2b14359bcbb68d2453e751c449356f8284cbf1250d7adb18484bb63226995a44bd61ac0f81a2417a218de99e5e9edd546cd581247719eb5bb5bb5ccb9e2212e9ae342d9864769ca3b043da90e47dd121c5cec9768f85daaa465cd39ead9da5768a098b53eb763dbd257afc92d905f072c28dd86995e171171b6d8d07be349dba80a14f5a39775a46352b5495fef2b2893faa4b132e5a764a5754d425da86ac3a3220cb7b7235bab81e62ecc3dd999f92e250a7c0ac29cb7faa215ae5a2ec6d345ed05585c23a29c1345c1b23499a1ad5ae05f631a280ed446deb0cb3978a3d39eb287694c776242f0c9c09713ecd1a8df09987a5276693a627a757b529bd12888ad0711efe4175ceb2adf9bd21e5ba79b24d29eee2ed6579cc3042ff0c5013cdf6dc102e4fa0319d9a80b161074903bbc6b1be37e18a35775e55c777bdf9b4f3045beacab2c7210618cb897fe89e1407db29c42baf69f410255cca4443d095b963525ec6d5805b1330aef6abb1954b8107f72f36fe9deaaac359735b749dfdbfec1e86c0d46718ab46de45a68b15001e8da4d8970992398b4ced782fb5d8833b8510c62bf872ca52a6f680abc87da768984b3ea7956f735d677564dd4eb0d5bb53db1b18907b2e2d24ada7fad2b7ef0f0617beac0164d9ced801f3a3b58e77406fd2ab7dbbec6c46187eea5d0842b1ec304413a97a9c371e48f2d587eb64e9db5a869368688e084e4ce761088189ff0865fe73d9a1f7b2d5cfe2922f7cc87f4fc842664eb1081cf9aeb2229395d56cc202bece1e773e8e6a6b48abb094dc6fa88558ab35e501d79c5a7bf225540a4325c14e416575edbfa3dd93d34e81fc893f2c10b59fe22c9e57f787110379b3531a7554875c31b0a8a36ef6d11d450bd9f8f2b406a0e930081c28bce7c1ea51e25a956d330ddacfc2de6693a9e3c8adfebe42bb4d4d1da635f9df177e5cad970a490a5e8745b1c31d10af7a852e397df43162239f2a2dc31c98c854083dd33f33a8492c44a0fa0192399ab1a5662f70727fa04571e8136bbb0eea2ca7f2a67807b6eabaf5d9c82236c3aaec94b4e3a48cf40cfbcf85df2544457125b6a3218b07cc3c02574f9223fda26fa7dd03f4eece4de8bb844613cbc8f731eb15dbc9979e2d55be8408cf9e5c8ad4bb65ba1dc30f57fa89438584ab6d9af664b9da7dbf5a60420d0dc29c88b7ff33b2312be27682ce06426d3fa6fbac6251d74105343c664b7c560fa87d47a65a884a862d538d8159f68572c6fc735e33241067e86648b7a0baa0ebe83b2eb76661f02495cb9f44f6a67037f5c4fbd5db99e0138271dcb5d9d816d6eca701b66b46996bb23d33406dab59156cd61ce65dbfa61636c3850f0c38816a9db8086ddfe23bbf7cdbc0ff1fb6cfed291812acd917d068207b3f8f002478ec8b7a4cf707ec524c5dcb29b39cc7b0e6ee4c9274ddca2b986d329b1d153f4b9354e54272bbcae6030563f7365ba7471ae7cab05122501792afcbd3edc465976785bafd8a90f9259edb6a30d7fdf0012c3ff53be464f9cf186e0cdfaf3fac0e22ce11cbb9a69ddbfca53f679ab4f6e5756640a4d6f4e6a4bac2a5d18ee8cc7a1c0f3759d17c54e406bdcdb38c3e9de2a4c0b09a31451cbade1bf2c05f8418b4a3fa058addb98bdfc10cb4d5f13d0955e6d0fa02cb01e2642588a01ec51634f7d5add374afb36f7d3e958f0b1bd1fa9da6b9194569bde2579ce575805db5b232a5471d7ec0454490c36b429d8df1b03f3253ddc014968cda0d99dece2b947cf9ddc7f8daf1137cc1c430de79edd1cb61b60a21b046c61f5abef9f4c572bdeb4ef6a8b169a324485f59c1db36dc8f48de65b12801eb4b0fc323d634979f7f77ebf814e95cf9ebe3f57dc2204e439e19e77f7af165fc74bd9128354371e7b2b8e5eaf4523c0f9f519e83fc1289c3bc2b6b8401e366113adc548f1e304733d6b74e25079a4e57469cb3a8afb1642f67a440b03fdaf04103576acfd0555bd0e1ed11fb645f0d1516008264fbdef2284a1d6c3a38956325d42e35aa4ecc1f36334a07287359a2020", &(0x7f0000002a00)=""/66, 0x6, 0x34, 0xffffffffffffffff, &(0x7f0000002a80)}) sendmsg(r2, &(0x7f0000002c40)={&(0x7f0000002b40)=@llc={0x1a, 0x311, 0x4d4f03b7, 0x7, 0x20000000, 0x0, @random="4a4ef92c3ceb"}, 0x80, &(0x7f0000002c00)=[{&(0x7f0000002bc0)="054361d8443b5e8924e6d0be81b8d5f8b1cec2d35231e06f0abdcb597b762ca6e961d56da330510a36c2db995d1cd76bf4fffa733a7464f6", 0x38}], 0x1, 0x0, 0x0, 0x4004040}, 0x0) socketpair$inet6_dccp(0xa, 0x6, 0x0, &(0x7f0000002c80)={0xffffffffffffffff, 0xffffffffffffffff}) bind$alg(r1, &(0x7f0000002cc0)={0x26, 'rng\x00', 0x0, 0x0, 'drbg_nopr_hmac_sha384\x00'}, 0x58) geteuid() ioctl$sock_inet_SIOCGIFPFLAGS(r5, 0x8935, &(0x7f0000002d40)={'bpq0\x00', 0x6eb}) getsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f0000002d80)={@loopback, 0x0}, &(0x7f0000002dc0)=0x14) setsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000002e00)={r6, @broadcast=0xffffffff, @remote={0xac, 0x14, 0x14, 0xbb}}, 0xc) sendmsg$kcm(r1, &(0x7f00000041c0)={0x0, 0x0, &(0x7f0000003f80)=[{&(0x7f0000002e40)="d65814a38f6463a012d59d0e31941f0a043721ed518f061cb8e31c458302a5bf45f19b3a01aeae9a666c43d18bf7d792830a6e8a37ee625e97e2b994574a16ee67afc2be5917e40266e23e47adcbae6ae3204ccacd68467c0c28af308ff3eff2ca8253db426c93dffa537379e897d11703d8718eaac3a1fd7fe29f9c9ea52b307637226083225d34139664e439f5b57b275960dd4fc60827c8afae550bc47c94b75ed0bf38dc9d8bad4dbe34442f739edde2", 0xb2}, {&(0x7f0000002f00)="774591ecdc2c824401d3cfdeb28a9a2d3808cf462ef8119d9ccf084ba0ebe9d3395f3e3b8c1c4ea0e6a38859129fb522924bbd6fd63bee7d16d7ff87b2fa1219f34b59e8a94d61ac705e71f4cc1d764accbf183b2d73d427c7e86d7d129ea3eeb512b99abf8e002c6ce0da42cafe2d3ad591502fb9f3a5d3fdc321dc20589e6082f291b20da3d7b7b4db707c77f77439c4c2ea79a18e5cfe9f5a47c5f377e5396b561c39c07401106763119f3c348054f01c26369e91c986f4327c462427c43736e65854d35e8814ec70cd6c3723c4b3c6aa43942b4c9829bf176fc32ee650cd68aa4f7d887c19e3889a35c1752678e7659fcd38966cf461a4a5e02450d6a42c87cb77dd2f91d7e9f6bb069bf1454b320174d822272a4dcd92faff0cc91b3ad2327c6aa88a69579bc183a0c7cc58c1e1850821128ebefcbeaba36fe2d489cb5b0bf3212b12078cf8b4d8b398e5cfd27e0df345cc231eb258fdc161ea572d393c0c2b4f333014f4448df784ec04f02b138da447a90bab853a2aaf5947b3679adbda91fac428a92321bf0558683e3e19ac562122e81c3b55b4da13d7ef34826c5730fc0b246d2add4cbb060d1e1d071b749ecef72e0e5e8332a4866e16d65d22d1e3f739de1abad64c8899f1c237bf62c6e6e481bec0162f130bc3025076a6adfca12909da76e5e0ef73d605d673f0a5aae54cadb65fc7c4c6ae370519e1c1f0454fac1bda60469c83549397aba7a3b2e6981aaa7131a20bc080c8d30a7462d3f5f5a3715805c7c6eb72be2a7644ec7cbef490b07d3eee4e909077ffc7202d3611a78e30e9c23c13088227382741a5490438a87fcf79d13cd0282777907bacba49c39fdf22f8a562b32bcd9f1475f15b7245db717d2c42b19013964225d8edc36572ccdfd4c55a4b6bddb2086ce668892c279800d1ff162739f9be8c0b6351570df7af09cc357de7c5124b07a30caacc3916483738974152a53529831fbcc1f5d1865768b6bd0f8aef137fc938140398f8623426f2d2c08dd410aa76121ad620e4b877978f6298cde4ef7b3f7a48eadf72be8ba3aa69d3e3804abb9bf84e582a100001856e2b60d72b2ac0d6414d6116e16275e3ba6b29cc90b5d1d9bbd26bdbe8cdf06f7ecfb9b6f7304e350b2d39159aa038389da49ef08603e282585d94bae469440d39fa57d2d72bc63874ee99149cb075c6c656b69db7ad634c88fde5d1d1cfb086ae6050ba338c2fc368d6c6debcbe9cc1074c4573f5ad2bd96930b0c38eeeaf83fce784dd7314b45d0e7e99cf486d94de6d92c218f60f4d95ddf5b2c4952048c313d98b0fdb12ac5772db35d065003d7b2deae8d5e58774365ed146e6d865657c684d8b85e09cb915880fe8d48375cd0074624249b49e6cc67ca0aedf72895cf84f9bf6e14dd96812b55034837606db5fb3cab74ca8f7c66b74fdb4410f6ec9b010d547209f8658dab9ff69ccc8def73094ccae937cb298d6ac9e7032f9d89b54fd744276542aa793117b3432c1cd4faf3094ffccc2ba339facb1da35b7c3a913af82858d645c08b8f549023e9f3016fb6d00be1e810e30df1936dedf6448cc4f270cf33af24b440ef32cafcc69ec7a22b7516c113bfb603937cba9bbd45f30f4c7ce1331e5b4d8a21d55ac6eb81e9e2dc2eb35156dea137c7e3cb5ab76d69d7ea0a9a6ca9a1e4874d6833eb6fc3d9f173de4155c37028a3cd21e957f9404df6074d34d9b00b22689ac502cb82bb4d6e3a8aaff1c9976dedfed76d34d464f54a1c6ceadad2767a7d9ace429db060b8a2ef766c230da0c66737507a7427b2610a79531b27d5ff4ff6a781fc9ee5858a602475127ec55c80a77967af53b521f47aeeda4579da7fb7bd1eaaf3668952eff8d26bd021786fea1b9aee79b19ea3965de11c862e4bb3efaaee796914df44367547c826505d81ff700074d74133fa0b68526ced7ea4841e4712d7a4cc041d92b86bb50d884f0c425ffe05f0798995a5bf8f27008634189306b6771e1445c0c98cd9965be9934c73631ffb20f90d7fc2cd72719bd0d403322886a1750515ceb9d63d457475e77fe6ad071bc541086adc44e788e9f48e967c6f21298fd513d30c6e7adba4643492c8c90b95c13bba7db38d3ca2c8772314dd4ed5d87451cbadb2ec23488e6a3bd75fd85ce5fa9bffb4fcf9d0783769d428763d94eabd70d42b8a13d927d069804d42a5d3cbe06a253bed40e50d3d707880fdd92877e4f78b02020bb1030ee0c3c14c1f771998ea9f2f2274f281d9f4ff1ef115609e36a121fc69919a9c8140adb82a96eab9cd8a1bbbef37729c3a2058c30fab100711a3df136d14b51d461549ce11791109dad4698dc2e28fbfec72daf9758367b1591c966e8098b8cf23cca1e7529dd1d42a699080620474f1ef322f53d802c7b02f1aec1eef799d8e6383e1b71123cbf49f6b499293bc470c8913aa9bc0c5dfd2188befc00cf7b9fe49fda4449a0febebc54d1b16d258eb5c0eb2cf722cea9e565cbccda4508fbbe0042f55d44ca52291233bbf35859cf6cda5381c105e9d3080d15a5fd9b670c821cdfaea0ccc336f8e42a6b1222191610e019074a2b5dd7ad697731572aa17db94fef707e67eecb085acc96c805c2e689bdde1673e4ed6edc9b7595b47c201eb5eb4d7a5c5863875db125e538306d2f4a5c4574fedaed218e758a31f961c03bc850aff7cd96a8902cf6ac6c5d39e5bff0a972094f18b3024047054275986955e6fd154e2c5050071e162e7c03cbc71b53efd6f80819231073ae8f9bdd6f5a9cc9b523cc42ed3d877af015304f78731e67b0d0817fffe33fb70c09378ec5aff615484c81fecfbcedbc05b9221857f8c1eba748e16474b5086fa001b1de493bbef4745a20f32e54cd5cf5f6a3c8061d30157b0d82297fcd346a7a638fa790bb2e26b439cb7f2bd65b905c1d9b53c1eadf9a2265c91566bfd6cff535689cd80ac7d057236233d6bb1634c1241f0d90fd6ba941c220be52554b534d778671f7c7f66e70609b8b7069bccd855a71e4841a28a22b889001c031b13235be689eda6d00ad51f44a48293829e09417deefce70110ea0583806ab292f0f7b6f5c8d7df5f6efdeb5ae1d1110259ccff0f8359ce79272854d063d3da75aea89284e429ce470e368f9b17bb288cfad4c504a59d0e684606cbaaffc3c9e3ef8942d076721c3c5f2c9046d639791f3dd6552a214bceeabf4dd76fc18560637034ecf1f0b22e284b3287266568d51d24a163909b7fe918adde8964f5d745acfd04da4b792c0a0f5164dba28f43cbc8c7e602ffdb8e3552cf6b8eee3878c88d47c181b199b223c89c439fca912b6647e9323c7e7d6c167bf87bb831a840280a17cff8dfe64168bbb6beb361f6588a57f5d86096adfcac633d1c1f122a1744471c9e32b570c4b909d4582da295dc5f629965da0d18bb8f07ee0c6583f75a501e69258c66f08914b2960fe10d6a0f577328adb1237614f637fb4cdf428920b80ecc01165a57455bb9d7dbfffa95fa0c4050b106f617eb0cb2ecc29dcf88c68d31644387e4aac1a0cafd510648846a5cdcb34a4008a404de0b36e64d253851699d13ae3a8c83a7e12d4a80a2ba24d695e254d31cad2ebd23d367489217a807a9ec580d9b11678129b5a4000b4d93d9bfbd4c0e67ef42f05df07a6e7ce3a28d77c73988898bdc268d96a744339edb2437945d9363b337194e427310c1a611ec7bed41e94d5a63111805b33e2dc7748d8cfdc9672a356058246a037786e5f9f32bd0ff9c115b1fb9af9ede70a8d714d77d0d5cee77f7e18f62b2abfaa4bef8f1c9bc51fccc63caa957fc0d504298c1530bc35a7b677d30006fdf56a231fcf29f640ca7f0262832e2946d2ef15698099fbc74d721b824a298f7d5dc8064f006a9052f73aca790e3becb0787fc1732422c491b4aa5c166e181c2b1b4f2d496a346fd4dd47a3018d083543d0922313f065963b36a12bdbdd6422108459f61168e0f4c348ae76800c6ecf43219e6d3b9c2c08494b12d0240be75f97fcc6fbb0b116dbd9f468edede615f3cbd1d1aa5431d1b9cb59d8eb2aac7ab013ce47ea3f5244b97b7c93a856465654199750a37371ef709909ea579e8ca5c29c5d44ca3139eba3a8a02a3b2a3517a5785cedf2a1639b5bbe3c7029bece9450c6efa5d6ed14fdd64c4deee9011aa15580f064bc535da6f49b2fe9e7b39cfe1155077c581ead8e96d2383535b5dce98bc268e1a1428458ce759e50896c414ef55d1794e1370af5de6d91319e738f95b92cc3dfa32facc660b9e855db9b05c62b6b913fd800e9c923aa240c70cb1fff64468c196003e960aba15fb959db62dd6cb4f89d874ca5fbe583fc4706d150321fbf8e4459a07008a5facf591ed7ffbd3afe104b7b66c705001e8e83901ad025f40e6c0c2a83f756e4a70d9969782e33f6a73936a3fdda486b8b053c80b3652a8d85bcd8738d8cbca2dec9ae5e7a4219938a8d21711df3eb8d361ae29c6e169f411cdc5ef8a46ed4e7786886a92f593bf6ad1e43bc2cc93a17cf57c408e680366dbb3b33dfc3a058771c2684291c72af857db1fd7f1e712564c8b9c4be8ee4ad7e6d88e958d067865e7269aad98cba5e302cf9e15000e2b716de6f5f653a67dc47e2452221528582c5b43b79b01d8c86c1e4ec6d2a92bfc96226d9b41b17459b46ec40956865161a855952db8343cc25fc59b0b0392f2ddfa07521611cdd098b233fa40d0607e6a1c233f518ca50fadfb07c8895945a0a005b9c3599d32c13ec6db27dd1bf9f898c97b4c8ea9aff33ed510f5d995595b8662bc2eeb19af7816477c7395d4993627083a12d31175e17873b11dfb2e9db6d8180eb8d402f6ae9115cb529fb5d0e4afc35d948eb07a75575373de3d70faabb4aaedbe056748f454d06c87ec898eefd830571a842eeb46131493c032672320859d3f4afcedb7072c6c81dcd5470f00de1bf6db211624b33a74adbb1531b92bb0b2fff9da4d40ea360d78c1aec83b39c3d75524e981d33cfb7a337871b10364f5bce12a2247acbbee107b148a8c08838b3649110c068b71657f04e6899b416f4acecbe8f88905f2d57e7653a51f2bd88fb553ec5abce5d2bfee83ad4854411fcc50e5464938c5ae6b40c745c2bc541206bba44f11035d8f33e57fff256d1a869ad37bbc039b6b9fe9733de29be9d3ff563088b7b488cfcd4ed196f65c0aaef8f48f380e9340267913746ca5638525ae4127b4f44ab172e28230f6c00a46124134b1ac35cd906d7cd4a84a34a0e5b06009ff1bc744acfa2c33cf540fe22c67236680e0bad29f654dfeeb6051576b3ffeeaa379da20e491d890651553e3f7264dc9b17d9504f7f78eb75c4263aaaf78967a283988546d42e4a9a0df6d0d6184dedb40dcd17577f9e6a3d73df6a67dfb08ec777f496cc41ed7a435fb8aec8c732ad9d7c1e55cf4e4d6594c47938c1691c9d521f556868144bbe5d83e1468b52d5759edac59e2be6353a73e12d5df6d8c993c1794acd15b118e1a899f8e186bd850b829293f80d287a733a2a97955abbe8c2ef068a96447d82dffbf0e48e62edca1f96d82aec97259688f72cbd7c6bc89090527be998b385fd4741b3ce60ea925d5a3fafb1e818d82a1a95d68d3ebf44eab1aa00e3aef6d839c51f59e23d9fa4136d2b61e06d0f4150063b032f9e47b629e2ba0a3c3dc5870edb1a0095b8fe5121816e95c5ddd278332fe6bb7b509b4dbd60127460c557f6d5ee22b2a7fe4954b2d4157e63eff9d61a7c50628cbf68c516d0f325b50f060ce1cfb4", 0x1000}, {&(0x7f0000003f00)="05dd99e70962bb27c3723cb4b343602c0d1fb8d4146c0b2f30b71b82f4af7076cc53532527cc52bcfa3d76b8ab95ea9ececa3eef12ebf1295dbb5eb5eddeaa69496d2c272561d41b6e47e06ffae859e2a1a20ef6397014a25461c43ed2648893314970b094aead951227a3abdac7602b36812076c674", 0x76}], 0x3, &(0x7f0000003fc0)=[{0x68, 0x11b, 0x3, "9fa6e07c240e6bb153b60ffa252bb3c91583a0c11ef0cc697295c8e41067ae97e966c11d64b0d7d1f9fd82a0dbdf9a7775b6dd29fa0c163d20aa68f048374571d63af3703f2d184522e556cd0b593633fcbeda71f501"}, {0x78, 0x10d, 0x2, "097bd5d13acb2fc41f73c6fcb65a4f5552c6d1f3aebe9c9957719161ae85dbfb7fdfffd3de065aebd085b98eecb9dc889241005e350d8fc6bb05989f6c808395702c465b7eaf3007f7b8d6aa20c3ddbbc8aa65d703cf6bc052b98bbb74e6172ca3"}, {0x28, 0x53870880926c01ac, 0x0, "d0291dbbef9d566be7b0355bb359a108aa68d4bc"}, {0xe8, 0x10a, 0x7, "97ddc0559b650d03b30416fe277361095da8a7b688569514a13a73c8bbf030c5769f8ff61b8a1085cfe973f52e3def134b4c9796b8ab37365ba97cadea98640694092a22a0f82a9d9e73fd059ae68fd2c2dd8ce48ea6fe304f9fa3744e90950d6ade27d4b8d8c797edbfd3a7f53c755af8f145416068b376e2ada7f349201c362dcc917c649c710b095e83c71305f4e37955039c5a6dbc80b4a73f02f00ea3d55ba02fa965afbeb5891b3c9866143606d01b728d3eda5df72807dd30ae40bead7781e93aba3de4a7e48c0bb275851f29aa60d4"}], 0x1f0, 0x8000}, 0x4000) ioctl$VHOST_GET_VRING_ENDIAN(r0, 0x4008af14, &(0x7f0000004200)={0x0, 0x5}) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r2, 0xc08c5332, &(0x7f0000004240)={0x0, 0x101, 0x40, 'queue1\x00'}) getsockopt$inet_sctp_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000004300)={0x0, 0xffffffff, 0x6, 0x5, 0x101, 0x5}, &(0x7f0000004340)=0x14) setsockopt$inet_sctp_SCTP_RESET_ASSOC(r0, 0x84, 0x78, &(0x7f0000004380)=r7, 0x4) setsockopt$IP_VS_SO_SET_DELDEST(r2, 0x0, 0x488, &(0x7f00000043c0)={{0x11, @remote={0xac, 0x14, 0x14, 0xbb}, 0x4e22, 0x3, 'dh\x00', 0x2, 0x8, 0xf}, {@loopback=0x7f000001, 0x4e20, 0x2003, 0x1, 0x1f, 0x8001}}, 0x44) 05:00:56 executing program 4: r0 = socket$alg(0x26, 0x5, 0x0) r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwrng\x00', 0x101402, 0x0) getsockopt$IP6T_SO_GET_INFO(r1, 0x29, 0x40, &(0x7f0000000100)={'nat\x00'}, &(0x7f0000000180)=0x54) bind$alg(r0, &(0x7f00009f3fa8)={0x26, 'aead\x00', 0x0, 0x0, 'echainiv(ccm(aes))\x00'}, 0x58) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/expire_nodest_conn\x00', 0x2, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'rng\x00', 0x0, 0x0, 'ansi_cprng\x00'}, 0x58) 05:00:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6800000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0xb0000, 0x0) r3 = openat$ion(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ion\x00', 0x103040, 0x0) ioctl$DRM_IOCTL_ADD_CTX(0xffffffffffffff9c, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r2, 0xc0086421, &(0x7f00000000c0)={r4, 0x1}) fsetxattr(r3, &(0x7f0000000100)=ANY=[@ANYBLOB='Ltrfs\x00\x00\x00\x00\x00\x00\x00\x00n\x00'], &(0x7f00000001c0)='/dev/ion\x00', 0x9, 0x3) ioctl(r1, 0x401, &(0x7f0000000180)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100), 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:56 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6c00}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:56 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000240)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x7, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:00:56 executing program 1 (fault-call:4 fault-nth:23): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1052.986597] ALSA: seq fatal error: cannot create timer (-22) [ 1053.042113] binder: 28748:28750 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1053.053794] binder: 28749:28755 unknown command 0 [ 1053.059910] FAULT_INJECTION: forcing a failure. [ 1053.059910] name failslab, interval 1, probability 0, space 0, times 0 [ 1053.071233] CPU: 0 PID: 28747 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1053.078169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1053.087524] binder: 28749:28755 ioctl c0306201 2000dfd0 returned -22 [ 1053.088181] QAT: Invalid ioctl [ 1053.094011] Call Trace: [ 1053.094039] dump_stack+0x1b9/0x294 [ 1053.094062] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1053.094082] ? unwind_get_return_address+0x61/0xa0 [ 1053.094102] ? graph_lock+0x170/0x170 [ 1053.094121] should_fail.cold.4+0xa/0x1a [ 1053.094153] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1053.094173] ? __lock_is_held+0xb5/0x140 [ 1053.094187] ? __kmalloc_node_track_caller+0x47/0x70 [ 1053.094199] ? graph_lock+0x170/0x170 05:00:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x1000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1053.094218] ? __x64_sys_sendto+0xe1/0x1a0 [ 1053.097759] binder: 28748:28750 BC_FREE_BUFFER u0000000000000000 no match [ 1053.099986] ? find_held_lock+0x36/0x1c0 [ 1053.100014] ? __lock_is_held+0xb5/0x140 [ 1053.100040] ? check_same_owner+0x320/0x320 [ 1053.100060] ? rcu_note_context_switch+0x710/0x710 [ 1053.108633] binder: 28748:28750 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1053.108860] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1053.108886] __should_failslab+0x124/0x180 [ 1053.108907] should_failslab+0x9/0x14 [ 1053.108928] kmem_cache_alloc_node+0x272/0x780 [ 1053.114403] QAT: Invalid ioctl [ 1053.117644] ? __kmalloc_node_track_caller+0x47/0x70 [ 1053.117671] __alloc_skb+0x111/0x780 [ 1053.117691] ? skb_scrub_packet+0x580/0x580 [ 1053.117713] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1053.117731] ? ip_generic_getfrag+0x11c/0x2d0 [ 1053.117748] ? ip_reply_glue_bits+0xc0/0xc0 [ 1053.117774] ? raw_getfrag+0x15b/0x220 [ 1053.122897] binder: 28748:28750 BC_FREE_BUFFER u0000000000000000 no match [ 1053.126913] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1053.126939] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1053.126963] ? raw_destroy+0x30/0x30 [ 1053.126989] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1053.127010] ? ipv4_mtu+0x375/0x580 [ 1053.127032] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1053.143989] QAT: Invalid ioctl [ 1053.144196] ? lock_acquire+0x1dc/0x520 [ 1053.167611] QAT: Invalid ioctl [ 1053.168454] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1053.168472] ? ip_setup_cork+0x4dc/0x7c0 [ 1053.168494] ip_append_data.part.48+0xf3/0x180 [ 1053.287446] ? raw_destroy+0x30/0x30 [ 1053.291174] ip_append_data+0x6d/0x90 [ 1053.294990] ? raw_destroy+0x30/0x30 [ 1053.298692] raw_sendmsg+0x1dae/0x29b0 [ 1053.302575] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1053.307665] ? rcu_report_qs_rnp+0x790/0x790 [ 1053.312083] ? graph_lock+0x170/0x170 [ 1053.315878] ? expand_files.part.8+0x9a0/0x9a0 [ 1053.320445] ? check_same_owner+0x320/0x320 [ 1053.324770] ? lock_downgrade+0x8e0/0x8e0 [ 1053.328910] ? lock_release+0xa10/0xa10 [ 1053.332868] ? check_same_owner+0x320/0x320 [ 1053.337182] ? __check_object_size+0x95/0x5d9 [ 1053.341667] inet_sendmsg+0x19f/0x690 [ 1053.345457] ? __might_sleep+0x95/0x190 [ 1053.349428] ? ipip_gro_receive+0x100/0x100 [ 1053.353741] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1053.359279] ? security_socket_sendmsg+0x94/0xc0 [ 1053.364022] ? ipip_gro_receive+0x100/0x100 [ 1053.368334] sock_sendmsg+0xd5/0x120 [ 1053.372050] __sys_sendto+0x3d7/0x670 [ 1053.375842] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1053.380503] ? wait_for_completion+0x870/0x870 [ 1053.385087] ? __lock_is_held+0xb5/0x140 [ 1053.389144] ? __sb_end_write+0xac/0xe0 [ 1053.393110] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1053.398631] ? fput+0x130/0x1a0 [ 1053.401899] ? ksys_write+0x1a6/0x250 [ 1053.405693] ? __ia32_sys_read+0xb0/0xb0 [ 1053.409754] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1053.414587] __x64_sys_sendto+0xe1/0x1a0 [ 1053.418636] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1053.423655] do_syscall_64+0x1b1/0x800 [ 1053.427543] ? finish_task_switch+0x1ca/0x840 [ 1053.432027] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1053.436944] ? syscall_return_slowpath+0x30f/0x5c0 [ 1053.441863] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1053.447218] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1053.452052] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1053.457243] RIP: 0033:0x4559f9 [ 1053.460419] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1053.479699] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c 05:00:57 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x401f}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:57 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'bpq0\x00', 0x1}) [ 1053.487395] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1053.494652] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1053.501907] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1053.509162] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1053.516417] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000017 05:00:57 executing program 1 (fault-call:4 fault-nth:24): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:57 executing program 7: capset(&(0x7f00000fc000)={0x19980330}, &(0x7f000047efe8)) r0 = socket$netlink(0x10, 0x3, 0x0) setsockopt$sock_int(r0, 0x1, 0x20, &(0x7f0000000080), 0x4) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000000)=0x0) ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000000040)=0x0) r3 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x80, 0x200480) setsockopt$ipx_IPX_TYPE(r3, 0x100, 0x1, &(0x7f0000000100)=0x7fff, 0x4) tgkill(r1, r2, 0x28) 05:00:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) r2 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00') setsockopt$netrom_NETROM_T1(r2, 0x103, 0x1, &(0x7f0000000080)=0x4, 0x4) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r2, 0xc01064b5, &(0x7f0000000180)={&(0x7f00000000c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x7}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r2, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}, &(0x7f0000000200)=0x10) socket$alg(0x26, 0x5, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) [ 1053.585050] binder: 28767:28770 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1053.616654] binder: 28767:28770 BC_FREE_BUFFER u0000000000000000 no match [ 1053.665570] FAULT_INJECTION: forcing a failure. [ 1053.665570] name failslab, interval 1, probability 0, space 0, times 0 [ 1053.676891] CPU: 0 PID: 28779 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1053.683224] binder: 28783:28784 ERROR: BC_REGISTER_LOOPER called without request [ 1053.683822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1053.683828] Call Trace: [ 1053.683854] dump_stack+0x1b9/0x294 [ 1053.683878] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1053.683900] ? is_bpf_text_address+0xd7/0x170 [ 1053.683922] ? kernel_text_address+0x79/0xf0 [ 1053.692098] binder: 28783:28784 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1053.700814] ? __unwind_start+0x166/0x330 [ 1053.700841] should_fail.cold.4+0xa/0x1a [ 1053.700859] ? __save_stack_trace+0x7e/0xd0 [ 1053.700880] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1053.700905] ? graph_lock+0x170/0x170 [ 1053.700920] ? save_stack+0x43/0xd0 [ 1053.700931] ? kasan_kmalloc+0xc4/0xe0 [ 1053.700942] ? kasan_slab_alloc+0x12/0x20 05:00:57 executing program 7: perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x3e4}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$IP_VS_SO_GET_SERVICE(r0, 0x0, 0x483, &(0x7f0000000180), &(0x7f0000000280)=0x68) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/autofs\x00', 0x4000, 0x0) setsockopt$XDP_TX_RING(r1, 0x11b, 0x3, &(0x7f0000000080)=0x4, 0x4) [ 1053.700962] ? find_held_lock+0x36/0x1c0 [ 1053.703575] binder: 28783:28784 unknown command 0 [ 1053.707166] ? __lock_is_held+0xb5/0x140 [ 1053.707194] ? check_same_owner+0x320/0x320 [ 1053.713362] binder: 28783:28784 ioctl c0306201 2000dfd0 returned -22 [ 1053.716857] ? rcu_note_context_switch+0x710/0x710 [ 1053.716880] __should_failslab+0x124/0x180 [ 1053.716898] should_failslab+0x9/0x14 [ 1053.716914] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1053.716940] __kmalloc_node_track_caller+0x33/0x70 [ 1053.716959] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1053.813837] __alloc_skb+0x14d/0x780 [ 1053.817552] ? skb_scrub_packet+0x580/0x580 [ 1053.821874] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1053.827447] ? ip_generic_getfrag+0x11c/0x2d0 [ 1053.831945] ? ip_reply_glue_bits+0xc0/0xc0 [ 1053.836268] ? raw_getfrag+0x15b/0x220 [ 1053.840150] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1053.845165] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1053.850201] ? raw_destroy+0x30/0x30 [ 1053.853919] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1053.859717] ? ipv4_mtu+0x375/0x580 [ 1053.863343] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1053.868807] ? lock_acquire+0x1dc/0x520 [ 1053.872778] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1053.878307] ? ip_setup_cork+0x4dc/0x7c0 [ 1053.882360] ip_append_data.part.48+0xf3/0x180 [ 1053.886936] ? raw_destroy+0x30/0x30 [ 1053.890652] ip_append_data+0x6d/0x90 [ 1053.894456] ? raw_destroy+0x30/0x30 [ 1053.898166] raw_sendmsg+0x1dae/0x29b0 [ 1053.902068] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1053.907169] ? rcu_report_qs_rnp+0x790/0x790 [ 1053.911578] ? graph_lock+0x170/0x170 [ 1053.915380] ? expand_files.part.8+0x9a0/0x9a0 [ 1053.919954] ? check_same_owner+0x320/0x320 [ 1053.924297] ? lock_downgrade+0x8e0/0x8e0 [ 1053.928443] ? lock_release+0xa10/0xa10 [ 1053.932406] ? check_same_owner+0x320/0x320 [ 1053.936726] ? __check_object_size+0x95/0x5d9 [ 1053.941218] inet_sendmsg+0x19f/0x690 [ 1053.945018] ? __might_sleep+0x95/0x190 [ 1053.948986] ? ipip_gro_receive+0x100/0x100 [ 1053.953299] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1053.958827] ? security_socket_sendmsg+0x94/0xc0 [ 1053.963576] ? ipip_gro_receive+0x100/0x100 [ 1053.967897] sock_sendmsg+0xd5/0x120 [ 1053.971601] __sys_sendto+0x3d7/0x670 [ 1053.975398] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1053.980065] ? wait_for_completion+0x870/0x870 [ 1053.984643] ? __lock_is_held+0xb5/0x140 [ 1053.988707] ? __sb_end_write+0xac/0xe0 [ 1053.992674] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1053.998201] ? fput+0x130/0x1a0 [ 1054.001474] ? ksys_write+0x1a6/0x250 [ 1054.005270] ? __ia32_sys_read+0xb0/0xb0 [ 1054.009322] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1054.014853] __x64_sys_sendto+0xe1/0x1a0 [ 1054.018910] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1054.023921] do_syscall_64+0x1b1/0x800 [ 1054.027800] ? finish_task_switch+0x1ca/0x840 [ 1054.032289] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1054.037219] ? syscall_return_slowpath+0x30f/0x5c0 [ 1054.042163] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1054.047525] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1054.052370] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1054.057548] RIP: 0033:0x4559f9 [ 1054.060725] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1054.080098] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1054.087797] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1054.095053] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1054.102310] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1054.109588] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 05:00:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:00:57 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7a00, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:57 executing program 1 (fault-call:4 fault-nth:25): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1054.116847] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000018 05:00:57 executing program 4: r0 = accept$ax25(0xffffffffffffff9c, &(0x7f0000000000), &(0x7f0000000040)=0x10) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000080)=0x200, 0x4) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) recvmmsg(r1, &(0x7f0000007e40)=[{{0x0, 0x0, &(0x7f0000007d80), 0x0, &(0x7f0000007e00)=""/52, 0x34}}], 0x1, 0x10040, &(0x7f0000008040)) 05:00:57 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) fcntl$getflags(r3, 0x40b) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:00:57 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x400000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1054.194373] binder: 28798:28799 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1054.208861] binder: 28800:28803 ERROR: BC_REGISTER_LOOPER called without request [ 1054.277874] binder: 28798:28799 BC_FREE_BUFFER u0000000000000000 no match [ 1054.292022] FAULT_INJECTION: forcing a failure. [ 1054.292022] name failslab, interval 1, probability 0, space 0, times 0 [ 1054.303325] CPU: 1 PID: 28814 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1054.310694] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1054.320037] Call Trace: [ 1054.322623] dump_stack+0x1b9/0x294 [ 1054.326244] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1054.331428] ? perf_trace_lock_acquire+0xe3/0x980 [ 1054.336261] ? unwind_get_return_address+0x61/0xa0 [ 1054.341183] ? graph_lock+0x170/0x170 [ 1054.344980] should_fail.cold.4+0xa/0x1a [ 1054.349059] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1054.354171] ? __lock_is_held+0xb5/0x140 [ 1054.358220] ? __kmalloc_node_track_caller+0x47/0x70 [ 1054.363312] ? graph_lock+0x170/0x170 [ 1054.367106] ? __x64_sys_sendto+0xe1/0x1a0 [ 1054.371333] ? find_held_lock+0x36/0x1c0 [ 1054.375390] ? __lock_is_held+0xb5/0x140 [ 1054.379448] ? check_same_owner+0x320/0x320 [ 1054.383763] ? rcu_note_context_switch+0x710/0x710 [ 1054.388681] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1054.393950] __should_failslab+0x124/0x180 [ 1054.398172] should_failslab+0x9/0x14 [ 1054.401968] kmem_cache_alloc_node+0x272/0x780 [ 1054.406539] ? __kmalloc_node_track_caller+0x47/0x70 [ 1054.411635] __alloc_skb+0x111/0x780 [ 1054.415347] ? skb_scrub_packet+0x580/0x580 [ 1054.419664] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1054.425193] ? ip_generic_getfrag+0x11c/0x2d0 [ 1054.429682] ? ip_reply_glue_bits+0xc0/0xc0 [ 1054.433998] ? raw_getfrag+0x15b/0x220 [ 1054.437877] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1054.442922] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1054.447947] ? raw_destroy+0x30/0x30 [ 1054.451657] ? perf_trace_lock+0x900/0x900 [ 1054.455899] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1054.461712] ? ipv4_mtu+0x375/0x580 [ 1054.465338] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1054.470809] ? lock_acquire+0x1dc/0x520 [ 1054.474776] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1054.480303] ? ip_setup_cork+0x4dc/0x7c0 [ 1054.484357] ip_append_data.part.48+0xf3/0x180 [ 1054.488934] ? raw_destroy+0x30/0x30 [ 1054.493332] ip_append_data+0x6d/0x90 [ 1054.497128] ? raw_destroy+0x30/0x30 [ 1054.500835] raw_sendmsg+0x1dae/0x29b0 [ 1054.504730] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1054.509831] ? graph_lock+0x170/0x170 [ 1054.513626] ? expand_files.part.8+0x9a0/0x9a0 [ 1054.518220] ? lock_downgrade+0x8e0/0x8e0 [ 1054.522363] ? lock_release+0xa10/0xa10 [ 1054.526342] ? __check_object_size+0x95/0x5d9 [ 1054.530830] inet_sendmsg+0x19f/0x690 [ 1054.534617] ? __might_sleep+0x95/0x190 [ 1054.538593] ? ipip_gro_receive+0x100/0x100 [ 1054.542906] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1054.548438] ? security_socket_sendmsg+0x94/0xc0 [ 1054.553185] ? ipip_gro_receive+0x100/0x100 [ 1054.557496] sock_sendmsg+0xd5/0x120 [ 1054.561203] __sys_sendto+0x3d7/0x670 [ 1054.565010] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1054.569674] ? wait_for_completion+0x870/0x870 [ 1054.574248] ? __lock_is_held+0xb5/0x140 [ 1054.578308] ? __sb_end_write+0xac/0xe0 [ 1054.582271] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1054.587793] ? fput+0x130/0x1a0 [ 1054.591059] ? ksys_write+0x1a6/0x250 [ 1054.594851] ? __ia32_sys_read+0xb0/0xb0 [ 1054.598903] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1054.604448] __x64_sys_sendto+0xe1/0x1a0 [ 1054.608498] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1054.613505] do_syscall_64+0x1b1/0x800 [ 1054.617390] ? finish_task_switch+0x1ca/0x840 [ 1054.621893] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1054.626827] ? syscall_return_slowpath+0x30f/0x5c0 [ 1054.631752] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1054.637106] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1054.641941] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1054.647118] RIP: 0033:0x4559f9 [ 1054.650295] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1054.669573] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1054.677270] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1054.684526] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1054.691782] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1054.699039] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1054.706294] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000019 [ 1054.715121] binder: 28800:28803 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1054.723409] binder: 28800:28803 unknown command 0 05:00:58 executing program 4: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000080)=@assoc_value={0x0, 0x1bc}, 0x8) getsockopt$IP6T_SO_GET_INFO(r0, 0x29, 0x40, &(0x7f00000000c0)={'nat\x00'}, &(0x7f0000000140)=0x54) getsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000000)=@assoc_id=0x0, &(0x7f0000000040)=0x4) setsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r0, 0x84, 0x71, &(0x7f00000001c0)={r1}, 0x8) [ 1054.737920] binder: 28798:28799 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1054.749936] binder: 28798:28799 BC_FREE_BUFFER u0000000000000000 no match [ 1054.759184] binder: 28800:28803 ioctl c0306201 2000dfd0 returned -22 [ 1054.823842] sctp: [Deprecated]: syz-executor4 (pid 28825) Use of int in maxseg socket option. [ 1054.823842] Use struct sctp_assoc_value instead [ 1054.882968] sctp: [Deprecated]: syz-executor4 (pid 28825) Use of int in maxseg socket option. [ 1054.882968] Use struct sctp_assoc_value instead [ 1055.136455] ALSA: seq fatal error: cannot create timer (-22) 05:00:58 executing program 7: socketpair$inet6_icmp_raw(0xa, 0x3, 0x3a, &(0x7f0000000040)={0xffffffffffffffff}) setsockopt$inet6_buf(r0, 0x29, 0x2b, &(0x7f00000000c0)="f4d0ff357cc71f9cb4ce69788fae37fac37dcef2a368", 0x16) syz_emit_ethernet(0x140, &(0x7f0000000080)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}, @link_local={0x1, 0x80, 0xc2}, [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0xf401, 0x0, @remote={0xac, 0x1c, 0x14, 0xbb}, @local={0xac, 0x14, 0x14, 0xaa}}, @igmp={0x8, 0x0, 0x0, @broadcast=0xffffffff}}}}}, &(0x7f0000000000)) syz_emit_ethernet(0x102, &(0x7f0000000100)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}, @local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}, [], {@x25={0x805, {0x3, 0x3ff, 0xfd, "6488373f2d72cebe3531d882af705d88211b89380f4b7588f0633fcc84af1219de324dc8c4d309f03150917875d7570e61429a36b370a18c9dfb02a6507dd6d9a1533fde6132ad98094e1effdaa49c649a190dad79b62f4f9a659ca6cf623c746201fe51b1c26a35a5753915a79fa316a44a8d727631595e481d1e98f618509a0eb0d3ce6fd016cf07bd98cb6de083857a2535d1db051fcaa314b7a1a7994850a8420e53c32481b83bd9524931694ae69aeaf0085cf6c1f24e86c3ca91af06386d2750be017ddadcd61d1ee7f343719c004b7c1fe13cac2111489cf9d2bf5a7fbdeb05e25b341ae2a07e60caa98801582c"}}}}, 0x0) 05:00:58 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3f00}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:58 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/ar]\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f00000001c0)='/dev/net/tun\x00', 0x0, 0x210000) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x400000890e, &(0x7f0000000000)="295ee1bfc9868c29668e94") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:00:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) socket$inet6(0xa, 0x1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) getresuid(&(0x7f0000000040), &(0x7f0000000080), &(0x7f00000000c0)) accept4$vsock_stream(0xffffffffffffffff, &(0x7f00000001c0)={0x28, 0x0, 0x2710, @hyper}, 0x10, 0x80800) 05:00:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x100000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:00:58 executing program 1 (fault-call:4 fault-nth:26): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:00:58 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xa00000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:00:58 executing program 4: r0 = openat$vsock(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/vsock\x00', 0x0, 0x0) ioctl$KDGKBMETA(r0, 0x7b9, &(0x7f0000000480)) setsockopt$EBT_SO_SET_COUNTERS(r0, 0x0, 0x81, &(0x7f0000000080)=ANY=[@ANYBLOB="73656375726974790000000000000000000000000000000000005a000000000000000000000000000000000000000000000000ffea00000000"], 0x48) setsockopt$inet_dccp_buf(r0, 0x21, 0xcc, &(0x7f0000000040)="45e4066727bdca145c125bd5170360acb98c588e22cac057c13995c8b53791d8fdbcf7e064f5a6848d000000000000000000000000", 0x35) getsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000000)={0x0, 0x6}, &(0x7f0000000100)=0x8) fcntl$getownex(r0, 0x10, &(0x7f00000000c0)={0x0, 0x0}) ioctl$TIOCSPGRP(r0, 0x5410, &(0x7f0000000240)=r2) getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x1f, &(0x7f0000000140)={r1, @in6={{0xa, 0x4e21, 0x3ff, @empty, 0x1}}, 0x10000, 0x1f}, &(0x7f0000000200)=0x90) [ 1055.305847] ALSA: seq fatal error: cannot create timer (-22) [ 1055.339984] binder: 28837:28838 ERROR: BC_REGISTER_LOOPER called without request [ 1055.350757] Unknown ioctl 21520 05:00:58 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) r4 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x2, 0x0) getpeername$packet(r0, &(0x7f0000000140)={0x0, 0x0, 0x0}, &(0x7f00000001c0)=0x14) ioctl$TUNSETIFINDEX(r4, 0x400454da, &(0x7f0000000240)=r5) [ 1055.354338] binder: 28836:28845 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1055.368805] FAULT_INJECTION: forcing a failure. [ 1055.368805] name failslab, interval 1, probability 0, space 0, times 0 [ 1055.380092] CPU: 1 PID: 28843 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1055.387031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1055.396399] Call Trace: [ 1055.399008] dump_stack+0x1b9/0x294 [ 1055.402657] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1055.407870] ? is_bpf_text_address+0xd7/0x170 [ 1055.412385] ? kernel_text_address+0x79/0xf0 [ 1055.416826] ? __unwind_start+0x166/0x330 [ 1055.421004] should_fail.cold.4+0xa/0x1a [ 1055.425086] ? __save_stack_trace+0x7e/0xd0 [ 1055.429436] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1055.434565] ? graph_lock+0x170/0x170 [ 1055.438387] ? save_stack+0x43/0xd0 [ 1055.442023] ? kasan_kmalloc+0xc4/0xe0 [ 1055.445924] ? kasan_slab_alloc+0x12/0x20 [ 1055.450090] ? find_held_lock+0x36/0x1c0 [ 1055.454168] ? __lock_is_held+0xb5/0x140 [ 1055.458256] ? check_same_owner+0x320/0x320 [ 1055.462594] ? rcu_note_context_switch+0x710/0x710 [ 1055.467531] __should_failslab+0x124/0x180 [ 1055.471761] should_failslab+0x9/0x14 [ 1055.475556] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1055.480653] __kmalloc_node_track_caller+0x33/0x70 [ 1055.485585] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1055.490347] __alloc_skb+0x14d/0x780 [ 1055.494054] ? skb_scrub_packet+0x580/0x580 [ 1055.498369] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1055.503896] ? ip_generic_getfrag+0x11c/0x2d0 [ 1055.508396] ? ip_reply_glue_bits+0xc0/0xc0 [ 1055.512720] ? raw_getfrag+0x15b/0x220 [ 1055.516596] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1055.521605] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1055.526613] ? raw_destroy+0x30/0x30 [ 1055.530326] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1055.536117] ? ipv4_mtu+0x375/0x580 [ 1055.539732] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1055.545177] ? lock_acquire+0x1dc/0x520 [ 1055.549140] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1055.554664] ? ip_setup_cork+0x4dc/0x7c0 [ 1055.558716] ip_append_data.part.48+0xf3/0x180 [ 1055.563312] ? raw_destroy+0x30/0x30 [ 1055.567029] ip_append_data+0x6d/0x90 [ 1055.570820] ? raw_destroy+0x30/0x30 [ 1055.574523] raw_sendmsg+0x1dae/0x29b0 [ 1055.578428] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1055.583519] ? rcu_report_qs_rnp+0x790/0x790 [ 1055.587924] ? graph_lock+0x170/0x170 [ 1055.591720] ? expand_files.part.8+0x9a0/0x9a0 [ 1055.596291] ? check_same_owner+0x320/0x320 [ 1055.600613] ? lock_downgrade+0x8e0/0x8e0 [ 1055.604747] ? lock_release+0xa10/0xa10 [ 1055.608711] ? check_same_owner+0x320/0x320 [ 1055.613023] ? __check_object_size+0x95/0x5d9 [ 1055.617508] inet_sendmsg+0x19f/0x690 [ 1055.621298] ? __might_sleep+0x95/0x190 [ 1055.625260] ? ipip_gro_receive+0x100/0x100 [ 1055.629572] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1055.635101] ? security_socket_sendmsg+0x94/0xc0 [ 1055.639842] ? ipip_gro_receive+0x100/0x100 [ 1055.644155] sock_sendmsg+0xd5/0x120 [ 1055.647860] __sys_sendto+0x3d7/0x670 [ 1055.651666] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1055.656326] ? wait_for_completion+0x870/0x870 [ 1055.660907] ? __lock_is_held+0xb5/0x140 [ 1055.664965] ? __sb_end_write+0xac/0xe0 [ 1055.668932] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1055.674452] ? fput+0x130/0x1a0 [ 1055.677724] ? ksys_write+0x1a6/0x250 [ 1055.681516] ? __ia32_sys_read+0xb0/0xb0 [ 1055.685562] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1055.691091] __x64_sys_sendto+0xe1/0x1a0 [ 1055.695144] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1055.700147] do_syscall_64+0x1b1/0x800 [ 1055.704023] ? finish_task_switch+0x1ca/0x840 [ 1055.708515] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1055.713433] ? syscall_return_slowpath+0x30f/0x5c0 [ 1055.718356] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1055.723728] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1055.728563] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1055.733736] RIP: 0033:0x4559f9 [ 1055.736913] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1055.756163] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1055.763860] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1055.771116] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1055.778371] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1055.785627] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1055.792899] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001a 05:00:59 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x500}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:00:59 executing program 4: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000040)=0x0) r3 = getpgrp(0x0) kcmp(r2, r3, 0x2, r1, r1) listen(r1, 0xffefffffffffff7f) r4 = socket$inet6_sctp(0xa, 0x0, 0x84) sendto$inet6(r4, &(0x7f0000e33fe0)='X', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c) setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r4, 0x84, 0x72, &(0x7f0000000080)={0x0, 0x2, 0x30}, 0xffffffffffffff3e) write$binfmt_misc(r4, &(0x7f0000000240)=ANY=[@ANYBLOB="005c9227"], 0xfec7) [ 1055.808810] binder: 28836:28845 BC_FREE_BUFFER u0000000000000000 no match [ 1055.823416] binder: 28837:28860 ERROR: BC_REGISTER_LOOPER called without request 05:00:59 executing program 7: r0 = perf_event_open(&(0x7f0000000200)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000000)={0x0, 0x6}, 0x4) close(r0) [ 1055.859921] binder: 28836:28845 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:00:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = dup3(r0, r0, 0x80000) ioctl$EVIOCGKEYCODE(r1, 0x80084504, &(0x7f00000001c0)=""/27) r2 = socket$inet6(0xa, 0x1, 0x6) r3 = syz_open_dev$midi(&(0x7f0000000080)='/dev/midi#\x00', 0x200, 0xc4000) r4 = geteuid() ioctl$FIBMAP(r3, 0x1, &(0x7f0000000180)=0x17) ioctl$TUNSETOWNER(r3, 0x400454cc, r4) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB='\x00 \x00\x00'], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)=ANY=[], 0xe8, 0x0, &(0x7f0000000440)="6d468d291b42b407eeaee7a386b724499073b282ae72564d688d53c1d0307633d2143a1a33824ab420a729f99c4d6ea22a102ad20c79db3de07958df29647add281fc0526d7ac998a7752806752359a191ed143e32b5e218a20f43b131cf840859f7ed4c89824417fe4d39e3690b63d6f399350b59a73ee74fb36d0b52d7bd6cb24fe69816fae51abc084ed34f964b5e70b0b392c5b118aaf11c38fc88e466d07e45d2dccca7e02c647103b34fad4b8eb9ed2036abf8a2c79b6eab5f065bdfa193b2282fbe7e34e4a368999d65b15d4e4be65b9c59bafa7150065b9ffe76080000a359a38f171e55"}) poll(&(0x7f0000000040)=[{r2, 0x9000}, {r0, 0xa}, {r2, 0x1000}], 0x3, 0xffffffffffffff7f) ioctl$SNDRV_SEQ_IOCTL_PVERSION(r3, 0x80045300, &(0x7f00000000c0)) 05:00:59 executing program 1 (fault-call:4 fault-nth:27): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1055.902934] binder: 28836:28845 BC_FREE_BUFFER u0000000000000000 no match [ 1056.025494] FAULT_INJECTION: forcing a failure. [ 1056.025494] name failslab, interval 1, probability 0, space 0, times 0 [ 1056.036928] CPU: 1 PID: 28882 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1056.043868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1056.053217] Call Trace: [ 1056.055806] dump_stack+0x1b9/0x294 [ 1056.059444] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1056.064628] ? perf_trace_lock_acquire+0xe3/0x980 [ 1056.069459] ? unwind_get_return_address+0x61/0xa0 [ 1056.074376] ? graph_lock+0x170/0x170 [ 1056.078173] should_fail.cold.4+0xa/0x1a [ 1056.082232] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1056.087330] ? __lock_is_held+0xb5/0x140 [ 1056.091397] ? __kmalloc_node_track_caller+0x47/0x70 [ 1056.096490] ? graph_lock+0x170/0x170 [ 1056.100284] ? __x64_sys_sendto+0xe1/0x1a0 [ 1056.104514] ? find_held_lock+0x36/0x1c0 [ 1056.108571] ? __lock_is_held+0xb5/0x140 [ 1056.112628] ? check_same_owner+0x320/0x320 [ 1056.116951] ? rcu_note_context_switch+0x710/0x710 [ 1056.121872] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1056.127141] __should_failslab+0x124/0x180 [ 1056.131368] should_failslab+0x9/0x14 [ 1056.135158] kmem_cache_alloc_node+0x272/0x780 [ 1056.139734] ? __kmalloc_node_track_caller+0x47/0x70 [ 1056.144831] __alloc_skb+0x111/0x780 [ 1056.148535] ? skb_scrub_packet+0x580/0x580 [ 1056.152847] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1056.158376] ? ip_generic_getfrag+0x11c/0x2d0 [ 1056.162867] ? ip_reply_glue_bits+0xc0/0xc0 [ 1056.167184] ? raw_getfrag+0x15b/0x220 [ 1056.171060] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1056.176068] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1056.181079] ? raw_destroy+0x30/0x30 [ 1056.184782] ? perf_trace_lock+0x900/0x900 [ 1056.189054] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1056.194849] ? __schedule+0x809/0x1e30 [ 1056.198731] ? ipv4_mtu+0x375/0x580 [ 1056.202347] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1056.207796] ? lock_acquire+0x1dc/0x520 [ 1056.211762] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1056.217293] ? ip_setup_cork+0x4dc/0x7c0 [ 1056.221353] ip_append_data.part.48+0xf3/0x180 [ 1056.225928] ? raw_destroy+0x30/0x30 [ 1056.229635] ip_append_data+0x6d/0x90 [ 1056.233433] ? raw_destroy+0x30/0x30 [ 1056.237142] raw_sendmsg+0x1dae/0x29b0 [ 1056.241029] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1056.246132] ? graph_lock+0x170/0x170 [ 1056.249928] ? expand_files.part.8+0x9a0/0x9a0 [ 1056.254514] ? lock_downgrade+0x8e0/0x8e0 [ 1056.258659] ? lock_release+0xa10/0xa10 [ 1056.262623] ? __check_object_size+0x95/0x5d9 [ 1056.267268] inet_sendmsg+0x19f/0x690 [ 1056.271057] ? __might_sleep+0x95/0x190 [ 1056.275019] ? ipip_gro_receive+0x100/0x100 [ 1056.279445] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1056.284975] ? security_socket_sendmsg+0x94/0xc0 [ 1056.289721] ? ipip_gro_receive+0x100/0x100 [ 1056.294033] sock_sendmsg+0xd5/0x120 [ 1056.297741] __sys_sendto+0x3d7/0x670 [ 1056.301535] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1056.306214] ? wait_for_completion+0x870/0x870 [ 1056.310789] ? __lock_is_held+0xb5/0x140 [ 1056.314847] ? __sb_end_write+0xac/0xe0 [ 1056.318812] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1056.324334] ? fput+0x130/0x1a0 [ 1056.327602] ? ksys_write+0x1a6/0x250 [ 1056.331395] ? __ia32_sys_read+0xb0/0xb0 [ 1056.335449] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1056.340981] __x64_sys_sendto+0xe1/0x1a0 [ 1056.345032] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1056.350041] do_syscall_64+0x1b1/0x800 [ 1056.353915] ? finish_task_switch+0x1ca/0x840 [ 1056.358401] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1056.363324] ? syscall_return_slowpath+0x30f/0x5c0 [ 1056.368247] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1056.373612] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1056.378445] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1056.383619] RIP: 0033:0x4559f9 [ 1056.386792] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1056.406098] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1056.413797] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1056.421053] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1056.428311] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1056.435565] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1056.442823] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001b [ 1056.459587] binder: 28879:28883 unknown command 8192 [ 1056.476834] binder: 28879:28883 ioctl c0306201 20000140 returned -22 05:01:00 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6800000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:00 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x5800}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:00 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7400000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:00 executing program 4: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x3, 0x101080) socketpair(0x1, 0x80000, 0x802, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) r4 = fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) socketpair$inet(0x2, 0x5, 0x1, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$FIDEDUPERANGE(r0, 0xc0189436, &(0x7f0000000140)={0x392e, 0xa8, 0x5, 0x0, 0x0, [{r1, 0x0, 0x9}, {r2, 0x0, 0x2246095b}, {r3, 0x0, 0x1}, {r4, 0x0, 0x401}, {r5}]}) r6 = socket$inet6(0xa, 0x1, 0x0) ioctl(r6, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r7 = socket$nl_route(0x10, 0x3, 0x0) syz_open_dev$sndpcmc(&(0x7f00000000c0)='/dev/snd/pcmC#D#c\x00', 0x1, 0x401) sendmsg$nl_route(r7, &(0x7f00000004c0)={&(0x7f0000000100)={0x10}, 0xc, &(0x7f0000000200)={&(0x7f0000000500)=ANY=[@ANYBLOB="40000000100007000000000000000000000000007ab8c83523e4ee071a3867d1f6872ffcf3c2fc2a520095766a2b99f8626acb154b07000000a27f3ef0f620e24c79ffab2cfb827715cd57969da3085f4b9f179cdb6d545b92be25dc68fbc41c7cfa5a1eb02aefa2589ae3357ed5d10c8c01b02878c96baaab7c727a99c3f914375cb9ba6d35b1d60259229ef2a98bd0339f582884ed1a46ca49c3412156bbb1baaadc684f8d4d73a6d0ce571dcb92dd741f1c3a15a591ae8d93526b16a09569844c01d42d67f729c8d2572d336c308dd11ea1a36a0a999241726ba7716fe04ed7a5c31726b9c4db04df6e5341de793ee86c89afd54b183c5e2c85ce37af95ae3191c288d9ff31d0af55cf8414f7bea99d", @ANYRES32=0x0, @ANYBLOB="0000000000000000140003006c6f00000000000000000000000000000c000100aaaaaaaaaa000000"], 0x40}, 0x1}, 0x0) setsockopt$inet_tcp_TCP_MD5SIG(r5, 0x6, 0xe, &(0x7f0000000240)={@in6={{0xa, 0x4e22, 0x5, @remote={0xfe, 0x80, [], 0xbb}}}, 0xfffffffffffffffc, 0x10000, 0x6, "beebf8826f90cfd01653196b90fe238e35f79972a7e1c060e387c8dda1ff7bbd0e03aaa1710e3d48fdc1d01a3a91d1c8aaa5a27fed5db1ab9e1a35ad369613f893f756fb801b2db9751cda3cfa7fa277"}, 0xd8) 05:01:00 executing program 7: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text64={0x40, &(0x7f0000000500)="0f0866b8ed008ec066ba4000b000eed2a807000000410f01cab98e0b0000b862000000ba000000000f30b90b0800000f320fc72a8f2a60128f00000000003000000fc7aa00100000", 0x48}], 0x1, 0x5d, &(0x7f0000000580), 0x0) ioctl$KVM_SET_CPUID(0xffffffffffffffff, 0x4008ae8a, &(0x7f0000000000)=ANY=[@ANYBLOB="00eaf17c"]) ioctl$SNDRV_RAWMIDI_IOCTL_PARAMS(r1, 0xc0305710, &(0x7f0000000040)={0x1, 0x4, 0xc96, 0x1}) ioctl$KVM_RUN(r2, 0xae80, 0x0) 05:01:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="2bc5df63000065cff200131c20d5401d57cb5997b17223506df2fb5c62b231162de531c81ac33f2f5dba1a4eab0cb6d0247784cd0fa38383786f20fbe349de8f4af885e0c9130b4012866923ce810dcd6561a409698caf45f369dcbba6d992e9c31f9bc21c55bb1b43d42290c11e01ab7c22227f75f42ea50d6152cdaac38c1f0c4505473f75336fbd3730"], 0x0, 0x0, &(0x7f0000000040)}) ioctl(r1, 0x5, &(0x7f0000000040)="8d470785278abc485f7f49ae9e8db6b7ba4d2eee416b10f6f3271ab93942927b6ec68fb83c7bfb0b8f06ab") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:01:00 executing program 1 (fault-call:4 fault-nth:28): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:00 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) getpeername$inet6(r0, &(0x7f0000000040)={0x0, 0x0, 0x0, @mcast2}, &(0x7f0000000080)=0x1c) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) getsockopt$inet_sctp6_SCTP_STATUS(r0, 0x84, 0xe, &(0x7f0000000240)={0x0, 0x7, 0x800, 0x4a3f, 0x9, 0x8, 0x7, 0x4, {0x0, @in={{0x2, 0x4e24, @rand_addr=0xa700}}, 0x6, 0x8, 0xffff, 0x1, 0x200}}, &(0x7f0000000140)=0xb0) getsockopt$inet_sctp_SCTP_RESET_STREAMS(r0, 0x84, 0x77, &(0x7f00000001c0)={r4, 0x4, 0x1, [0x7cb]}, &(0x7f0000000300)=0xa) [ 1056.579463] binder: 28898:28905 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1056.602900] FAULT_INJECTION: forcing a failure. [ 1056.602900] name failslab, interval 1, probability 0, space 0, times 0 [ 1056.614301] CPU: 0 PID: 28908 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1056.621237] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1056.630602] Call Trace: [ 1056.633216] dump_stack+0x1b9/0x294 [ 1056.636861] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1056.642044] ? is_bpf_text_address+0xd7/0x170 [ 1056.646531] ? kernel_text_address+0x79/0xf0 [ 1056.650928] ? __unwind_start+0x166/0x330 [ 1056.655066] should_fail.cold.4+0xa/0x1a [ 1056.659114] ? __save_stack_trace+0x7e/0xd0 [ 1056.663424] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1056.668534] ? graph_lock+0x170/0x170 [ 1056.672324] ? save_stack+0x43/0xd0 [ 1056.675952] ? kasan_kmalloc+0xc4/0xe0 [ 1056.679827] ? kasan_slab_alloc+0x12/0x20 [ 1056.683963] ? find_held_lock+0x36/0x1c0 [ 1056.688013] ? __lock_is_held+0xb5/0x140 [ 1056.692071] ? check_same_owner+0x320/0x320 [ 1056.696382] ? rcu_note_context_switch+0x710/0x710 [ 1056.701312] __should_failslab+0x124/0x180 [ 1056.705543] should_failslab+0x9/0x14 [ 1056.709331] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1056.714447] __kmalloc_node_track_caller+0x33/0x70 [ 1056.719365] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1056.724111] __alloc_skb+0x14d/0x780 [ 1056.727813] ? skb_scrub_packet+0x580/0x580 [ 1056.732123] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1056.737647] ? ip_generic_getfrag+0x11c/0x2d0 [ 1056.742134] ? ip_reply_glue_bits+0xc0/0xc0 [ 1056.746448] ? raw_getfrag+0x15b/0x220 [ 1056.750323] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1056.755345] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1056.760353] ? raw_destroy+0x30/0x30 [ 1056.764085] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1056.769881] ? ipv4_mtu+0x375/0x580 [ 1056.773501] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1056.778950] ? lock_acquire+0x1dc/0x520 [ 1056.782915] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1056.788438] ? ip_setup_cork+0x4dc/0x7c0 [ 1056.792488] ip_append_data.part.48+0xf3/0x180 [ 1056.797078] ? raw_destroy+0x30/0x30 [ 1056.800785] ip_append_data+0x6d/0x90 [ 1056.804575] ? raw_destroy+0x30/0x30 [ 1056.808281] raw_sendmsg+0x1dae/0x29b0 [ 1056.812171] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1056.817269] ? rcu_report_qs_rnp+0x790/0x790 [ 1056.821673] ? graph_lock+0x170/0x170 [ 1056.825466] ? expand_files.part.8+0x9a0/0x9a0 [ 1056.830036] ? check_same_owner+0x320/0x320 [ 1056.834356] ? lock_downgrade+0x8e0/0x8e0 [ 1056.838492] ? lock_release+0xa10/0xa10 [ 1056.842453] ? check_same_owner+0x320/0x320 [ 1056.846765] ? __check_object_size+0x95/0x5d9 [ 1056.851251] inet_sendmsg+0x19f/0x690 [ 1056.855035] ? __might_sleep+0x95/0x190 [ 1056.858995] ? ipip_gro_receive+0x100/0x100 [ 1056.863303] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1056.868830] ? security_socket_sendmsg+0x94/0xc0 [ 1056.873571] ? ipip_gro_receive+0x100/0x100 [ 1056.877883] sock_sendmsg+0xd5/0x120 [ 1056.881584] __sys_sendto+0x3d7/0x670 [ 1056.885388] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1056.890049] ? wait_for_completion+0x870/0x870 [ 1056.894641] ? __lock_is_held+0xb5/0x140 [ 1056.898699] ? __sb_end_write+0xac/0xe0 [ 1056.902663] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1056.908194] ? fput+0x130/0x1a0 [ 1056.911460] ? ksys_write+0x1a6/0x250 [ 1056.915252] ? __ia32_sys_read+0xb0/0xb0 [ 1056.919299] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1056.924840] __x64_sys_sendto+0xe1/0x1a0 [ 1056.928891] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1056.933896] do_syscall_64+0x1b1/0x800 [ 1056.937768] ? finish_task_switch+0x1ca/0x840 [ 1056.942253] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1056.947175] ? syscall_return_slowpath+0x30f/0x5c0 [ 1056.952093] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1056.957452] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1056.962284] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1056.967458] RIP: 0033:0x4559f9 [ 1056.970631] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1056.989879] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1056.997663] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1057.004917] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1057.012193] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1057.019459] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1057.026713] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001c [ 1057.036816] binder: 28898:28905 BC_FREE_BUFFER u0000000000000000 no match [ 1057.048460] binder: 28909:28913 unknown command 1675609387 [ 1057.069752] binder: 28909:28913 ioctl c0306201 20000140 returned -22 05:01:00 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}}, 0x8000000000008, {0x2, 0x3, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) ioctl$TUNSETQUEUE(r0, 0x400454d9, &(0x7f0000000040)={"72697430000080002700", 0x600}) 05:01:00 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xff0f}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:00 executing program 4: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f00000002c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'pcbc(des3_ede)\x00'}, 0x0) r1 = accept4(r0, 0x0, &(0x7f0000000100), 0x0) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000c18000)="ad56b6c5820fae9d6dcd3292ea54c7beef915d564c90c200", 0x18) openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x20000, 0x0) sendto$llc(r1, &(0x7f00000016c0)="57860e17f91a8bf2cce0b57ca2ab2c045cd3f8c8de9da5a89a518110615c1cbac1353b3f284b5fe5a1769a1fcacb04e9", 0x30, 0x0, 0x0, 0x0) recvmsg$kcm(r1, &(0x7f00000015c0)={&(0x7f0000000480)=@ipx, 0x80, &(0x7f0000000280)=[{&(0x7f00000000c0)=""/26, 0x1a}, {&(0x7f0000000500)=""/185, 0xb9}], 0x2, &(0x7f00000005c0)=""/4096, 0x1000}, 0x0) 05:01:00 executing program 1 (fault-call:4 fault-nth:29): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1057.077148] binder: 28898:28905 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1057.093633] binder: 28898:28905 BC_FREE_BUFFER u0000000000000000 no match [ 1057.107243] binder: 28909:28913 unknown command 0 [ 1057.112499] binder: 28909:28913 ioctl c0306201 2000dfd0 returned -22 05:01:00 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4800000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4, &(0x7f0000000040)="295ee1471fd516f4776710") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000080)={0x44, 0x0, &(0x7f0000000200)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x28, &(0x7f0000000180)=[@fd={0x66642a85, 0x0, r0, 0x0, 0x4}, @ptr={0x70742a85, 0x1, &(0x7f00000000c0), 0x1, 0x1, 0x38}, @fda={0x66646185, 0x2, 0x1, 0x23}], &(0x7f0000000100)=[0x38, 0x20, 0x78, 0x38, 0x40]}}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$PERF_EVENT_IOC_REFRESH(r1, 0x2402, 0x4) sysfs$3(0x3) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="0c63be00"], 0x0, 0x0, &(0x7f0000008f37)}) 05:01:00 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xffffff3f00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1057.244054] FAULT_INJECTION: forcing a failure. [ 1057.244054] name failslab, interval 1, probability 0, space 0, times 0 [ 1057.255390] CPU: 1 PID: 28931 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1057.262335] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1057.271696] Call Trace: [ 1057.274285] dump_stack+0x1b9/0x294 [ 1057.277907] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1057.283086] ? unwind_get_return_address+0x61/0xa0 [ 1057.288004] ? graph_lock+0x170/0x170 [ 1057.291796] should_fail.cold.4+0xa/0x1a [ 1057.295849] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1057.300939] ? __lock_is_held+0xb5/0x140 [ 1057.304987] ? __kmalloc_node_track_caller+0x47/0x70 [ 1057.310077] ? graph_lock+0x170/0x170 [ 1057.313865] ? __x64_sys_sendto+0xe1/0x1a0 [ 1057.318092] ? find_held_lock+0x36/0x1c0 [ 1057.322146] ? __lock_is_held+0xb5/0x140 [ 1057.326203] ? check_same_owner+0x320/0x320 [ 1057.330511] ? rcu_note_context_switch+0x710/0x710 [ 1057.335434] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1057.340702] __should_failslab+0x124/0x180 [ 1057.344926] should_failslab+0x9/0x14 [ 1057.348719] kmem_cache_alloc_node+0x272/0x780 [ 1057.353290] ? __kmalloc_node_track_caller+0x47/0x70 [ 1057.358385] __alloc_skb+0x111/0x780 [ 1057.362088] ? skb_scrub_packet+0x580/0x580 [ 1057.366403] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1057.371946] ? ip_generic_getfrag+0x11c/0x2d0 [ 1057.376431] ? ip_reply_glue_bits+0xc0/0xc0 [ 1057.380747] ? raw_getfrag+0x15b/0x220 [ 1057.384624] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1057.389637] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1057.394646] ? raw_destroy+0x30/0x30 [ 1057.398356] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1057.404150] ? ipv4_mtu+0x375/0x580 [ 1057.407768] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1057.413222] ? lock_acquire+0x1dc/0x520 [ 1057.417194] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1057.422719] ? ip_setup_cork+0x4dc/0x7c0 [ 1057.426779] ip_append_data.part.48+0xf3/0x180 [ 1057.431352] ? raw_destroy+0x30/0x30 [ 1057.435064] ip_append_data+0x6d/0x90 [ 1057.438853] ? raw_destroy+0x30/0x30 [ 1057.442560] raw_sendmsg+0x1dae/0x29b0 [ 1057.446444] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1057.451556] ? rcu_report_qs_rnp+0x790/0x790 [ 1057.455961] ? graph_lock+0x170/0x170 [ 1057.459754] ? expand_files.part.8+0x9a0/0x9a0 [ 1057.464322] ? check_same_owner+0x320/0x320 [ 1057.468644] ? lock_downgrade+0x8e0/0x8e0 [ 1057.472782] ? lock_release+0xa10/0xa10 [ 1057.476751] ? check_same_owner+0x320/0x320 [ 1057.481066] ? __check_object_size+0x95/0x5d9 [ 1057.485551] inet_sendmsg+0x19f/0x690 [ 1057.489336] ? __might_sleep+0x95/0x190 [ 1057.493298] ? ipip_gro_receive+0x100/0x100 [ 1057.497617] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1057.503146] ? security_socket_sendmsg+0x94/0xc0 [ 1057.507888] ? ipip_gro_receive+0x100/0x100 [ 1057.512198] sock_sendmsg+0xd5/0x120 [ 1057.515901] __sys_sendto+0x3d7/0x670 [ 1057.519697] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1057.524371] ? wait_for_completion+0x870/0x870 [ 1057.528941] ? __lock_is_held+0xb5/0x140 [ 1057.533001] ? __sb_end_write+0xac/0xe0 [ 1057.536971] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1057.542492] ? fput+0x130/0x1a0 [ 1057.545761] ? ksys_write+0x1a6/0x250 [ 1057.549553] ? __ia32_sys_read+0xb0/0xb0 [ 1057.553606] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1057.559135] __x64_sys_sendto+0xe1/0x1a0 [ 1057.563184] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1057.568191] do_syscall_64+0x1b1/0x800 [ 1057.572066] ? finish_task_switch+0x1ca/0x840 [ 1057.576553] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1057.581493] ? syscall_return_slowpath+0x30f/0x5c0 [ 1057.586411] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1057.591768] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1057.596604] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1057.601784] RIP: 0033:0x4559f9 [ 1057.604958] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1057.624198] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1057.631893] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1057.639150] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1057.646422] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1057.653677] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1057.660939] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001d 05:01:01 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x68000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1057.712921] binder: 28935:28938 got reply transaction with no transaction stack [ 1057.713159] binder: 28934:28936 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1057.720581] binder: 28935:28938 transaction failed 29201/-71, size 96-40 line 2759 [ 1057.743250] binder: 28934:28936 BC_FREE_BUFFER u0000000000000000 no match [ 1057.755008] binder: 28935:28938 got reply transaction with no transaction stack [ 1057.762567] binder: 28935:28938 transaction failed 29201/-71, size 96-40 line 2759 [ 1057.794568] binder: 28934:28936 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1057.831066] binder: 28934:28936 BC_FREE_BUFFER u0000000000000000 no match [ 1057.840535] binder: 28935:28942 unknown command 12477196 [ 1057.862869] binder: 28935:28942 ioctl c0306201 2000dfd0 returned -22 [ 1057.905976] binder: undelivered TRANSACTION_ERROR: 29201 [ 1057.913026] binder: undelivered TRANSACTION_ERROR: 29201 [ 1058.680846] ALSA: seq fatal error: cannot create timer (-22) 05:01:02 executing program 4: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x15, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl(r0, 0x8912, &(0x7f0000000240)="0047fc2f07d82c99240970") r1 = syz_open_dev$evdev(&(0x7f0000000040)='/dev/input/event#\x00', 0x1, 0x240) ioctl$EVIOCGABS2F(r1, 0x40044581, &(0x7f0000000080)=""/124) 05:01:02 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xa000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:02 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x400202, 0x0) r1 = socket$inet_tcp(0x2, 0x1, 0x0) syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000140)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:02 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") syz_mount_image$hfs(&(0x7f00000000c0)='hfs\x00', &(0x7f0000000200)='./file0\x00', 0x0, 0x0, &(0x7f00000002c0), 0x0, &(0x7f0000000300)={[{@part={'part', 0x3d, [0x30]}, 0x2c}]}) getsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000000000)={0x0, 0x7}, &(0x7f0000000040)=0x8) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000140)={r1, @in={{0x2, 0x4e20, @multicast2=0xe0000002}}}, &(0x7f0000000080)=0x84) 05:01:02 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x200000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0xffffff7f, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:02 executing program 1 (fault-call:4 fault-nth:30): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) close(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) [ 1058.850255] ALSA: seq fatal error: cannot create timer (-22) 05:01:02 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x600000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1058.910534] binder: 28963:28971 ERROR: BC_REGISTER_LOOPER called without request [ 1058.918624] binder: 28969:28972 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1058.946126] binder: 28963:28971 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1058.954371] binder: 28963:28971 unknown command 0 05:01:02 executing program 4: bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x0, 0x3, &(0x7f0000000840)=ANY=[@ANYBLOB="45965a5c4f0f3547a767c746a63771000030e12924ad83aa307f54faa1fd31e706138e83c0d9910e18d5cdbeb665ab090624fd7760c3e0fbe61ec89a127cfad56439f762faa5dbd3cafc5a3ce36201f2d42fbd54fb0fa6f86b2261a32c94e1c12866b190af3b4350c5154efdcd3bcc898b7758f3abbf96b50f4e9e56c94e6cb1960198aed5c835d4f7d8f3ee70e8559c273f101e684096fd160c6d867e2e8e2f0d2009155cd6e0600bffab865932772cecb43246ee0d63facc70e1260e68187a0fa3fe23b4229406e18fab3d22c2022a61228ad6bfa373971595564398d085dc9dee23a5c6980630def949cabbe451a7c004c55bb6abbebcf87a62918a20c067db1dd8f898cec15dba37d4e60c9661b52600ceb4b5ce45defef715917912e4baeacfb4e2a7a6ea2bbc3d7b2f2bc8d8aeed74c44a9febfa8656e80a2f6a2fd919f40500000000000000000000000000000000000000000000000000"], &(0x7f0000000000)="47504c00bc3047eb525f484f89fc96dd6ca64da40ff023122e66f6", 0x0, 0xce, &(0x7f0000000300)=""/206}, 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="180000000000000000000000028000006a0a00fffffff6006118"], &(0x7f0000000080)='syzkalleP\x00', 0x0, 0xce, &(0x7f0000000180)=""/206}, 0x48) bpf$PROG_LOAD(0x5, &(0x7f0000000400)={0xd, 0x5, &(0x7f0000000040)=ANY=[@ANYBLOB="180000049715f7cc2961ca4a362b2a20905c006149914d2ba81560793c3e000000000000400005c5"], &(0x7f0000000280)='GPL\x00', 0x9, 0x27d, &(0x7f0000000480)=""/187}, 0x48) r0 = socket(0x1d, 0x5, 0xffffffffffffffff) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f00000006c0)={{{@in=@dev, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in6=@dev}}, &(0x7f00000007c0)=0xe8) sendto$packet(r0, &(0x7f00000005c0)="9f958d4bf0ebe05e7de7cdc603443732ddc34311282cfc46d640910be2a0b4e31295502f01449e69f05dd74ac407f4ff113378419a9892f08ac2fd6cfc15bc09e796023c3f23f6bcfd4ab6b6111a8af2a5b7b8d4bff64437a9b3cf3b8a67e922fb114ceed34fedcb88d3c1b4cad2afa29357f63cc78becd73508d9b4df168df2829d90309f6461cf6b48815798fa27761d05db5f4504beb7cfdaf54c6e6aec91141a670b4f6c476a8350f5dfbc3ab930069128a90038c940f7d6f0a157c8c173fefe824dc4c98038f3765fc9e0f0ef8994f45069277519d57ca4035cc8b07e005e4acf9cd32ba5e7fecd02ec13dd44c2939b456a17b01bd6cbdcce", 0xfb, 0x20000001, &(0x7f0000000800)={0x11, 0x11, r1, 0x1, 0x0, 0x6, @local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0xaa}}, 0x14) [ 1058.965220] binder: 28969:28972 BC_FREE_BUFFER u0000000000000000 no match [ 1058.991468] binder: 28963:28971 ioctl c0306201 2000dfd0 returned -22 [ 1059.005108] binder: 28969:28972 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:02 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x10be}], 0x10000129) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c, &(0x7f0000000840)=ANY=[@ANYRES32=0x0, @ANYBLOB="3d000000a26d8a3850bfb5ad5f00749e730743030ba5fe5d88ca52907e95458fe77af8682fbf4dcdc5941e9d27de63944afd4a24a8ebf5e7b3d668b5218c45cdb54584d1480c4d"], &(0x7f00000007c0)=0x45) setsockopt$inet_sctp_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000000800)={r1, 0x5, 0x0, 0x722e1c3f, 0x1f, 0xfffffffffffffffd}, 0x14) r2 = socket$inet_tcp(0x2, 0x1, 0x0) r3 = syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0) connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x400, {0x7, 0x0, 0x1f, 0x7ff, 0x6, 0x4}, 0x8, 0xfffffffffffffff9}, 0xe) r4 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000004c0)={0x0, @in={{0x2, 0x4e23, @rand_addr=0x7}}, 0x7, 0xdf5, 0x2, 0x9, 0x20}, &(0x7f0000000580)=0x98) getsockopt$inet_sctp6_SCTP_MAXSEG(r4, 0x84, 0xd, &(0x7f00000005c0)=@assoc_id=r5, &(0x7f0000000600)=0x4) ioctl(r2, 0x3, &(0x7f0000000640)="f13a175477886a1f20d137cb692218a1d1801d210dc45c0584631d5947c75692a7625a1b245e474bb7533b8788eef6eb938490ea35301592efe2564d73d31c98a0e445cf8b535c8f06b7738644339b70a6a617622c301382975a0feedac86ddea77f6adea59928e39fed36485c9fa307ba1fb9832038a7a2f314e1bef1b3887b8f50a303efa58afcf5e7b0569d77ea0922c2d618e6f66b30bdf6970bd053d97ce7805eefdd0e8e2f9f7872ca3ce7dd4b59cd90026b41d61c42954defea18a22aae29c257ede3") ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r2, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0xd}}, "73797a6b616c6c65723000e7a95d3e00"}) r6 = add_key(&(0x7f00000002c0)='id_legacy\x00', &(0x7f0000000400)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000440)="0377f11f7d8a666be32211ed461b2bf25880ec48d6fdd014166e68eed97cc7fb6e745c83bb44c866071f2cba4bae834dd0f49cf90d8542dcd2bdd9f9b3af4d959ef0", 0x42, 0xfffffffffffffff8) add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000001c0)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000240)="7113085f8b027d9cf74048f7feb07f97d04e41dbfdece6eef0cfbf894176f463b1e95b6d8532fcf92943173903ad664083dfd06e5791cea6ca51ba5dc84ccd13f4c3e10951ffb7203e36a633609cad3aa520b245cb19395187cf2d6bb8f92f3fe6ad3833386b81ceb3261f613c3a42c3af472a0a180b3b5b0f92d23b21", 0x7d, r6) readv(r0, &(0x7f0000000080)=[{&(0x7f00000008c0)=""/242, 0xf2}], 0x1) 05:01:02 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf00}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1059.010610] hfs: can't find a HFS filesystem on dev loop7 05:01:02 executing program 4: r0 = getpid() sched_setattr(r0, &(0x7f0000000040)={0x0, 0x5, 0x0, 0x0, 0x3ff, 0x81, 0x0, 0xffffffffffffffff}, 0x0) pipe2(&(0x7f0000989000)={0xffffffffffffffff}, 0x0) mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r2 = userfaultfd(0x0) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000bc8000)={0xaa}) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000d62fe0)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r3 = creat(&(0x7f000009aff8)='./file0\x00', 0x0) write$sndseq(r3, &(0x7f0000011fd2)=[{0x0, 0x0, 0x0, 0x0, @time, {}, {}, @time=@time={0x77359400}}], 0x30) creat(&(0x7f0000000000)='./file0\x00', 0x0) mount(&(0x7f0000434ff8)='./file0\x00', &(0x7f0000abf000)='./file0\x00', &(0x7f0000f4c000)='jfs\x00', 0x1023402, 0x0) dup2(r1, r2) 05:01:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") syncfs(r1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=ANY=[@ANYBLOB="03000000"], 0x0, 0x0, &(0x7f0000008f37)}) [ 1059.056498] binder: 28969:28972 BC_FREE_BUFFER u0000000000000000 no match [ 1059.088706] hfs: can't find a HFS filesystem on dev loop7 05:01:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0xfffffdfd, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:02 executing program 7: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1=0xe0000001}, 0x10) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000b86000)={0x1, &(0x7f0000f40ff8)=[{0x6, 0x0, 0x0, 0xe8}]}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000000)='bbr\x00', 0x4) sendto$inet(r0, &(0x7f0000a88f88), 0x29f, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @loopback=0x7f000001}, 0x10) writev(r0, &(0x7f0000000480)=[{&(0x7f0000000380)="c4080de14c9ccfb5bc39e3e10fc33d6e4d1466a79d03115d0f09cc2adabf6b697b80c3fe1da8e38a755b239d4b781ec9a56a4ab4d6027b2480645ee2b1128c91663dbaaa4936aaa5679d38021ac8219e2dbd5889042e0b8143f5c60bc14ca7d7f385a2e76b071313901e037ec6c052a633761efdb7c764a4737793a105c238449950a2e4ee1f24d3a944e85fa0ada661db998dbcb67a6ee5c47e7e2ed47a4e8ecb1525045df1323c8f79fbd98e4195f530bc1c3701abf6d4b139d0e6382399e8c99a3e771f8d3c21b0", 0xc9}], 0x1) sendto$inet(r0, &(0x7f0000000180)="db", 0x1, 0x41, &(0x7f0000000100)={0x2, 0x0, @rand_addr}, 0x10) sendto$inet(r0, &(0x7f00000001c0)="f7", 0x1, 0x0, &(0x7f0000000140)={0x2, 0x0, @loopback=0x7f000001}, 0x10) write$binfmt_elf32(r0, &(0x7f0000000b40)=ANY=[@ANYBLOB="7f454c46000000000000000000000000000000000000000000000800380008000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000fdff00000000"], 0x58) [ 1059.229387] FAULT_INJECTION: forcing a failure. [ 1059.229387] name failslab, interval 1, probability 0, space 0, times 0 [ 1059.236506] binder: 29007:29010 ERROR: BC_REGISTER_LOOPER called without request [ 1059.240789] CPU: 0 PID: 28995 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1059.255154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1059.255348] binder: 29011:29015 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1059.264512] Call Trace: [ 1059.264540] dump_stack+0x1b9/0x294 [ 1059.264562] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1059.264580] ? is_bpf_text_address+0xd7/0x170 [ 1059.264597] ? kernel_text_address+0x79/0xf0 [ 1059.264610] ? __unwind_start+0x166/0x330 [ 1059.264628] should_fail.cold.4+0xa/0x1a [ 1059.264647] ? __save_stack_trace+0x7e/0xd0 [ 1059.304278] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1059.309378] ? graph_lock+0x170/0x170 [ 1059.313167] ? save_stack+0x43/0xd0 [ 1059.316777] ? kasan_kmalloc+0xc4/0xe0 [ 1059.320651] ? kasan_slab_alloc+0x12/0x20 [ 1059.324788] ? find_held_lock+0x36/0x1c0 [ 1059.328839] ? __lock_is_held+0xb5/0x140 [ 1059.332893] ? check_same_owner+0x320/0x320 [ 1059.337206] ? rcu_note_context_switch+0x710/0x710 [ 1059.342127] __should_failslab+0x124/0x180 [ 1059.346350] should_failslab+0x9/0x14 [ 1059.350138] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1059.355277] __kmalloc_node_track_caller+0x33/0x70 [ 1059.360197] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1059.364941] __alloc_skb+0x14d/0x780 [ 1059.368644] ? skb_scrub_packet+0x580/0x580 [ 1059.372957] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1059.378506] ? ip_generic_getfrag+0x11c/0x2d0 [ 1059.382996] ? ip_reply_glue_bits+0xc0/0xc0 [ 1059.387314] ? raw_getfrag+0x15b/0x220 [ 1059.391187] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1059.396193] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1059.401201] ? raw_destroy+0x30/0x30 [ 1059.404910] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1059.410714] ? ipv4_mtu+0x375/0x580 [ 1059.414328] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1059.419772] ? lock_acquire+0x1dc/0x520 [ 1059.423748] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1059.429273] ? ip_setup_cork+0x4dc/0x7c0 [ 1059.433319] ip_append_data.part.48+0xf3/0x180 [ 1059.437889] ? raw_destroy+0x30/0x30 [ 1059.441591] ip_append_data+0x6d/0x90 [ 1059.445379] ? raw_destroy+0x30/0x30 [ 1059.449083] raw_sendmsg+0x1dae/0x29b0 [ 1059.452974] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1059.458068] ? rcu_report_qs_rnp+0x790/0x790 [ 1059.462471] ? graph_lock+0x170/0x170 [ 1059.466271] ? expand_files.part.8+0x9a0/0x9a0 [ 1059.470840] ? check_same_owner+0x320/0x320 [ 1059.475172] ? lock_downgrade+0x8e0/0x8e0 [ 1059.479308] ? lock_release+0xa10/0xa10 [ 1059.483270] ? check_same_owner+0x320/0x320 [ 1059.487581] ? __check_object_size+0x95/0x5d9 [ 1059.492070] inet_sendmsg+0x19f/0x690 [ 1059.495856] ? __might_sleep+0x95/0x190 [ 1059.499816] ? ipip_gro_receive+0x100/0x100 [ 1059.504126] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1059.509654] ? security_socket_sendmsg+0x94/0xc0 [ 1059.514406] ? ipip_gro_receive+0x100/0x100 [ 1059.518717] sock_sendmsg+0xd5/0x120 [ 1059.522416] __sys_sendto+0x3d7/0x670 [ 1059.526203] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1059.530863] ? wait_for_completion+0x870/0x870 [ 1059.535434] ? __lock_is_held+0xb5/0x140 [ 1059.539490] ? __sb_end_write+0xac/0xe0 [ 1059.543452] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1059.548975] ? fput+0x130/0x1a0 [ 1059.552247] ? ksys_write+0x1a6/0x250 [ 1059.556040] ? __ia32_sys_read+0xb0/0xb0 [ 1059.560087] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1059.565612] __x64_sys_sendto+0xe1/0x1a0 [ 1059.569661] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1059.574667] do_syscall_64+0x1b1/0x800 [ 1059.578540] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1059.583458] ? syscall_return_slowpath+0x30f/0x5c0 [ 1059.588378] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1059.593730] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1059.598562] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1059.603736] RIP: 0033:0x4559f9 [ 1059.606908] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1059.626157] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1059.633854] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1059.641107] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1059.648360] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1059.655614] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1059.663382] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001e [ 1059.689552] binder: 29007:29010 unknown command 3 [ 1059.698482] binder: 29011:29015 BC_FREE_BUFFER u0000000000000000 no match [ 1059.709611] binder: 29007:29010 ioctl c0306201 2000dfd0 returned -22 [ 1059.738058] binder: 29011:29015 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1059.745423] binder: 29011:29015 BC_FREE_BUFFER u0000000000000000 no match [ 1059.771286] ALSA: seq fatal error: cannot create timer (-22) [ 1059.953465] ALSA: seq fatal error: cannot create timer (-22) 05:01:03 executing program 4: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000240)="0047fc2f07d82c99240970") r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000000)={0x0, 0x6}, 0x4) r2 = request_key(&(0x7f0000000080)='.dead\x00', &(0x7f0000000100)={0x73, 0x79, 0x7a, 0x3}, &(0x7f0000000140)='[eth0@!lo\x00', 0xfffffffffffffffb) keyctl$read(0xb, r2, &(0x7f0000000280)=""/227, 0xe3) setsockopt$packet_fanout_data(r1, 0x107, 0x16, &(0x7f00000000c0)={0x1, &(0x7f0000000040)=[{0x16}]}, 0x10) r3 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r3, &(0x7f0000deb000)={0x2, 0x4e23, @multicast1=0xe0000001}, 0x10) pipe(&(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r5 = syz_open_dev$sndpcmp(&(0x7f00000001c0)='/dev/snd/pcmC#D#p\x00', 0x8, 0x101000) ioctl$VHOST_SET_LOG_FD(r4, 0x4004af07, &(0x7f0000000200)=r5) sendto$inet(r3, &(0x7f00000001c0), 0x0, 0x420000805, &(0x7f0000e68000)={0x2, 0x4e23, @loopback=0x7f000001}, 0x10) 05:01:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x513a7cd9) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snapshot\x00', 0x1, 0x0) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffff9c, 0xc0206434, &(0x7f0000000080)={0x1a, 0x0, 0x10000, 0x7fffffff}) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = socket$alg(0x26, 0x5, 0x0) bind$alg(r4, &(0x7f0000000080)={0x26, 'hash\x00', 0x0, 0x0, 'sha1_mb\x00'}, 0x58) r5 = accept$alg(r4, 0x0, 0x0) r6 = open(&(0x7f00004b8ff8)='./file0\x00', 0x28042, 0x0) fallocate(r6, 0x0, 0x0, 0x73e0) sendfile(r5, r6, &(0x7f00007ed000), 0xffa) ioctl$DRM_IOCTL_AGP_ALLOC(r2, 0xc0206434, &(0x7f00000000c0)={0xb8d, r3, 0x0, 0x1f}) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$inet_sctp6_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000000180)={0x0, 0x4, 0x100000000, 0xffffffffffffffe2, 0x2, 0x5}, &(0x7f00000001c0)=0x14) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r1, 0x84, 0x66, &(0x7f0000000200)={r7, 0x8000}, &(0x7f0000000240)=0x8) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) setsockopt$IP_VS_SO_SET_DELDEST(r2, 0x0, 0x488, &(0x7f0000000280)={{0x33, @rand_addr=0x20, 0x4e22, 0x3, 'rr\x00', 0x0, 0xee4f, 0x4d}, {@multicast1=0xe0000001, 0x4e23, 0x2004, 0x7, 0x2, 0x80000000}}, 0x44) 05:01:03 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x20000) openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rfkill\x00', 0x801, 0x0) socket$inet6(0xa, 0x1, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) getcwd(&(0x7f0000000400)=""/216, 0xd8) 05:01:03 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x900000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x3, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:03 executing program 1 (fault-call:4 fault-nth:31): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:03 executing program 7: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) keyctl$revoke(0x12, 0x0) r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x80200, 0x0) getsockopt$inet_sctp_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000040), &(0x7f00000000c0)=0x4) 05:01:03 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1060.119565] binder: 29030:29032 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1060.147737] binder: 29030:29032 BC_FREE_BUFFER u0000000000000000 no match [ 1060.163926] FAULT_INJECTION: forcing a failure. [ 1060.163926] name failslab, interval 1, probability 0, space 0, times 0 [ 1060.175273] CPU: 1 PID: 29038 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1060.182216] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1060.190994] binder: 29030:29032 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1060.191576] Call Trace: [ 1060.191604] dump_stack+0x1b9/0x294 [ 1060.191626] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1060.209940] ? unwind_get_return_address+0x61/0xa0 [ 1060.214892] should_fail.cold.4+0xa/0x1a [ 1060.218953] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1060.224054] ? __lock_is_held+0xb5/0x140 [ 1060.228104] ? __kmalloc_node_track_caller+0x47/0x70 [ 1060.233199] ? graph_lock+0x170/0x170 [ 1060.236995] ? __x64_sys_sendto+0xe1/0x1a0 [ 1060.241225] ? find_held_lock+0x36/0x1c0 [ 1060.245282] ? __lock_is_held+0xb5/0x140 [ 1060.249346] ? check_same_owner+0x320/0x320 [ 1060.253660] ? rcu_note_context_switch+0x710/0x710 [ 1060.258581] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1060.263856] __should_failslab+0x124/0x180 [ 1060.268094] should_failslab+0x9/0x14 [ 1060.271885] kmem_cache_alloc_node+0x272/0x780 [ 1060.276457] ? __kmalloc_node_track_caller+0x47/0x70 [ 1060.281561] __alloc_skb+0x111/0x780 [ 1060.285271] ? skb_scrub_packet+0x580/0x580 [ 1060.289587] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1060.295117] ? ip_generic_getfrag+0x11c/0x2d0 [ 1060.299613] ? ip_reply_glue_bits+0xc0/0xc0 [ 1060.303935] ? raw_getfrag+0x15b/0x220 [ 1060.307812] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1060.312825] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1060.317840] ? raw_destroy+0x30/0x30 [ 1060.321559] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1060.327356] ? ipv4_mtu+0x375/0x580 [ 1060.330980] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1060.336433] ? lock_acquire+0x1dc/0x520 [ 1060.340399] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1060.345930] ? ip_setup_cork+0x4dc/0x7c0 [ 1060.349988] ip_append_data.part.48+0xf3/0x180 [ 1060.354563] ? raw_destroy+0x30/0x30 [ 1060.358280] ip_append_data+0x6d/0x90 [ 1060.362073] ? raw_destroy+0x30/0x30 [ 1060.365781] raw_sendmsg+0x1dae/0x29b0 [ 1060.369678] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1060.374772] ? zap_class+0x720/0x720 [ 1060.378486] ? graph_lock+0x170/0x170 [ 1060.382301] ? expand_files.part.8+0x9a0/0x9a0 [ 1060.386921] ? lock_downgrade+0x8e0/0x8e0 [ 1060.391076] ? lock_release+0xa10/0xa10 [ 1060.395043] ? check_same_owner+0x320/0x320 [ 1060.399358] ? __check_object_size+0x95/0x5d9 [ 1060.403848] inet_sendmsg+0x19f/0x690 [ 1060.407638] ? __might_sleep+0x95/0x190 [ 1060.411602] ? ipip_gro_receive+0x100/0x100 [ 1060.415917] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1060.421446] ? security_socket_sendmsg+0x94/0xc0 [ 1060.426195] ? ipip_gro_receive+0x100/0x100 [ 1060.430511] sock_sendmsg+0xd5/0x120 [ 1060.434216] __sys_sendto+0x3d7/0x670 [ 1060.438009] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1060.442674] ? wait_for_completion+0x870/0x870 [ 1060.447266] ? __sb_end_write+0xac/0xe0 [ 1060.451246] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1060.456770] ? fput+0x130/0x1a0 [ 1060.460045] ? ksys_write+0x1a6/0x250 [ 1060.463840] ? __ia32_sys_read+0xb0/0xb0 [ 1060.467894] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1060.473432] __x64_sys_sendto+0xe1/0x1a0 [ 1060.477483] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1060.482495] do_syscall_64+0x1b1/0x800 [ 1060.486373] ? finish_task_switch+0x1ca/0x840 [ 1060.490862] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1060.496291] ? syscall_return_slowpath+0x30f/0x5c0 [ 1060.501218] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1060.506579] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1060.511443] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1060.516622] RIP: 0033:0x4559f9 [ 1060.519799] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1060.539178] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1060.546899] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1060.554156] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1060.561415] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:01:04 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xc00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:04 executing program 7: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x10be}], 0x10000129) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c, &(0x7f0000000840)=ANY=[@ANYRES32=0x0, @ANYBLOB="3d000000a26d8a3850bfb5ad5f00749e730743030ba5fe5d88ca52907e95458fe77af8682fbf4dcdc5941e9d27de63944afd4a24a8ebf5e7b3d668b5218c45cdb54584d1480c4d"], &(0x7f00000007c0)=0x45) setsockopt$inet_sctp_SCTP_ASSOCINFO(r0, 0x84, 0x1, &(0x7f0000000800)={r1, 0x5, 0x0, 0x722e1c3f, 0x1f, 0xfffffffffffffffd}, 0x14) r2 = socket$inet_tcp(0x2, 0x1, 0x0) r3 = syz_open_dev$tun(&(0x7f0000000140)='/dev/net/tun\x00', 0x0, 0x0) connect$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x400, {0x7, 0x0, 0x1f, 0x7ff, 0x6, 0x4}, 0x8, 0xfffffffffffffff9}, 0xe) r4 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000004c0)={0x0, @in={{0x2, 0x4e23, @rand_addr=0x7}}, 0x7, 0xdf5, 0x2, 0x9, 0x20}, &(0x7f0000000580)=0x98) getsockopt$inet_sctp6_SCTP_MAXSEG(r4, 0x84, 0xd, &(0x7f00000005c0)=@assoc_id=r5, &(0x7f0000000600)=0x4) ioctl(r2, 0x3, &(0x7f0000000640)="f13a175477886a1f20d137cb692218a1d1801d210dc45c0584631d5947c75692a7625a1b245e474bb7533b8788eef6eb938490ea35301592efe2564d73d31c98a0e445cf8b535c8f06b7738644339b70a6a617622c301382975a0feedac86ddea77f6adea59928e39fed36485c9fa307ba1fb9832038a7a2f314e1bef1b3887b8f50a303efa58afcf5e7b0569d77ea0922c2d618e6f66b30bdf6970bd053d97ce7805eefdd0e8e2f9f7872ca3ce7dd4b59cd90026b41d61c42954defea18a22aae29c257ede3") ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r2, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0xd}}, "73797a6b616c6c65723000e7a95d3e00"}) r6 = add_key(&(0x7f00000002c0)='id_legacy\x00', &(0x7f0000000400)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000440)="0377f11f7d8a666be32211ed461b2bf25880ec48d6fdd014166e68eed97cc7fb6e745c83bb44c866071f2cba4bae834dd0f49cf90d8542dcd2bdd9f9b3af4d959ef0", 0x42, 0xfffffffffffffff8) add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000001c0)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000240)="7113085f8b027d9cf74048f7feb07f97d04e41dbfdece6eef0cfbf894176f463b1e95b6d8532fcf92943173903ad664083dfd06e5791cea6ca51ba5dc84ccd13f4c3e10951ffb7203e36a633609cad3aa520b245cb19395187cf2d6bb8f92f3fe6ad3833386b81ceb3261f613c3a42c3af472a0a180b3b5b0f92d23b21", 0x7d, r6) readv(r0, &(0x7f0000000080)=[{&(0x7f00000008c0)=""/242, 0xf2}], 0x1) [ 1060.568673] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1060.575931] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000001f [ 1060.586679] binder: 29030:29032 BC_FREE_BUFFER u0000000000000000 no match 05:01:04 executing program 1 (fault-call:4 fault-nth:32): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1060.618673] binder: 29029:29031 ERROR: BC_REGISTER_LOOPER called without request [ 1060.646569] binder: 29029:29031 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 1060.654884] binder: 29029:29031 unknown command 0 05:01:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4c000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:04 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) getsockopt$IP6T_SO_GET_ENTRIES(r0, 0x29, 0x41, &(0x7f0000000240)={'raw\x00', 0x70, "377fa2b5e0d772315b5d832b34cd5e8ed0af558af175fc374732a57381a6de35da6be4b7428ff0c119309fda74f81252a29172e4c61094795c6153a7a8003112fc06e945da1c1bd7da2ce8adc335415926d9d600982d1ffcfe62201a2ee5335ccf27d6e7d30c85a1fbf98223b5e316c0"}, &(0x7f0000000140)=0x94) ioctl$TUNGETVNETHDRSZ(r0, 0x800454d7, &(0x7f0000000040)) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:04 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x100000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1060.702817] binder: 29029:29031 ioctl c0306201 2000dfd0 returned -22 [ 1060.757382] binder: 29064:29066 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1060.774326] binder: 29029:29031 ERROR: BC_REGISTER_LOOPER called without request [ 1060.783407] binder: 29064:29066 BC_FREE_BUFFER u0000000000000000 no match [ 1060.786110] FAULT_INJECTION: forcing a failure. [ 1060.786110] name failslab, interval 1, probability 0, space 0, times 0 [ 1060.801721] CPU: 0 PID: 29065 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1060.808661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1060.818028] Call Trace: [ 1060.820640] dump_stack+0x1b9/0x294 [ 1060.824295] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1060.829505] ? is_bpf_text_address+0xd7/0x170 [ 1060.834025] should_fail.cold.4+0xa/0x1a [ 1060.838100] ? __save_stack_trace+0x7e/0xd0 [ 1060.842454] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1060.847673] ? graph_lock+0x170/0x170 [ 1060.851490] ? save_stack+0x43/0xd0 [ 1060.855128] ? kasan_kmalloc+0xc4/0xe0 [ 1060.859024] ? kasan_slab_alloc+0x12/0x20 [ 1060.863196] ? find_held_lock+0x36/0x1c0 [ 1060.867279] ? __lock_is_held+0xb5/0x140 [ 1060.871364] ? check_same_owner+0x320/0x320 [ 1060.875699] ? rcu_note_context_switch+0x710/0x710 [ 1060.880643] __should_failslab+0x124/0x180 [ 1060.884876] should_failslab+0x9/0x14 [ 1060.888666] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1060.893765] __kmalloc_node_track_caller+0x33/0x70 [ 1060.898688] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1060.903436] __alloc_skb+0x14d/0x780 [ 1060.907140] ? skb_scrub_packet+0x580/0x580 [ 1060.911450] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1060.916976] ? ip_generic_getfrag+0x11c/0x2d0 [ 1060.921469] ? ip_reply_glue_bits+0xc0/0xc0 [ 1060.925790] ? raw_getfrag+0x15b/0x220 [ 1060.929668] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1060.934678] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1060.939695] ? raw_destroy+0x30/0x30 [ 1060.943407] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1060.949197] ? ipv4_mtu+0x375/0x580 [ 1060.952835] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1060.958286] ? lock_acquire+0x1dc/0x520 [ 1060.962253] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1060.967779] ? ip_setup_cork+0x4dc/0x7c0 [ 1060.971839] ip_append_data.part.48+0xf3/0x180 [ 1060.976413] ? raw_destroy+0x30/0x30 [ 1060.980118] ip_append_data+0x6d/0x90 [ 1060.983908] ? raw_destroy+0x30/0x30 [ 1060.987610] raw_sendmsg+0x1dae/0x29b0 [ 1060.991499] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1060.996594] ? zap_class+0x720/0x720 [ 1061.000307] ? graph_lock+0x170/0x170 [ 1061.004105] ? expand_files.part.8+0x9a0/0x9a0 [ 1061.008688] ? lock_downgrade+0x8e0/0x8e0 [ 1061.012834] ? lock_release+0xa10/0xa10 [ 1061.016800] ? check_same_owner+0x320/0x320 [ 1061.021116] ? __check_object_size+0x95/0x5d9 [ 1061.025953] inet_sendmsg+0x19f/0x690 [ 1061.029738] ? __might_sleep+0x95/0x190 [ 1061.033701] ? ipip_gro_receive+0x100/0x100 [ 1061.038030] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1061.043555] ? security_socket_sendmsg+0x94/0xc0 [ 1061.048296] ? ipip_gro_receive+0x100/0x100 [ 1061.052610] sock_sendmsg+0xd5/0x120 [ 1061.056315] __sys_sendto+0x3d7/0x670 [ 1061.060104] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1061.064778] ? wait_for_completion+0x870/0x870 [ 1061.069366] ? __sb_end_write+0xac/0xe0 [ 1061.073334] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1061.078860] ? fput+0x130/0x1a0 [ 1061.082127] ? ksys_write+0x1a6/0x250 [ 1061.085932] ? __ia32_sys_read+0xb0/0xb0 [ 1061.089981] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1061.095509] __x64_sys_sendto+0xe1/0x1a0 [ 1061.099557] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1061.104562] do_syscall_64+0x1b1/0x800 [ 1061.108436] ? finish_task_switch+0x1ca/0x840 [ 1061.112935] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1061.117858] ? syscall_return_slowpath+0x30f/0x5c0 [ 1061.122777] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1061.128134] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1061.132973] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1061.138151] RIP: 0033:0x4559f9 [ 1061.141324] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1061.160597] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1061.168294] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1061.175551] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1061.182815] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1061.190072] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1061.197342] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000020 05:01:04 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='comm\x00') exit(0x0) preadv(r1, &(0x7f0000000240)=[{&(0x7f0000000140)=""/202, 0xca}], 0x100000000000028e, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r2 = socket$inet_tcp(0x2, 0x1, 0x0) r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp\x00', 0x40100, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000389000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = socket$kcm(0x2, 0x3, 0x2) ioctl$sock_kcm_SIOCKCMUNATTACH(r4, 0x89e1, &(0x7f00000000c0)) memfd_create(&(0x7f0000000080)='lo\x00', 0x3) ioctl$BLKIOMIN(r3, 0x1278, &(0x7f0000000140)) ioctl$VHOST_RESET_OWNER(0xffffffffffffffff, 0xaf02, 0x0) ioctl$sock_inet_SIOCSIFADDR(r2, 0x8916, &(0x7f0000000000)={'lo\x00', {0x2, 0x0, @rand_addr=0xffffffffd5064805}}) 05:01:04 executing program 7: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f0000000080)={&(0x7f0000000000)=""/21, 0x2000, 0x1000}, 0x18) r1 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x9, 0x2000) write$vnet(r1, &(0x7f0000000200)={0x1, {&(0x7f00000000c0)=""/85, 0x55, &(0x7f0000000140)=""/130, 0x3, 0x4}}, 0x68) 05:01:04 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000040)='/dev/snd/pcmC#D#c\x00', 0x8001, 0x103000) ioctl(r3, 0x89, &(0x7f0000000240)="00e9ffffff0000000000005bdd4f4327431039ff497397a1d7dfdb1e22a91eb1af187bc9ac02ff817034cfa949e95574599620f28cd614c24496e34c9df8") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) socket$inet_dccp(0x2, 0x6, 0x0) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1061.215003] binder: 29029:29059 unknown command 0 [ 1061.222742] binder: 29029:29059 ioctl c0306201 2000dfd0 returned -22 [ 1061.229700] binder: 29064:29066 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1061.237550] binder: 29064:29066 BC_FREE_BUFFER u0000000000000000 no match 05:01:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB="00000000a070837e612cf838570d1d7479cfe2b49d9551edb6e416e9918398aa2301a5fa0d5d1bef4a80c906124d6a728bf7cef04690684eae38c040f1377226716f6c0ee8e4e65aab383d5ce4c631a0ff8cf873f39adda3744718fe8a2d906f430a877bdf79f1d4cda3aa90b0d2c4d4eca8c88df6e580976b326ec9360781b51477f02a6493bee25b44bdbd6bdc9748dd0333188b678c57e2d854a3bc9ff063fbdd59116f62126f6a720be952a1b7c502299c306b699f6fd0c8ed5ec235114cbc8f4cc49eb90ba0d860a3b00ddf61274110aa8f34bd1c33cb5427722a3fd16820e4137d413a1106719dd53399138b8e9e120532fe7729d7b72af41831954719d838b3c0a0a53628ec252ba6254093bf08215a17cfe898f290444726e6de94af4148eb64fdf549a5623f880ec6357992ebf27781cd98fe23eaa4eed6717b42da4f66faafac357ef88fa360ecc03ef15576fd586943cf74496600eaae9cd1401ce5490e816675f1319475c30fb2aa13b9fdb53dfff2536e5c29762cdc747c2491c98980d6dc36d8454c348865b9c22c874544b0a317686245b379ba9604c3b7c9840b8e36d5ca"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:01:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0xfdfdffff, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:04 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x500}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:04 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x300}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1061.355532] binder: 29087:29088 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1061.403661] binder: 29089:29094 unknown command 0 [ 1061.411326] binder: 29087:29088 BC_FREE_BUFFER u0000000000000000 no match [ 1061.443988] binder: 29089:29094 ioctl c0306201 20000140 returned -22 [ 1061.460121] binder: 29087:29088 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1061.469846] binder: 29087:29088 BC_FREE_BUFFER u0000000000000000 no match [ 1061.479234] binder: 29089:29094 unknown command 0 [ 1061.495000] binder: 29089:29094 ioctl c0306201 2000dfd0 returned -22 [ 1062.275745] ALSA: seq fatal error: cannot create timer (-22) 05:01:05 executing program 1 (fault-call:4 fault-nth:33): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:05 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r3, 0x84, 0x6e, &(0x7f0000000240)=[@in6={0xa, 0x4e23, 0x3, @mcast1={0xff, 0x1, [], 0x1}}, @in6={0xa, 0x4e22, 0x7fffffff, @remote={0xfe, 0x80, [], 0xbb}, 0x3}, @in6={0xa, 0x4e21, 0x8, @loopback={0x0, 0x1}, 0xa8c3}, @in6={0xa, 0x4e22, 0x8, @mcast2={0xff, 0x2, [], 0x1}, 0x4f}], 0x70) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:05 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xfffffff5}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x600, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:05 executing program 7: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) getsockopt$IP6T_SO_GET_ENTRIES(r0, 0x29, 0x41, &(0x7f0000000240)={'raw\x00', 0x70, "377fa2b5e0d772315b5d832b34cd5e8ed0af558af175fc374732a57381a6de35da6be4b7428ff0c119309fda74f81252a29172e4c61094795c6153a7a8003112fc06e945da1c1bd7da2ce8adc335415926d9d600982d1ffcfe62201a2ee5335ccf27d6e7d30c85a1fbf98223b5e316c0"}, &(0x7f0000000140)=0x94) ioctl$TUNGETVNETHDRSZ(r0, 0x800454d7, &(0x7f0000000040)) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f000000fff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="81000000"], 0x0, 0x0, &(0x7f0000000040)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:01:05 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x300}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:05 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) sendmsg(r0, &(0x7f0000001740)={&(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r0, {0x2, 0x4e20, @rand_addr=0x9}, 0x1, 0x0, 0x2}}, 0x80, &(0x7f00000000c0)=[{&(0x7f0000000140)="dddb3624e7ad0a779f371bb783b81e50717fd24388fd2d6c9239e7d9f837f4c925a769fb200651f9406289ff87da1a37203f084cee43b35c43be6e63562e9498cf5f01f2e281de49b990fff4f0100852731e8f760e54f2bf35a01046d816f320584c72ff53e344da44b145cecab3a6e4f563792694af16494cdc8f0cc488b6d041a64ed8757b55d8736b9edb5b814caeef93a6a99ed9f415673ee1b4607d25702c01d246ae4c84941ba3f0b4d3fa43fa5437a07221f0bcbba2067b62da1484216f4e0693e1a712", 0xc7}, {&(0x7f0000000080)="48dbee450dc92a3b7ade6c3f8dca53f7", 0x10}], 0x2, &(0x7f0000000240)=[{0xe8, 0x116, 0x4, "3847158ee82b89df0004120f976f5d3a28a9acb610a753b69dbbe30e1fd938a36942b9df2c38b950bba40d13b5519f81c3d2a791ce88414a22b291384577aac7e660656e032e8fc7e2a7147536c4b4111ecc0a86173f0d1059e681640080e031248a74f42297b640c72b373f119f4b9f5661b4f202cde722318059217326f751602b21165711cc0c6e18b1233161c1b9ba971458b5349c81923884793baa50252b1b2aa0e3b859cab1eb6fc0350b4abf98c11dd86ae1dd81557fe84a34504423bbfcdc1efac161c66191c80de85ee4d4637a291c5fd9caa5"}, {0x100, 0x11b, 0x0, "be81329b370d248eb81844c5f7195341c919f163e4bab12e3200b9f6276abf474b8915d954dc23ebb26cae0b6d28e1bffa8bec0e65030617390b7158f4280c6bda7b385bc6e1675ace6a38f5698da7046ebe0a226b7df66802d0c570f9f19b71af91b27b9e5ce5fd864d3cb62b36fe96a0dd732aab318304bc378f78f6debac43c63b70ead1c8be8c0437c01d8fa6f31432792752cf3151a48c3324d60d9542a1e856ada4fd1cba0466a7f4e8e98b44f3febc44462e1d7ca9b5ce1c00c9055bb3f34245cad6fa5b843f63e68de776e5e521caff845833f1f36fd2d40760ad66869d6ce925dd15b69c3c7"}, {0x38, 0x117, 0x101, "595b5d37b8a8556dcda4a89559dde7c27639d8a11003f152ff7aca46ba51084ecb"}, {0x88, 0x11e, 0x3, "73af92a944d4dc9e92eb3dd1fd2800e993fec50825bef81afb90024384afae5ee75260573db7ac2c6214b0cb12e63c554de0e851b560624ce0086d9defdf5d0318ec95b870476e0f533a4de988e95d5b806652db20cf5f8684cbb91f2a1f80dd783cbac8f262f65f3924adef6118f20172f1bc3c65"}, {0x1010, 0x11e, 0x5, "ca8705f5f2a7dc6b68a71c6c8816424b0d51e0b3fc9be2df06cd6c59d8189b7fac7aaeca92a894c94f8e0add116f2599751bc9dcd29a051593e3db308595df6bd6538ef5690da44f8c074eeb7e45826014277e99c412248b1876538e78e4821b1417cecd000aa26a253acede56236cc75e03bc3aa3d40a58447c312a113d5a159c294fddf33a6e9c61f9f55bfac6fa89f8979a6f0937925fef617b5b0cad6609935c9524ad611d4f55e662b4651f094a1799d468379a899419d78d5a05770acea42744f95caf6609d1c0e7d29dc3eb71006536bdf9943412fe36b05d8a3d8e8c7d6bf3acad7819b60c8f427b43d202fdd34f54623019c9dd504ec85458160acf5959174c62bc9665f5b64eb378a9ab36803a80f79063566d1ee4467951859d9087c47c16b2933cbf5330799ddcdcd4d20f25718d8556e4f8805d3c2668fa30691577f3c44c04de2da80810cf45a0dea39e23b46849932b29ba67571fb71f8ceddf62b6164d14520f505dd93465437fdffcd5235f22bb49d68e81e73d830f676305c7e134a9022726083dc2b56931745743dca059b45ca4456bf457c7b7638ac1dc70455681c8429a99ccb72e7d6608c3414b04ea927b05c5e5aec34a76dc59e2eb279cc5ba371554dad32995a9d0549b5b644214861b900b7f44707a7ce198c8109350738ef6bd34fc91357565affc87a779fbf5ef3127c815f3e2a3d38089af2a3664042d43ff06339e2fb0a50e776d1b3a6285e9529bf3680ea2e36ce9f01a46d475cee0194db4c99f4a98557254fc160b903536ddb3bc9ccb6d3466cf3ecb3248491f7ce76ed7faf34ff863cd1b9416d432abebf3ef720fde8b5178ac5ba82aa418a71026ff94d0d6d3df36f96a9a3fbf16b3b230f358ddbcb6b14d01c22c5aaba0b507b7849964995ff9ada8a8dc7ecfa4b4cfaf18ba0ae46e484a499c4babd2d20a6758ac304cbadfd50d3ac49ee85b0a0968a6535a10ec5a2f12ff821ddb101905f534e62b00b38c1a6de3a3b8e5a8624099c4905ad00cfd3ad303e6f0c4ab41354ff5b7f20474a06b41766b915faa0359ab2055ac9678ed4223cbb98fe33c9ea8560d817cae77a847c3ddcba048fe9e9c9fb6d719ddc0f83428afdc1c945f34be34505b6db450e140a7585bf17f7c916e62152c4ceb79fcd4d6e3fed2670ab83dae5094bf4cdf47b00669cd121b86ab7a3846c4be26c247a80f6e9d74ed2e2094678158e5285e9204fa24e3dce3ab9ca90a67931d7816502564d389f25ebcd6c946eeef4688575a938d22d3d151cb38250cebaf05f6a0c0c7f3dd12be547293f0b8addcc0c21bb3b3e829ec3a6e603a1c9e92816698a4da97f59928a4019f72581dbab5a4b7e921c07291de7ef2ff6f3bc03e0b74ade8f00f29d447a97fc7dc0b42c0eb989793c1676c485b2acd6505f592f33a23e65c3b57cfcb374802a4008522edbbef784da66ba92c8ffadae72730245cd2662b72c11e241cbfb6c8e4c358d3b40bb2ec0656a2057c4a3880d774bad9c55bdbb124ca5e2140206b85cff01f65204a29dd21ef6183d26aa64b63ffa86fd518a9b32e821a318f18f749808bd8bd384cf75c5672edb787dbb8ae4fb30ae70375c1f3cb41feeeeb3f29b058797cc3571b5cbdc2aea597b9d0a0fdeef20da7f9ab8c11f58bc162ccee061a9aeab50c7ac3aaf8469923950e712992861d7fe3a71fec9e4e6d2c6044d116df87074a429e27513d6b8310905f33676317522588101393606e9b6ec135be382a92b576f345d7700e0ce19eb8d2b1c679237babbb5a7af67d05db0cb1089307fca0706c4d3e2487ddc6314891936a20a30cae692b7548cbdcd37db86b2b496a0af4ed1c650a87d319b78c2f02c8d4a55e2a255c1d630fdbbeea412aa6ec6d0fe3c10dc3b090b7604f528f0cd48dd1801688299b40bacde0a1cb64132c3c614ee2ea0c56b5f052c7215b7546f7fc3061f5e71c2b8f95512ab8558a9a9d94a37018e20de75a42702912d50be85749dcbea641c7dc92f0a407d6b9968489968c38aab62ca05d3bb9f76c59a6922a30df098cc51523fbd139ea6c3fefa99132835f57b31b85003c8c484a315268514320b5c17b3112b2d6bc9f688d91e8e31a5192233ae1981478579beabb01299194070f0463b8c162a24ace11cfd4d57bcb9005380c143358971b3d1231b9c4359d43026736bc0effcea4bc2bb75d27e2ba376bc01664cb24e11a00b5fe93f04a49aa3c6a7a2fae5b707f34bb0ac7b5044972546c3b36671d09fca66f8052ad7201163b75e8b79fb7eab49dbc8ba95ed70cd5d325170d4b89fbaa452e47370d3fbc373c360a1a30b388567e39e27a9a62b7b2f846b840efe09a483e310ef89017e8cc24478c9de6adb51e224ddd332d2877b4618e96612cfddc198229c51a1a57f43cd79baa5e9b7676e46c25ef73d72243272889189ed35b47c89640de2da6316ceb32af0abd028876fd80138b304053906dd00e3bf8f56ace327962173328a2b4bb4f8116488892bf056991767c64f57f9a22aaef18c53b264d4315aaf269e4edf4238c568bf7db7884ba8b7f5e1a0907b422896f81ffad2620e228aec7ed8716219b83123beddc38747a6f506d54260882d4cf1ff122f333e08e419da88087b50feb77e7e7f1c298007aac4b8d03b6050812dbe65504dddc719163eed33bf2422d79e0d38038c0d2c78719ac00a2388927423023267f3b3b5b7036c6127c62375c11236b155e53ef76072872399e7c84f8b0e654504d7764166d74dde908bafaf7caeab731a2e6cabdba4d8dd84757b8421fc1a801138cc93e05c79b356bd353a41d10a6442e69ac7180ebcb79ca3ad5dd0315bcf21845f99f0f561f748789304f1312d5188ae50ed50832f99cbcbe2eec6505aeb6a6c34bb771c23808a795d58827e8bf1313967510b9820554849c674c4bd6a7db8c3368c0ceebdee8af5d29bd759dba8233d569c6886fb997ab08d9a845d665ab4f6633d45e367179fee92d17873888e153c53e02f15d1572234b18bb48f78c1b4089ded613ab660fc2a0fa07704998f554d382999d49c115b5f529aded8f459ea519dbd27d85ac9c4aece3c591bc60d181f0ba70167afd7b16c6d48bc84d59d333675096e6877b20ab9f93c06d999df307382c02d2f81e3cc11590ce1ce1f702bb9e910feb02859a17048ef47829dcd9b49be34778e841369822864bebd6509524c8b1eaa28fe45b91b207f92490b3a39fce631cedec8a4c9dfe3e92dea973011566fe90fece4d14f3b0fb06881063492d1ca8b8dd61350f2bebbcfe124086936e5a5e0b5198b0ab85f1879afc5694a9640231e8d45a1b1e3b40cbfacbb195b0ec0108e2289fa3e2395fc3282a5b1eed3d0f6b9c65d4b3d66f7d8450c277504d1d7a1281189c507f56113f3b479e8383f6b80e986292098019ca551d91e0ca98a27af364c14c11af9ccb17c53100cb327bdd8d5542cdf200c2536fb795b1ad82c5b5d048b1b3227d03ccd5bf03b0344b96cc68ca4231157ed7b1a8a59b54eea2d1e4aabd66c0cc5a2e034209aeef6230c38d651828980227d3a12bd0259c505b14eff7537d3efbbe98cf7f986f56ecaee9133fb81315c882d716aab7e079e0001b03e4d190cad6920798f6097c95db15e8df24b8de8ba7956babf21ac8301177d6f65bae807996a1e37e8fda0eb884b5fc1bccdff71c127ae65ace8bafb948acef5da1413ff3cfa2a86b90df0ca0c92095fad71115223b5fa0684c292ed812c4b189c6dd5e9edd5a6b4506ac38818a64e3928acc041df1d41bbe5e8b12ef7a10b75e79dc83407bb9de4287cabb4c62fe6e0b417cd47be3bdb775745c9b96ab1b98afb1ec8cb347f0eaf06af6ef1d92014803b7c2a5c62646c91b881eb78fcb74d574a27b75a941d71fd1b919ef34494376537d470727d6814f58b13099f38e08499e60e29ed5344c13b666bc8d856dd14ccf600dce7bba11846d5b48e5c9291f1639a925408e3574226bd618517d6de8394806b6c9af0797a7976613eb739796b379ef10bb6326bf9afaa06b44a409c613b93dd397c1af2fc369ca7bb05f4ea87dae066e6edb77a32cee54f31b625ce77a52798f2ec9406ca1e7fd6e887fa1de87938bd5df63362f109b6ed43992223fe15a41a43e94ad0945284318ecbf14f9bf429ddc64b4c977c6a2595ae1a699de12e9474d379f5fb6faa93d527c51fc4eff76ee6a1c775d1d1c7b9e9eb8ba84e92a044b17c13f89b76e6e402c6e406aaf7b5b85cf5ff6467d580856cfbd3b13c22de30c040e7f295aa274ef4af9b9ccebbe69b83f9318d6724d671ee23064260ae6d7f4a2b090d6f79f826efc6e3a0832861c1711c1f1f8bdde5a2d5ef81915bfeb7f03ec57550d0d25cb10726c40203ecce3066c779509359aeaa114034ea45b23199218a8bd8af960c5cbc60794001eb60a0dbb11927f47fe430239d19c0e37bcbd661983375d4fb9d7a6346cfc6378eb5f230a5a045b470498f07a03649589bdab4c696187f9a2da03b636044b0af8353c08c11dd5359087d50252d0717411148b2294f8762eb0d1952d08132952883bb42a8641064107228b8849f345719149d688048c58d7fe8568a4cd77ca7f3572f1e1aab59f9af4fd741a78aef8a44e4106278aec51cb613cb69468bf374bcb21a6c08f458939079d293faa975cb73af7ffe68dba77d58de8c1c4b979db80bfb998c48055f881c0e70a795e19003c50363edfbdd8e837c2d96678e5eec48eea348efa7995982d2cdedee500a6b68396924a2a0d934d17598e4b1a3a089156eef984fc30eddc0a9eafc682584b75664ced1618db36cba404b55a8be702fbbb247166e3a7a8b9ab80ba90f0f7b2dae59cc1f216edb9619b03df6babdcee9bfb4903adbb07cd8746939c7b6efadb0e121db2730fa083cc05f9fa5250b2b11f19f2bf1af9906f70195b9e2689496b7011cddbb54358508173e3ef20f911c99424f825d5ac6867c387e799f43dde60990a6090b496203f63a8e01c408d0737c3f26391dee28b3eb5c891039510750f58155eb468f4f82fa44034b1da7cbcfb93abb7b0e66902041794f20987607c74fdc4aac305af85c0dfb0f02f2737e79e84afb7abbc0d3fb31e658fca303635200186bbce409309f9bff3d0a1cd29deb972a141004b89be2669c065c0ac2e4a9f2e9c3dc6ee26acc1c3d3a9201dc3f09353a8ec690427dacc2e89825ee2b8830117bba7a474533afdb5c6d14bcb025c37d218b280c75e8d83c29735ed8180ae2a92f71f6395c563c45781a6596741768fdc2cc827bf2e21330314033dfc8b224ebf56d6af26347dc8cdbfd333445af546cfe9fd2cffbf9d5cacc9787bdf9afd765f1ee2a3713e0def616562eb502b422a6a923f9c9876b3f675f32fb51e935d78abd406eeb373db016d659a27319e239f62e05112dfef35ff70ac62bf39236f026d25f48e39eaf65adc151a5bae54d847f332379ca5b065255ad3ad64499fe6e042d3f1bdd346f9907f7fa2465f99f56d6bcda7628fd0d89232c690fae178c03b71ad9940e6d84335fbf7a8268466a7261fee55d58a6f7ca54383bab49a7cdcf0cfa4df2a48c200c204f162e8d6c7a6479002ef359eeee9d32be2a5b030cba813ba68abfcabd4f1db9a1b258108bb88408180f1a35fc6b240cff5306ddbc08cebf52819df409b64edd707c95dc8e48e1d0ae4c73d93cddd37734d7a63233b0cd02b6caaef42ec79fff8afa9e426bb889971a8218f5f790c9535f501dd5a4b06503c8744b3ac39f980fb6fee8106d1447d"}, {0x18, 0x109, 0x81, "c0b07b09"}, {0x98, 0x113, 0x401, "b84bed0426654aca3aa152b9e2c4af0f988cb4715253c2eb32c6efc8cd3af0eef151d7a9d2a664d0a05e85af5811833756d4a84d82ca82105687ff7dd267786a769d7354e6295d7faae9dd5bcaee00308701daa4ebcab15a85102f5b5533b2e2ec811a61a087509b3887761e2894bc931e0ce7a8ce4cd12fc9a7e7a8c6fb8473d90f"}, {0xb0, 0x100, 0xcb, "ffdcd1af535bb7dcbe46dfc90c88751379164e30cc53e094e2921e061a6893775966ac164ce5a6d8b2883c90cecb93fd449946658073dfe8ddec714dd06f3b962e9d2a64d4e61a90900cb754c23e6316db4e691fd0dae27d05af04e1cd6cfd95ffacea0d282004d3694dba56660cb00beefc481ba6c1d87dae5cbbc6f495ec81ebd07b1db6c14c220909bc084890b31e44af003adab71e0491f05b"}, {0xe0, 0x84, 0xfff, "837ed99517437b60f215f238b5d57a740a2ed4dd61008c86702a3526b28ee69fe079dbb7976aa044b971e449ae845f49cdd72267560aea35892f0398fc81d2625d34914523e23217f59ecada1b2c1479537576ae6000a23a1a6f56f565eb9a4af7c84e3c50cec89ff6534426613756797aa53293d14e46b1cbf9ce2db0ca0cbc2384730ddae007dc6c84da423c73bd9376a9c7e8272a7aa1f776a3f4ca110e932d4893d998453fab0a57bbafa6e6ed15679b82346b7e07020d5947482929acbccf0b96e4ef9f45bb44"}], 0x14f8, 0x8040}, 0x48001) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioprio_set$pid(0x2, 0x0, 0x0) ioprio_get$pid(0x2, 0x0) [ 1062.445091] ALSA: seq fatal error: cannot create timer (-22) [ 1062.501970] FAULT_INJECTION: forcing a failure. [ 1062.501970] name failslab, interval 1, probability 0, space 0, times 0 [ 1062.504225] binder: 29119:29126 unknown command 129 [ 1062.513313] CPU: 1 PID: 29120 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1062.513329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1062.534612] Call Trace: [ 1062.537224] dump_stack+0x1b9/0x294 [ 1062.540881] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1062.546093] ? unwind_get_return_address+0x61/0xa0 [ 1062.547708] binder: 29119:29126 ioctl c0306201 20000140 returned -22 [ 1062.551036] ? graph_lock+0x170/0x170 [ 1062.551062] should_fail.cold.4+0xa/0x1a [ 1062.551085] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1062.551107] ? __lock_is_held+0xb5/0x140 [ 1062.551124] ? __kmalloc_node_track_caller+0x47/0x70 [ 1062.551139] ? graph_lock+0x170/0x170 [ 1062.551158] ? __x64_sys_sendto+0xe1/0x1a0 [ 1062.566357] binder: 29119:29126 unknown command 0 [ 1062.570590] ? find_held_lock+0x36/0x1c0 [ 1062.570615] ? __lock_is_held+0xb5/0x140 [ 1062.570645] ? check_same_owner+0x320/0x320 [ 1062.570664] ? rcu_note_context_switch+0x710/0x710 [ 1062.570680] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1062.570701] __should_failslab+0x124/0x180 [ 1062.570721] should_failslab+0x9/0x14 [ 1062.623237] kmem_cache_alloc_node+0x272/0x780 [ 1062.627808] ? __kmalloc_node_track_caller+0x47/0x70 [ 1062.632903] __alloc_skb+0x111/0x780 [ 1062.636604] ? skb_scrub_packet+0x580/0x580 [ 1062.640916] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1062.646444] ? ip_generic_getfrag+0x11c/0x2d0 [ 1062.650927] ? ip_reply_glue_bits+0xc0/0xc0 [ 1062.655242] ? raw_getfrag+0x15b/0x220 [ 1062.659117] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1062.664125] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1062.669132] ? raw_destroy+0x30/0x30 [ 1062.672850] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1062.678645] ? ipv4_mtu+0x375/0x580 [ 1062.682321] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1062.687769] ? lock_acquire+0x1dc/0x520 [ 1062.691737] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1062.697264] ? ip_setup_cork+0x4dc/0x7c0 [ 1062.701316] ip_append_data.part.48+0xf3/0x180 [ 1062.705891] ? raw_destroy+0x30/0x30 [ 1062.709595] ip_append_data+0x6d/0x90 [ 1062.713383] ? raw_destroy+0x30/0x30 [ 1062.717084] raw_sendmsg+0x1dae/0x29b0 [ 1062.720967] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1062.726060] ? rcu_report_qs_rnp+0x790/0x790 [ 1062.730471] ? graph_lock+0x170/0x170 [ 1062.734264] ? expand_files.part.8+0x9a0/0x9a0 [ 1062.738832] ? check_same_owner+0x320/0x320 [ 1062.743156] ? lock_downgrade+0x8e0/0x8e0 [ 1062.747297] ? lock_release+0xa10/0xa10 [ 1062.751257] ? check_same_owner+0x320/0x320 [ 1062.755575] ? __check_object_size+0x95/0x5d9 [ 1062.760062] inet_sendmsg+0x19f/0x690 [ 1062.763850] ? __might_sleep+0x95/0x190 [ 1062.767814] ? ipip_gro_receive+0x100/0x100 [ 1062.772129] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1062.777659] ? security_socket_sendmsg+0x94/0xc0 [ 1062.782399] ? ipip_gro_receive+0x100/0x100 [ 1062.786713] sock_sendmsg+0xd5/0x120 [ 1062.790418] __sys_sendto+0x3d7/0x670 [ 1062.794208] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1062.798866] ? wait_for_completion+0x870/0x870 [ 1062.803441] ? __lock_is_held+0xb5/0x140 [ 1062.807500] ? __sb_end_write+0xac/0xe0 [ 1062.811466] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1062.816986] ? fput+0x130/0x1a0 [ 1062.820254] ? ksys_write+0x1a6/0x250 [ 1062.824054] ? __ia32_sys_read+0xb0/0xb0 [ 1062.828104] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1062.833632] __x64_sys_sendto+0xe1/0x1a0 [ 1062.837684] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1062.842694] do_syscall_64+0x1b1/0x800 [ 1062.846569] ? finish_task_switch+0x1ca/0x840 [ 1062.851072] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1062.855993] ? syscall_return_slowpath+0x30f/0x5c0 [ 1062.860913] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1062.866267] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1062.871101] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1062.876277] RIP: 0033:0x4559f9 [ 1062.879449] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 05:01:06 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) rt_sigsuspend(&(0x7f0000000040)={0x7fff}, 0x8) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1062.898788] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1062.906488] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1062.913765] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1062.921020] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1062.928273] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1062.935528] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000021 [ 1062.944847] binder: 29123:29128 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:06 executing program 4: userfaultfd(0x208000000000800) syz_open_dev$evdev(&(0x7f0000000000)='/dev/input/event#\x00', 0x0, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/cache_bypass\x00', 0x2, 0x0) getpeername$llc(r0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @broadcast}, &(0x7f00000000c0)=0x10) close(0xffffffffffffffff) 05:01:06 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x58}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:06 executing program 7: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) fcntl$getownex(r0, 0x10, &(0x7f0000000000)={0x0, 0x0}) ioprio_set$pid(0x2, r1, 0x1000) ioctl(r0, 0x8912, &(0x7f0000000040)="0047fc2f07d82c99240970") syz_emit_ethernet(0x3a, &(0x7f0000000080)=ANY=[@ANYBLOB="aaaa1addd2bf66aaaaaaaa0180c20008104900002c0000000000009078ac1414bbac1414aa020befac1414bbe00000018903000000e1ff8f78ff"], &(0x7f00000002c0)) openat$cuse(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cuse\x00', 0x0, 0x0) [ 1062.971054] binder: 29123:29128 BC_FREE_BUFFER u0000000000000000 no match [ 1062.971932] binder: 29119:29126 ioctl c0306201 2000dfd0 returned -22 [ 1062.988071] binder: 29123:29128 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1063.032768] binder: 29123:29128 BC_FREE_BUFFER u0000000000000000 no match [ 1063.401050] ALSA: seq fatal error: cannot create timer (-22) [ 1063.570443] ALSA: seq fatal error: cannot create timer (-22) 05:01:07 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper={0x630b}], 0x0, 0x0, &(0x7f0000000040)}) getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000000180)={{{@in, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast1}}, &(0x7f0000000040)=0xe8) setsockopt$inet6_IPV6_PKTINFO(r0, 0x29, 0x32, &(0x7f0000000080)={@mcast2={0xff, 0x2, [], 0x1}, r1}, 0x14) ioctl$FICLONE(0xffffffffffffffff, 0x40049409, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f000000dfd0)={0x12, 0x0, &(0x7f000000cf68)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000008f37)}) 05:01:07 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000240)=[{&(0x7f00000001c0)=""/50}], 0x1000000000000356) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:07 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000080)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="20000000200001020000000000000000020000000000009862e58167e27006220231efd461fc1df78605e7ff1f0d81"], 0x20}, 0x1}, 0x0) 05:01:07 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:07 executing program 1 (fault-call:4 fault-nth:34): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:07 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x4}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6000000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:07 executing program 7: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x600, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1064.007091] binder: 29169:29174 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1064.014377] FAULT_INJECTION: forcing a failure. [ 1064.014377] name failslab, interval 1, probability 0, space 0, times 0 [ 1064.016745] binder: 29169:29174 BC_FREE_BUFFER u0000000000000000 no match [ 1064.025681] CPU: 1 PID: 29172 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1064.039526] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1064.042605] binder: 29169:29174 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:07 executing program 5: setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000000240), 0x8) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x0) epoll_create1(0x80000) ioctl$SG_IO(r0, 0x2284, &(0x7f0000001480)={0x4, 0x0, 0x0, 0x0, @scatter={0x0, 0x0, &(0x7f0000000280)}, &(0x7f0000001500), &(0x7f0000001400)=""/71, 0x0, 0x0, 0x0, &(0x7f00000002c0)}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/net/pfkey\x00', 0x1, 0x0) [ 1064.048881] Call Trace: [ 1064.048908] dump_stack+0x1b9/0x294 [ 1064.048931] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1064.048950] ? is_bpf_text_address+0xd7/0x170 [ 1064.048969] ? kernel_text_address+0x79/0xf0 [ 1064.048985] ? __unwind_start+0x166/0x330 [ 1064.065909] binder: 29169:29174 BC_FREE_BUFFER u0000000000000000 no match [ 1064.067292] should_fail.cold.4+0xa/0x1a [ 1064.067313] ? __save_stack_trace+0x7e/0xd0 [ 1064.067335] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1064.067359] ? graph_lock+0x170/0x170 05:01:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x200000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1064.104883] ? save_stack+0x43/0xd0 [ 1064.108523] ? kasan_kmalloc+0xc4/0xe0 [ 1064.108654] netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'. [ 1064.112414] ? kasan_slab_alloc+0x12/0x20 [ 1064.112436] ? find_held_lock+0x36/0x1c0 [ 1064.112456] ? __lock_is_held+0xb5/0x140 [ 1064.112480] ? check_same_owner+0x320/0x320 [ 1064.137464] ? rcu_note_context_switch+0x710/0x710 [ 1064.142411] __should_failslab+0x124/0x180 [ 1064.146654] should_failslab+0x9/0x14 [ 1064.150454] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1064.155565] __kmalloc_node_track_caller+0x33/0x70 [ 1064.160492] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1064.165245] __alloc_skb+0x14d/0x780 [ 1064.168960] ? skb_scrub_packet+0x580/0x580 [ 1064.173276] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1064.178804] ? ip_generic_getfrag+0x11c/0x2d0 [ 1064.183295] ? ip_reply_glue_bits+0xc0/0xc0 [ 1064.187623] ? raw_getfrag+0x15b/0x220 [ 1064.191502] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1064.196531] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1064.201560] ? raw_destroy+0x30/0x30 [ 1064.205285] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1064.211082] ? ipv4_mtu+0x375/0x580 [ 1064.214716] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1064.220166] ? lock_acquire+0x1dc/0x520 [ 1064.224132] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1064.229661] ? ip_setup_cork+0x4dc/0x7c0 [ 1064.233720] ip_append_data.part.48+0xf3/0x180 [ 1064.238293] ? raw_destroy+0x30/0x30 [ 1064.242002] ip_append_data+0x6d/0x90 [ 1064.245797] ? raw_destroy+0x30/0x30 [ 1064.249505] raw_sendmsg+0x1dae/0x29b0 [ 1064.253400] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1064.258496] ? rcu_report_qs_rnp+0x790/0x790 [ 1064.262905] ? graph_lock+0x170/0x170 [ 1064.266720] ? expand_files.part.8+0x9a0/0x9a0 [ 1064.271296] ? check_same_owner+0x320/0x320 [ 1064.275625] ? lock_downgrade+0x8e0/0x8e0 [ 1064.279767] ? lock_release+0xa10/0xa10 [ 1064.283732] ? check_same_owner+0x320/0x320 [ 1064.288050] ? __check_object_size+0x95/0x5d9 [ 1064.292544] inet_sendmsg+0x19f/0x690 [ 1064.296335] ? __might_sleep+0x95/0x190 [ 1064.300309] ? ipip_gro_receive+0x100/0x100 [ 1064.304649] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1064.310180] ? security_socket_sendmsg+0x94/0xc0 [ 1064.314924] ? ipip_gro_receive+0x100/0x100 [ 1064.319240] sock_sendmsg+0xd5/0x120 [ 1064.322946] __sys_sendto+0x3d7/0x670 [ 1064.326739] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1064.331405] ? wait_for_completion+0x870/0x870 [ 1064.335983] ? __lock_is_held+0xb5/0x140 [ 1064.340049] ? __sb_end_write+0xac/0xe0 [ 1064.344021] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1064.349547] ? fput+0x130/0x1a0 [ 1064.352824] ? ksys_write+0x1a6/0x250 [ 1064.356625] ? __ia32_sys_read+0xb0/0xb0 [ 1064.360679] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1064.365518] __x64_sys_sendto+0xe1/0x1a0 [ 1064.369570] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1064.374582] do_syscall_64+0x1b1/0x800 [ 1064.378457] ? finish_task_switch+0x1ca/0x840 [ 1064.382947] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1064.387870] ? syscall_return_slowpath+0x30f/0x5c0 [ 1064.392791] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1064.398162] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1064.403004] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1064.408186] RIP: 0033:0x4559f9 [ 1064.411362] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1064.430736] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1064.438437] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1064.445695] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1064.452952] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1064.460211] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1064.467471] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000022 [ 1064.477480] binder: 29165:29173 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1064.493254] binder: 29165:29173 BC_FREE_BUFFER u0000000000000000 no match [ 1064.505426] binder: 29185:29186 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1064.512591] binder: 29185:29186 BC_FREE_BUFFER u0000000000000000 no match [ 1064.541414] binder: 29185:29186 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:07 executing program 4: r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000011c0)='/dev/snapshot\x00', 0x0, 0x0) mkdir(&(0x7f00000005c0)='./file0\x00', 0x0) creat(&(0x7f0000f66ff4)='./file0/bus\x00', 0x0) open$dir(&(0x7f0000000180)='./file0/bus\x00', 0x0, 0x0) writev(0xffffffffffffffff, &(0x7f00002c8000), 0x0) r1 = dup(r0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x2011, r1, 0x0) ioctl$VHOST_SET_VRING_KICK(r0, 0x80083313, &(0x7f00000000c0)) 05:01:07 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:07 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r1, &(0x7f0000b6dfc8)={0x0, 0x0, &(0x7f00008feff0)={&(0x7f0000327f68)={0x2, 0x400000000000003, 0x0, 0x0, 0x13, 0x0, 0x0, 0x0, [@sadb_address={0x5, 0x6, 0x0, 0x0, 0x0, @in6={0xa}}, @sadb_address={0x5, 0x9, 0xff, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @remote={0xfe, 0x80, [], 0xffffffffffffffff}}}, @sadb_sa={0x2, 0x1}, @sadb_address={0x5, 0x5, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @mcast2={0xff, 0x2, [], 0x1}}}]}, 0x98}, 0x1}, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) prlimit64(0x0, 0x7, &(0x7f0000000180), &(0x7f00000001c0)) sendmmsg$unix(r2, &(0x7f0000003bc0)=[{&(0x7f0000000040)=@abs, 0x6e, &(0x7f0000000680), 0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="18000000000000000100000001000000", @ANYRES32=r2, @ANYBLOB="000066869ecee8ce6af9fd2998ca11bce9c80000"], 0x18}], 0x1, 0x0) recvmmsg(r3, &(0x7f0000002f40)=[{{&(0x7f0000000940)=@ax25, 0x80, &(0x7f00000009c0), 0x0, &(0x7f0000000a00)=""/36, 0x24}}], 0x1, 0x0, &(0x7f0000003000)) 05:01:08 executing program 5: r0 = syz_open_dev$sndseq(&(0x7f0000dcc000)='/dev/snd/seq\x00', 0x0, 0x0) read(r0, &(0x7f0000fb6000)=""/28, 0x1c) r1 = getpid() sched_setaffinity(r1, 0x8, &(0x7f0000d4b000)=0x2) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000010039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000140)={0x0, 0x0, 0x0, 'queue1\x00'}) r2 = memfd_create(&(0x7f0000000040)='proceth1\x00', 0x0) ioctl$UFFDIO_UNREGISTER(r2, 0x8010aa01, &(0x7f0000000080)={&(0x7f0000ffa000/0x4000)=nil, 0x4000}) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r0, 0x4058534c, &(0x7f000035d000)) r3 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000efb000)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$sock_FIOSETOWN(r3, 0x8901, &(0x7f0000000000)=r1) 05:01:08 executing program 1 (fault-call:4 fault-nth:35): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:08 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000ffc000/0x1000)=nil, 0x1000}, 0x3}) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1064.562329] binder: 29185:29186 BC_FREE_BUFFER u0000000000000000 no match [ 1064.713456] FAULT_INJECTION: forcing a failure. [ 1064.713456] name failslab, interval 1, probability 0, space 0, times 0 [ 1064.724856] CPU: 1 PID: 29210 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1064.731796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1064.741159] Call Trace: [ 1064.743786] dump_stack+0x1b9/0x294 [ 1064.747436] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1064.752648] ? unwind_get_return_address+0x61/0xa0 [ 1064.757600] ? graph_lock+0x170/0x170 [ 1064.761424] should_fail.cold.4+0xa/0x1a [ 1064.765508] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1064.770629] ? __lock_is_held+0xb5/0x140 [ 1064.774686] ? __kmalloc_node_track_caller+0x47/0x70 [ 1064.779781] ? graph_lock+0x170/0x170 [ 1064.783575] ? __x64_sys_sendto+0xe1/0x1a0 [ 1064.787802] ? find_held_lock+0x36/0x1c0 [ 1064.791856] ? __lock_is_held+0xb5/0x140 [ 1064.795914] ? check_same_owner+0x320/0x320 [ 1064.800224] ? rcu_note_context_switch+0x710/0x710 [ 1064.805140] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1064.810436] __should_failslab+0x124/0x180 [ 1064.814670] should_failslab+0x9/0x14 [ 1064.818461] kmem_cache_alloc_node+0x272/0x780 [ 1064.823030] ? __kmalloc_node_track_caller+0x47/0x70 [ 1064.828125] __alloc_skb+0x111/0x780 [ 1064.831828] ? skb_scrub_packet+0x580/0x580 [ 1064.836141] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1064.841689] ? ip_generic_getfrag+0x11c/0x2d0 [ 1064.846174] ? ip_reply_glue_bits+0xc0/0xc0 [ 1064.850495] ? raw_getfrag+0x15b/0x220 [ 1064.854369] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1064.859401] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1064.864410] ? raw_destroy+0x30/0x30 [ 1064.868124] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1064.873912] ? ipv4_mtu+0x375/0x580 [ 1064.877531] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1064.882982] ? lock_acquire+0x1dc/0x520 [ 1064.886949] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1064.892491] ? ip_setup_cork+0x4dc/0x7c0 [ 1064.896541] ip_append_data.part.48+0xf3/0x180 [ 1064.901111] ? raw_destroy+0x30/0x30 [ 1064.904814] ip_append_data+0x6d/0x90 [ 1064.908620] ? raw_destroy+0x30/0x30 [ 1064.912327] raw_sendmsg+0x1dae/0x29b0 [ 1064.916211] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1064.921301] ? rcu_report_qs_rnp+0x790/0x790 [ 1064.925701] ? graph_lock+0x170/0x170 [ 1064.929509] ? expand_files.part.8+0x9a0/0x9a0 [ 1064.934078] ? check_same_owner+0x320/0x320 [ 1064.938401] ? lock_downgrade+0x8e0/0x8e0 [ 1064.942540] ? lock_release+0xa10/0xa10 [ 1064.946500] ? check_same_owner+0x320/0x320 [ 1064.950812] ? __check_object_size+0x95/0x5d9 [ 1064.955300] inet_sendmsg+0x19f/0x690 [ 1064.959085] ? __might_sleep+0x95/0x190 [ 1064.963048] ? ipip_gro_receive+0x100/0x100 [ 1064.967361] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1064.972889] ? security_socket_sendmsg+0x94/0xc0 [ 1064.977650] ? ipip_gro_receive+0x100/0x100 [ 1064.981966] sock_sendmsg+0xd5/0x120 [ 1064.985664] __sys_sendto+0x3d7/0x670 [ 1064.989454] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1064.994116] ? wait_for_completion+0x870/0x870 [ 1064.998694] ? __lock_is_held+0xb5/0x140 [ 1065.002751] ? __sb_end_write+0xac/0xe0 [ 1065.006714] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1065.012237] ? fput+0x130/0x1a0 [ 1065.015507] ? ksys_write+0x1a6/0x250 [ 1065.019300] ? __ia32_sys_read+0xb0/0xb0 [ 1065.023347] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1065.028874] __x64_sys_sendto+0xe1/0x1a0 [ 1065.032925] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1065.037935] do_syscall_64+0x1b1/0x800 [ 1065.041830] ? finish_task_switch+0x1ca/0x840 [ 1065.046313] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1065.051233] ? syscall_return_slowpath+0x30f/0x5c0 [ 1065.056153] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1065.061508] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1065.066339] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1065.071515] RIP: 0033:0x4559f9 [ 1065.074688] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1065.094053] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1065.101837] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1065.109096] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1065.116357] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1065.123613] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1065.130868] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000023 05:01:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x20000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:09 executing program 4: keyctl$set_reqkey_keyring(0xe, 0xffffffffffffffff) request_key(&(0x7f0000016000)='logon\x00', &(0x7f0000ce8ffb)={0x73, 0x79, 0x7a}, &(0x7f0000000000)='\x00', 0x0) 05:01:09 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000040)={0x0, 0x9}, &(0x7f0000000140)=0x8) getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r2, 0x84, 0x1f, &(0x7f0000000240)={r3, @in={{0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x1f}}}, 0xfffffffffffffff7, 0x1a}, &(0x7f00000001c0)=0x90) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000400)={"73797a6b616c6c65723006000400", 0x5002}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:09 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4c000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:09 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x23000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:09 executing program 1 (fault-call:4 fault-nth:36): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:09 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000140)="295ee1311f16f477671070") perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) shmget$private(0x0, 0x4000, 0xa04, &(0x7f0000ffc000/0x4000)=nil) r1 = semget$private(0x0, 0x4, 0x0) semtimedop(r1, &(0x7f0000000000)=[{0x1, 0x5, 0x800}, {0x4, 0x6, 0x1000}, {0x4, 0x8000, 0x1000}, {0x4, 0x498d, 0x800}, {0x0, 0x6, 0x800}, {0x3, 0x3}, {0x2, 0xfffffffffffffc00, 0x1800}], 0x7, &(0x7f0000000040)={0x0, 0x989680}) 05:01:09 executing program 7: r0 = socket$inet6(0xa, 0x1, 0xfffffffffffffffe) ioctl(r0, 0x8912, &(0x7f0000000040)="295ed277a4200100360070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) fstatfs(r2, &(0x7f0000000080)) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) r3 = openat$ion(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ion\x00', 0x2000, 0x0) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_VM_SOCKETS_BUFFER_MIN_SIZE(r4, 0x28, 0x1, &(0x7f0000000180)=0x439, 0x8) dup3(r5, r4, 0x0) ioctl$ION_IOC_ALLOC(r3, 0xc0184900, &(0x7f0000000100)={0x0, 0x22, 0x1, r5}) clone(0x0, &(0x7f0000000780), &(0x7f00000001c0), &(0x7f0000000000), &(0x7f0000000740)) [ 1065.761507] binder: 29239:29242 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1065.773237] FAULT_INJECTION: forcing a failure. [ 1065.773237] name failslab, interval 1, probability 0, space 0, times 0 [ 1065.784640] CPU: 0 PID: 29246 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1065.791573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1065.800950] Call Trace: [ 1065.803539] dump_stack+0x1b9/0x294 [ 1065.807161] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1065.812337] ? is_bpf_text_address+0xd7/0x170 [ 1065.816822] ? kernel_text_address+0x79/0xf0 [ 1065.821219] ? __unwind_start+0x166/0x330 [ 1065.825361] should_fail.cold.4+0xa/0x1a [ 1065.829418] ? __save_stack_trace+0x7e/0xd0 [ 1065.833729] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1065.838827] ? graph_lock+0x170/0x170 [ 1065.842631] ? save_stack+0x43/0xd0 [ 1065.846242] ? kasan_kmalloc+0xc4/0xe0 [ 1065.850115] ? kasan_slab_alloc+0x12/0x20 [ 1065.854252] ? find_held_lock+0x36/0x1c0 [ 1065.858315] ? __lock_is_held+0xb5/0x140 [ 1065.862378] ? check_same_owner+0x320/0x320 [ 1065.866690] ? rcu_note_context_switch+0x710/0x710 [ 1065.871615] __should_failslab+0x124/0x180 [ 1065.875841] should_failslab+0x9/0x14 [ 1065.879627] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1065.884723] __kmalloc_node_track_caller+0x33/0x70 [ 1065.889640] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1065.894398] __alloc_skb+0x14d/0x780 [ 1065.898105] ? skb_scrub_packet+0x580/0x580 [ 1065.902420] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1065.907948] ? ip_generic_getfrag+0x11c/0x2d0 [ 1065.912432] ? ip_reply_glue_bits+0xc0/0xc0 [ 1065.916745] ? raw_getfrag+0x15b/0x220 [ 1065.920618] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1065.925626] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1065.930636] ? raw_destroy+0x30/0x30 [ 1065.934346] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1065.940136] ? ipv4_mtu+0x375/0x580 [ 1065.943751] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1065.949195] ? lock_acquire+0x1dc/0x520 [ 1065.953172] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1065.958698] ? ip_setup_cork+0x4dc/0x7c0 [ 1065.962750] ip_append_data.part.48+0xf3/0x180 [ 1065.967323] ? raw_destroy+0x30/0x30 [ 1065.971027] ip_append_data+0x6d/0x90 [ 1065.974818] ? raw_destroy+0x30/0x30 [ 1065.978524] raw_sendmsg+0x1dae/0x29b0 [ 1065.982418] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1065.987509] ? rcu_report_qs_rnp+0x790/0x790 [ 1065.991912] ? graph_lock+0x170/0x170 [ 1065.995706] ? expand_files.part.8+0x9a0/0x9a0 [ 1066.000273] ? check_same_owner+0x320/0x320 [ 1066.004591] ? lock_downgrade+0x8e0/0x8e0 [ 1066.008727] ? lock_release+0xa10/0xa10 [ 1066.012686] ? check_same_owner+0x320/0x320 [ 1066.016996] ? __check_object_size+0x95/0x5d9 [ 1066.021480] inet_sendmsg+0x19f/0x690 [ 1066.025266] ? __might_sleep+0x95/0x190 [ 1066.029248] ? ipip_gro_receive+0x100/0x100 [ 1066.033557] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1066.039084] ? security_socket_sendmsg+0x94/0xc0 [ 1066.043827] ? ipip_gro_receive+0x100/0x100 [ 1066.048141] sock_sendmsg+0xd5/0x120 [ 1066.051841] __sys_sendto+0x3d7/0x670 [ 1066.055631] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1066.060294] ? wait_for_completion+0x870/0x870 [ 1066.064866] ? __lock_is_held+0xb5/0x140 [ 1066.068921] ? __sb_end_write+0xac/0xe0 [ 1066.072883] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1066.078408] ? fput+0x130/0x1a0 [ 1066.081674] ? ksys_write+0x1a6/0x250 [ 1066.085464] ? __ia32_sys_read+0xb0/0xb0 [ 1066.089515] __x64_sys_sendto+0xe1/0x1a0 [ 1066.093564] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1066.098568] do_syscall_64+0x1b1/0x800 [ 1066.102446] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1066.107276] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1066.112195] ? syscall_return_slowpath+0x30f/0x5c0 [ 1066.117112] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1066.122466] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1066.127310] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1066.132509] RIP: 0033:0x4559f9 [ 1066.135680] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1066.154928] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c 05:01:09 executing program 4: r0 = syz_open_dev$sndpcmc(&(0x7f000048b000)='/dev/snd/pcmC#D#c\x00', 0x0, 0x0) mmap$binder(&(0x7f0000ca9000/0x1000)=nil, 0x1000, 0x0, 0x2051, r0, 0x0) r1 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f0000000000)={@dev={0xfe, 0x80, [], 0x16}}, 0x14) [ 1066.162625] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1066.169883] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1066.177145] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1066.184400] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1066.191654] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000024 [ 1066.201291] binder: 29239:29242 BC_FREE_BUFFER u0000000000000000 no match 05:01:09 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xffff0000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:09 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r3, 0x84, 0x8, &(0x7f0000000040)=0x6, 0x4) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") epoll_ctl$EPOLL_CTL_DEL(r0, 0x2, r1) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1066.229827] binder: 29239:29242 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1066.265870] binder: 29239:29242 BC_FREE_BUFFER u0000000000000000 no match [ 1066.627821] ALSA: seq fatal error: cannot create timer (-22) 05:01:10 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x4000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:10 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7400000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:10 executing program 4: r0 = socket$nl_crypto(0x10, 0x3, 0x15) fremovexattr(r0, &(0x7f0000000100)=@known='security.capability\x00') r1 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x8, 0x10000) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1b, &(0x7f0000000140)={0x0, 0xe0, "c401fced2b7478f4a1f78841da2623a8fa564d266a0159fcb77f958b1f01cba0c56fcc51e468d7d26ab862ce8ff2b88cd396a5a1282e2cc4e59442d495bfc70dcf5080ae3ac870776b2d212ebdf358d52d12f67080d95f70ffb42f73da17dcfa0e98b0a661e259f8623ed7d8ac63df90d0fa5986916e6f4a42a7994f53a140680cd8bd38867e64954e2e03f90dabe0d187acae97031708d10a97a932ec9442a2efeff7f0777a4cc4d0dc5b9975c3aedbd870daf7530a2c92bee85f0269248ef29666015827a136ee8c3095c5b572bc4a23b9b2b04429d177e5b4206185b2a011"}, &(0x7f0000000040)=0xe8) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f00000000c0)={r2, 0x10, &(0x7f0000000080)=[@in={0x2, 0x4e20, @multicast1=0xe0000001}]}, &(0x7f0000000240)=0x10) 05:01:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:10 executing program 5: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") r1 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffe, 0x31, 0xffffffffffffffff, 0x0) ioctl$SG_GET_SG_TABLESIZE(r1, 0x2272, &(0x7f0000000240)) openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x101000, 0x0) 05:01:10 executing program 1 (fault-call:4 fault-nth:37): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:10 executing program 7: r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x80, 0x0) bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x3, 0x401, 0x3, 0x20, 0x38, r0, 0xb6}, 0x2c) unshare(0x24020400) r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mixer\x00', 0x20000, 0x0) ioctl$KVM_GET_SUPPORTED_CPUID(r1, 0xc008ae05, &(0x7f0000000080)=""/202) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x3, 0x4, 0x4, 0x9}, 0x14) epoll_create(0x8000000000000002) socket$nl_crypto(0x10, 0x3, 0x15) bpf$MAP_CREATE(0x0, &(0x7f000061e000)={0xd, 0x2, 0x4, 0x69, 0x0, r2}, 0x2c) 05:01:10 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x10000000000) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) sendto$inet6(r0, &(0x7f0000000040)="eb5dae826f0ae6bca3996927ef8d738565654e82228bd729643c2d76105c0f671ee502559cbca7a26899b9ed0dd3e85b480da2a1bd906f", 0x37, 0x80, 0x0, 0x0) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @dev={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x1b}}, 0x8000000000008, {0x2, 0xffffffffffffffff, @dev={0xac, 0x14, 0x14, 0x1c}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1066.797222] ALSA: seq fatal error: cannot create timer (-22) [ 1066.841412] binder: 29287:29288 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1066.844029] FAULT_INJECTION: forcing a failure. [ 1066.844029] name failslab, interval 1, probability 0, space 0, times 0 [ 1066.857379] binder: 29287:29288 BC_FREE_BUFFER u0000000000000000 no match [ 1066.859689] CPU: 0 PID: 29290 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1066.859700] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1066.859706] Call Trace: [ 1066.859729] dump_stack+0x1b9/0x294 05:01:10 executing program 4: r0 = openat$md(0xffffffffffffff9c, &(0x7f0000000080)='/dev/md0\x00', 0x0, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0) ioctl$IOC_PR_RELEASE(r0, 0x401070ca, &(0x7f0000000000)={0x3, 0x8, 0x1}) ioctl$BLKPG(r0, 0x40140921, &(0x7f00000001c0)={0x0, 0x0, 0x0, &(0x7f00000000c0)}) 05:01:10 executing program 5: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000100)={&(0x7f0000000180)={0x10, 0x40030000000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="1800000031001d01000000000000000001000000040000007778649922d6e75ed16e3bfd7dca7c0d20377f4c4fe02e681ffe9f6a63972e9b4a2c39177788bf569e2ad857442dfcbeb87fec3036b7b49dcd1d8ebf0df0332f8ce88de96a3a2574f388bf06aa1a67dde6d9af336d5d51c998c2025c"], 0x18}, 0x1}, 0x0) 05:01:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x60, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1066.859752] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1066.894331] ? unwind_get_return_address+0x61/0xa0 [ 1066.898158] binder: 29287:29288 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1066.899276] ? graph_lock+0x170/0x170 [ 1066.899307] should_fail.cold.4+0xa/0x1a [ 1066.899331] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1066.912085] binder: 29287:29288 BC_FREE_BUFFER u0000000000000000 no match [ 1066.914099] ? __lock_is_held+0xb5/0x140 [ 1066.914117] ? __kmalloc_node_track_caller+0x47/0x70 [ 1066.914135] ? graph_lock+0x170/0x170 [ 1066.914153] ? __x64_sys_sendto+0xe1/0x1a0 [ 1066.914173] ? find_held_lock+0x36/0x1c0 [ 1066.947422] ? __lock_is_held+0xb5/0x140 [ 1066.951507] ? check_same_owner+0x320/0x320 [ 1066.955847] ? rcu_note_context_switch+0x710/0x710 [ 1066.960794] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1066.966092] __should_failslab+0x124/0x180 [ 1066.970346] should_failslab+0x9/0x14 [ 1066.974158] kmem_cache_alloc_node+0x272/0x780 [ 1066.978758] ? __kmalloc_node_track_caller+0x47/0x70 [ 1066.983884] __alloc_skb+0x111/0x780 [ 1066.987604] ? skb_scrub_packet+0x580/0x580 [ 1066.991930] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1066.997466] ? ip_generic_getfrag+0x11c/0x2d0 [ 1067.001961] ? ip_reply_glue_bits+0xc0/0xc0 [ 1067.006290] ? raw_getfrag+0x15b/0x220 [ 1067.010171] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1067.015210] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1067.020226] ? raw_destroy+0x30/0x30 [ 1067.023943] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1067.029738] ? ipv4_mtu+0x375/0x580 [ 1067.033362] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1067.038866] ? lock_acquire+0x1dc/0x520 [ 1067.043008] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1067.048533] ? ip_setup_cork+0x4dc/0x7c0 [ 1067.052590] ip_append_data.part.48+0xf3/0x180 [ 1067.057167] ? raw_destroy+0x30/0x30 [ 1067.060875] ip_append_data+0x6d/0x90 [ 1067.064669] ? raw_destroy+0x30/0x30 [ 1067.068388] raw_sendmsg+0x1dae/0x29b0 [ 1067.072286] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1067.077395] ? rcu_report_qs_rnp+0x790/0x790 [ 1067.081808] ? graph_lock+0x170/0x170 [ 1067.085607] ? expand_files.part.8+0x9a0/0x9a0 [ 1067.090179] ? check_same_owner+0x320/0x320 [ 1067.094511] ? lock_downgrade+0x8e0/0x8e0 [ 1067.098654] ? lock_release+0xa10/0xa10 [ 1067.102618] ? check_same_owner+0x320/0x320 [ 1067.106941] ? __check_object_size+0x95/0x5d9 [ 1067.111434] inet_sendmsg+0x19f/0x690 [ 1067.115220] ? __might_sleep+0x95/0x190 [ 1067.119185] ? ipip_gro_receive+0x100/0x100 [ 1067.123505] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1067.129036] ? security_socket_sendmsg+0x94/0xc0 [ 1067.133782] ? ipip_gro_receive+0x100/0x100 [ 1067.138099] sock_sendmsg+0xd5/0x120 [ 1067.141806] __sys_sendto+0x3d7/0x670 [ 1067.145602] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1067.150265] ? wait_for_completion+0x870/0x870 [ 1067.154868] ? __lock_is_held+0xb5/0x140 [ 1067.158935] ? __sb_end_write+0xac/0xe0 [ 1067.162992] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1067.168517] ? fput+0x130/0x1a0 [ 1067.171788] ? ksys_write+0x1a6/0x250 [ 1067.175586] ? __ia32_sys_read+0xb0/0xb0 [ 1067.179644] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1067.184483] __x64_sys_sendto+0xe1/0x1a0 [ 1067.188537] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1067.193548] do_syscall_64+0x1b1/0x800 [ 1067.197432] ? finish_task_switch+0x1ca/0x840 [ 1067.201924] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1067.206845] ? syscall_return_slowpath+0x30f/0x5c0 [ 1067.211770] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1067.217128] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1067.221969] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1067.227149] RIP: 0033:0x4559f9 [ 1067.230323] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1067.249661] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1067.257382] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1067.264641] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1067.271900] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1067.279172] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1067.286432] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000025 05:01:10 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = fcntl$dupfd(r2, 0x0, r2) ioctl$FS_IOC_FSGETXATTR(r0, 0x801c581f, &(0x7f0000000080)={0x3, 0x9, 0x6, 0x100000000, 0x810000000000}) ioctl$KVM_S390_INTERRUPT_CPU(r3, 0x4010ae94, &(0x7f00000000c0)={0x1, 0x3, 0x8000}) openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r3, r4, &(0x7f0000027000/0x18000)=nil, &(0x7f0000000040)=[@text64={0x40, &(0x7f0000000180)="660f38803568890000b9800000c00f3235000800000f300fc71b66470f3882935d0000000f323e67440f380583000001000f015944f3420f01dfb93d0b00000f3266ba410066b8c6a066ef", 0x4b}], 0xaaaabf0, 0x5d, &(0x7f0000000000), 0x32) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) 05:01:10 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x2300}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1067.338452] binder: 29309:29311 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1067.371928] binder: 29309:29311 BC_FREE_BUFFER u0000000000000000 no match 05:01:10 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") r1 = socket(0xa, 0x2, 0x0) setsockopt$packet_fanout(r1, 0x107, 0x12, &(0x7f0000000080)={0x0, 0x7, 0x1000}, 0x4) setsockopt$inet_int(r1, 0x0, 0x17, &(0x7f00000000c0)=0x7, 0x4) connect$inet6(r1, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={[0xfeffffff], [0xff, 0xff], @loopback=0x7f000001}}, 0x1c) unshare(0x20400) setsockopt$inet_int(r1, 0x0, 0x17, &(0x7f0000000000), 0x4) [ 1067.385889] binder: 29309:29311 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:10 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) read(r0, &(0x7f0000000240)=""/191, 0xbf) 05:01:10 executing program 1 (fault-call:4 fault-nth:38): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1067.435387] binder: 29309:29311 BC_FREE_BUFFER u0000000000000000 no match 05:01:10 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf8ff3f1f00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1067.541621] FAULT_INJECTION: forcing a failure. [ 1067.541621] name failslab, interval 1, probability 0, space 0, times 0 [ 1067.552961] CPU: 0 PID: 29331 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1067.559917] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1067.569285] Call Trace: [ 1067.571899] dump_stack+0x1b9/0x294 [ 1067.575554] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1067.580768] ? is_bpf_text_address+0xd7/0x170 [ 1067.585304] should_fail.cold.4+0xa/0x1a [ 1067.589389] ? __save_stack_trace+0x7e/0xd0 [ 1067.593736] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1067.598868] ? graph_lock+0x170/0x170 [ 1067.602692] ? save_stack+0x43/0xd0 [ 1067.606345] ? kasan_kmalloc+0xc4/0xe0 [ 1067.610255] ? kasan_slab_alloc+0x12/0x20 [ 1067.614427] ? find_held_lock+0x36/0x1c0 [ 1067.618504] ? __lock_is_held+0xb5/0x140 [ 1067.622569] ? check_same_owner+0x320/0x320 [ 1067.626884] ? rcu_note_context_switch+0x710/0x710 [ 1067.631810] __should_failslab+0x124/0x180 [ 1067.636035] should_failslab+0x9/0x14 [ 1067.639827] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1067.644928] __kmalloc_node_track_caller+0x33/0x70 [ 1067.649848] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1067.654614] __alloc_skb+0x14d/0x780 [ 1067.658803] ? skb_scrub_packet+0x580/0x580 [ 1067.663120] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1067.668648] ? ip_generic_getfrag+0x11c/0x2d0 [ 1067.673134] ? ip_reply_glue_bits+0xc0/0xc0 [ 1067.677451] ? raw_getfrag+0x15b/0x220 [ 1067.681329] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1067.686345] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1067.691359] ? raw_destroy+0x30/0x30 [ 1067.695073] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1067.700862] ? ipv4_mtu+0x375/0x580 [ 1067.704480] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1067.709931] ? lock_acquire+0x1dc/0x520 [ 1067.713895] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1067.719593] ? ip_setup_cork+0x4dc/0x7c0 [ 1067.723647] ip_append_data.part.48+0xf3/0x180 [ 1067.728220] ? raw_destroy+0x30/0x30 [ 1067.731952] ip_append_data+0x6d/0x90 [ 1067.735741] ? raw_destroy+0x30/0x30 [ 1067.739447] raw_sendmsg+0x1dae/0x29b0 [ 1067.743336] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1067.748430] ? zap_class+0x720/0x720 [ 1067.752136] ? graph_lock+0x170/0x170 [ 1067.755930] ? expand_files.part.8+0x9a0/0x9a0 [ 1067.760518] ? lock_downgrade+0x8e0/0x8e0 [ 1067.764657] ? lock_release+0xa10/0xa10 [ 1067.768623] ? check_same_owner+0x320/0x320 [ 1067.772935] ? __check_object_size+0x95/0x5d9 [ 1067.777424] inet_sendmsg+0x19f/0x690 [ 1067.781209] ? __might_sleep+0x95/0x190 [ 1067.785174] ? ipip_gro_receive+0x100/0x100 [ 1067.789486] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1067.795014] ? security_socket_sendmsg+0x94/0xc0 [ 1067.799759] ? ipip_gro_receive+0x100/0x100 [ 1067.804070] sock_sendmsg+0xd5/0x120 [ 1067.807773] __sys_sendto+0x3d7/0x670 [ 1067.811571] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1067.816239] ? wait_for_completion+0x870/0x870 [ 1067.820824] ? schedule+0xef/0x430 [ 1067.824355] ? __schedule+0x1e30/0x1e30 [ 1067.828318] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1067.833842] ? fput+0x130/0x1a0 [ 1067.837115] ? ksys_write+0x1a6/0x250 [ 1067.840907] ? __ia32_sys_read+0xb0/0xb0 [ 1067.844956] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1067.850504] __x64_sys_sendto+0xe1/0x1a0 [ 1067.854556] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1067.859565] do_syscall_64+0x1b1/0x800 [ 1067.863440] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1067.868287] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1067.873205] ? syscall_return_slowpath+0x30f/0x5c0 [ 1067.878130] ? retint_user+0x18/0x18 [ 1067.881838] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1067.886672] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1067.891848] RIP: 0033:0x4559f9 [ 1067.895033] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1067.914339] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1067.922039] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1067.929299] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1067.936557] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1067.943823] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1067.951079] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000026 05:01:11 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6c00000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x74000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:11 executing program 7: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x60, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:11 executing program 4: r0 = socket$pptp(0x18, 0x1, 0x2) bind$pptp(r0, &(0x7f0000000000)={0x18, 0x2, {0x0, @remote={0xac, 0x14, 0x14, 0xbb}}}, 0x1e) mlock2(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x0) connect$pptp(r0, &(0x7f0000000280)={0x18, 0x2, {0x1, @remote={0xac, 0x14, 0x14, 0xbb}}}, 0x23) [ 1068.072732] binder: 29345:29346 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1068.079361] binder: 29343:29347 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1068.119358] binder: 29345:29346 BC_FREE_BUFFER u0000000000000000 no match [ 1068.130777] binder: 29343:29347 BC_FREE_BUFFER u0000000000000000 no match [ 1068.169221] binder: 29345:29346 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1068.189836] binder: 29345:29346 BC_FREE_BUFFER u0000000000000000 no match [ 1068.984418] ALSA: seq fatal error: cannot create timer (-22) 05:01:12 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000040)={@mcast2={0xff, 0x2, [], 0x1}, 0x9, 0x2, 0xff, 0x1, 0x0, 0x2, 0x8b10}, 0x20) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) getsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000140)={0x0, 0x8}, &(0x7f00000001c0)=0x8) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000240)={r4, 0xa9d}, 0x8) 05:01:12 executing program 1 (fault-call:4 fault-nth:39): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:12 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:12 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000140)="22bd5e01cc2995ca561dc05fc373343d51cd1ba296bb8b807081df97884c7075a3cfde822c6e36f50f343ae42ee6a8a904fd95ccd4c2044d5ac7e4bdac09ef41112727c77c3a6c420ad6af0891274e74e3f70f3cc182c1289956c1f1fc52de449e39bb1f27de7751ab1c40d9296da7f1e5a3d4c2fd0d058bd4f0200dbe68dc20a2d3194413013494ec21738e1b04411eb57857ec901811d4fd4bb079a15c4697a00e5b8228267b9da763592cfd1f73e0facf5080dace6ed059c1dc1bfcf680c947b6c2c9cb66f191107a") setsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000001000)={0x10000, 0x4, 0x100, 0x400}, 0x6) r1 = socket(0x11, 0x80002, 0x0) setsockopt(r1, 0x107, 0xd, &(0x7f0000001000), 0xc5) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x40000, 0x0, 0x12, r1, 0x0) 05:01:12 executing program 7: mkdir(&(0x7f000082f000)='./control\x00', 0x0) mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000e4c000)={0xaa, 0x4}) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000043fe0)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r1 = creat(&(0x7f0000000000)='./control/file0\x00', 0x0) write$sndseq(r1, &(0x7f0000011fd2)=[{0x0, 0x0, 0x0, 0x0, @time, {}, {}, @time=@time={0x77359400}}], 0x30) unlink(&(0x7f0000f86000)='./control/file0\x00') epoll_pwait(r1, &(0x7f00000001c0)=[{}, {}, {}, {}], 0x4, 0x2, &(0x7f0000000200)={0x552}, 0x8) rmdir(&(0x7f00000000c0)='./control\x00') syz_fuseblk_mount(&(0x7f0000000080)='./control/file2\x00', &(0x7f0000000100)='./control/file1\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) getsockopt$nfc_llcp(r1, 0x118, 0x7, &(0x7f0000000240)=""/40, 0x28) umount2(&(0x7f0000000040)='./control/file1\x00', 0x8) syz_fuseblk_mount(&(0x7f0000000140)='./control\x00', &(0x7f0000000180)='./control/file1\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) close(r0) 05:01:12 executing program 4: syz_init_net_socket$bt_sco(0x1f, 0x4, 0x2) r0 = syz_open_dev$vcsn(&(0x7f00000000c0)='/dev/vcs#\x00', 0x1, 0x400000) openat(r0, &(0x7f0000000040)='./file0\x00', 0x200, 0x1) 05:01:12 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xfdfdffff00000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x10000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1069.153941] ALSA: seq fatal error: cannot create timer (-22) [ 1069.206487] binder: 29374:29376 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1069.212339] FAULT_INJECTION: forcing a failure. [ 1069.212339] name failslab, interval 1, probability 0, space 0, times 0 [ 1069.224832] CPU: 1 PID: 29377 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1069.231769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1069.234958] binder: 29374:29376 BC_FREE_BUFFER u0000000000000000 no match [ 1069.241129] Call Trace: [ 1069.241157] dump_stack+0x1b9/0x294 [ 1069.241179] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1069.241200] ? unwind_get_return_address+0x61/0xa0 [ 1069.241225] ? graph_lock+0x170/0x170 [ 1069.268244] should_fail.cold.4+0xa/0x1a [ 1069.272335] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1069.277462] ? __lock_is_held+0xb5/0x140 [ 1069.281540] ? __kmalloc_node_track_caller+0x47/0x70 [ 1069.286670] ? graph_lock+0x170/0x170 [ 1069.289267] binder: 29374:29376 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1069.290485] ? __x64_sys_sendto+0xe1/0x1a0 [ 1069.290512] ? find_held_lock+0x36/0x1c0 [ 1069.305726] ? __lock_is_held+0xb5/0x140 [ 1069.309056] IPVS: ftp: loaded support on port[0] = 21 [ 1069.309807] ? check_same_owner+0x320/0x320 [ 1069.309826] ? rcu_note_context_switch+0x710/0x710 [ 1069.309846] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1069.320592] binder: 29374:29376 BC_FREE_BUFFER u0000000000000000 no match [ 1069.324284] __should_failslab+0x124/0x180 [ 1069.324303] should_failslab+0x9/0x14 [ 1069.324319] kmem_cache_alloc_node+0x272/0x780 [ 1069.324336] ? __kmalloc_node_track_caller+0x47/0x70 [ 1069.324359] __alloc_skb+0x111/0x780 [ 1069.324378] ? skb_scrub_packet+0x580/0x580 [ 1069.362279] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1069.367831] ? ip_generic_getfrag+0x11c/0x2d0 [ 1069.372345] ? ip_reply_glue_bits+0xc0/0xc0 [ 1069.376682] ? raw_getfrag+0x15b/0x220 [ 1069.380586] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1069.385637] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1069.390682] ? raw_destroy+0x30/0x30 [ 1069.394429] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1069.400249] ? ipv4_mtu+0x375/0x580 05:01:12 executing program 4: unshare(0x40000000) r0 = socket(0x11, 0x100000803, 0x0) r1 = syz_open_dev$tun(&(0x7f00000000c0)='/dev/net/tun\x00', 0x0, 0x20000000002) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={"6966e23000faffffffffffffff00", 0x5001}) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000000)={'ifb0\x00', 0xa201}) write$tun(r1, &(0x7f0000000480)={@void, @val, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x6c, 0x0, @empty, @multicast1=0xe0000001}, @igmp={0x0, 0x0, 0x0, @multicast1=0xe0000001}}}, 0x26) 05:01:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1069.403892] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1069.409365] ? lock_acquire+0x1dc/0x520 [ 1069.413357] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1069.418909] ? ip_setup_cork+0x4dc/0x7c0 [ 1069.423001] ip_append_data.part.48+0xf3/0x180 [ 1069.425132] binder: 29388:29389 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1069.427597] ? raw_destroy+0x30/0x30 [ 1069.427620] ip_append_data+0x6d/0x90 [ 1069.427638] ? raw_destroy+0x30/0x30 [ 1069.427658] raw_sendmsg+0x1dae/0x29b0 [ 1069.427690] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1069.440430] binder: 29388:29389 BC_FREE_BUFFER u0000000000000000 no match [ 1069.442102] ? rcu_report_qs_rnp+0x790/0x790 [ 1069.442129] ? graph_lock+0x170/0x170 [ 1069.442153] ? expand_files.part.8+0x9a0/0x9a0 [ 1069.442167] ? check_same_owner+0x320/0x320 [ 1069.442198] ? lock_downgrade+0x8e0/0x8e0 [ 1069.459641] binder: 29388:29389 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1069.461788] ? lock_release+0xa10/0xa10 [ 1069.461806] ? check_same_owner+0x320/0x320 [ 1069.461824] ? __check_object_size+0x95/0x5d9 [ 1069.461846] inet_sendmsg+0x19f/0x690 [ 1069.461860] ? __might_sleep+0x95/0x190 [ 1069.461877] ? ipip_gro_receive+0x100/0x100 [ 1069.461900] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1069.520269] ? security_socket_sendmsg+0x94/0xc0 [ 1069.525013] ? ipip_gro_receive+0x100/0x100 [ 1069.529322] sock_sendmsg+0xd5/0x120 [ 1069.533223] __sys_sendto+0x3d7/0x670 [ 1069.537017] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1069.541678] ? wait_for_completion+0x870/0x870 [ 1069.546252] ? __lock_is_held+0xb5/0x140 [ 1069.550307] ? __sb_end_write+0xac/0xe0 [ 1069.554273] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1069.560150] ? fput+0x130/0x1a0 [ 1069.563419] ? ksys_write+0x1a6/0x250 [ 1069.567210] ? __ia32_sys_read+0xb0/0xb0 [ 1069.571259] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1069.576806] __x64_sys_sendto+0xe1/0x1a0 [ 1069.580854] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1069.585861] do_syscall_64+0x1b1/0x800 [ 1069.589736] ? finish_task_switch+0x1ca/0x840 [ 1069.594222] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1069.599137] ? syscall_return_slowpath+0x30f/0x5c0 [ 1069.604058] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1069.609415] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1069.614250] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1069.619425] RIP: 0033:0x4559f9 [ 1069.622595] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1069.641832] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1069.649529] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 05:01:13 executing program 5: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000440)='/dev/vga_arbiter\x00', 0x40000, 0x0) readv(r1, &(0x7f0000000080)=[{&(0x7f0000000140)=""/154, 0x9a}], 0x1) getsockopt$inet_sctp_SCTP_EVENTS(r1, 0x84, 0xb, &(0x7f0000000300), &(0x7f0000000340)=0xb) setsockopt$inet_sctp_SCTP_AUTO_ASCONF(r1, 0x84, 0x1e, &(0x7f0000000040)=0x2, 0x4) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r1, 0x84, 0x4, &(0x7f0000000200), &(0x7f0000000240)=0x4) bpf$OBJ_PIN_MAP(0x6, &(0x7f00000000c0)={&(0x7f0000000380)='./file0\x00', r1}, 0x10) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000480)={0x0, @in={{0x2, 0x4e22}}, [0x0, 0xffffffff, 0x7fffffff, 0x6, 0x8, 0xffffffffffffffc1, 0x4, 0xffffffffc15248cf, 0x9d65, 0xeb, 0x0, 0x8001, 0x9, 0xa24, 0x229]}, &(0x7f00000003c0)=0x100) munmap(&(0x7f0000fff000/0x1000)=nil, 0x1000) setsockopt$inet_sctp_SCTP_AUTH_DELETE_KEY(r1, 0x84, 0x19, &(0x7f0000000400)={r2, 0x5}, 0x8) setsockopt$bt_BT_FLUSHABLE(r1, 0x112, 0xa, &(0x7f0000000100)=0xfffbfffffffffffd, 0x114) setsockopt$bt_BT_FLUSHABLE(r0, 0x112, 0x8, &(0x7f0000000000)=0x8, 0x4) setsockopt$inet6_tcp_TCP_REPAIR_OPTIONS(r1, 0x6, 0x16, &(0x7f0000000280)=[{0x3}, {0x7, 0xd4}, {0x4, 0x6}, {0xa, 0x800}, {0x2}, {0xa, 0x7}, {0x2, 0x4}, {0x3, 0x6}, {0x6, 0x2d}, {0x3, 0x5}], 0xa) 05:01:13 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x5800000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:13 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) lseek(r1, 0x0, 0x2) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) pipe(&(0x7f0000000040)={0xffffffffffffffff}) ioctl$UFFDIO_UNREGISTER(r4, 0x8010aa01, &(0x7f0000000140)={&(0x7f0000ffd000/0x3000)=nil, 0x3000}) [ 1069.656785] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1069.664049] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1069.671307] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1069.678564] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000027 [ 1069.693986] binder: 29388:29389 BC_FREE_BUFFER u0000000000000000 no match [ 1069.818913] IPVS: ftp: loaded support on port[0] = 21 [ 1070.259056] ALSA: seq fatal error: cannot create timer (-22) 05:01:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:13 executing program 1 (fault-call:4 fault-nth:40): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:13 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:13 executing program 5: r0 = socket$inet6(0xa, 0x800004, 0x0) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$TUNSETOFFLOAD(r1, 0x400454d0, 0x657d3d0f9a846d70) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$bt_sco_SCO_CONNINFO(r1, 0x11, 0x2, &(0x7f0000000140)=""/157, &(0x7f0000000200)=0x9d) syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, &(0x7f0000000080), 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="64697361626c655f7370617273653d6e6f3d002c00b06ca64885cf06555b94c21e1816ceaa538bbf1319a572fda9aa"]) 05:01:13 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) ioctl$TUNSETSNDBUF(r0, 0x400454d4, &(0x7f0000000040)=0x8) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:13 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6c000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:13 executing program 4: r0 = socket$kcm(0x29, 0x5, 0x0) ioctl(r0, 0x8912, &(0x7f0000000080)="0047fc2f07d82c99240970") r1 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) sendmsg$nl_route(r1, &(0x7f0000000000)={&(0x7f0000000040)={0x10}, 0xfffffffffffffe5f, &(0x7f0000000200)={&(0x7f00000000c0)=@ipv6_newaddr={0x34, 0x14, 0x109, 0x0, 0x0, {0xa, 0x0, 0x0, 0x0, r2}, [@IFA_FLAGS={0x8, 0x8, 0x284}, @IFA_ADDRESS={0x14, 0x1, @local={0xfe, 0x80, [], 0xaa}}]}, 0x34}, 0x1, 0x0, 0x0, 0x4010}, 0x0) 05:01:13 executing program 7: r0 = socket(0xa, 0x2, 0x0) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0xc0, @dev={0xfe, 0x80, [], 0x1f}, 0xffffffffffffffff}, 0x1c) r1 = socket(0x11, 0x100000803, 0x0) r2 = syz_open_dev$tun(&(0x7f00000000c0)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000100)={"6966623000faffffffffffffff00", 0x12}) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000000)={'ifb0\x00', 0xa201}) connect$bt_l2cap(r0, &(0x7f0000000080)={0x2}, 0xe) [ 1070.428363] ALSA: seq fatal error: cannot create timer (-22) [ 1070.483822] binder: 29434:29436 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1070.491417] __ntfs_error: 62 callbacks suppressed [ 1070.491429] ntfs: (device loop5): parse_options(): The disable_sparse option requires a boolean argument. [ 1070.516480] FAULT_INJECTION: forcing a failure. [ 1070.516480] name failslab, interval 1, probability 0, space 0, times 0 [ 1070.527800] CPU: 1 PID: 29437 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1070.534738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1070.544103] Call Trace: [ 1070.546713] dump_stack+0x1b9/0x294 [ 1070.550358] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1070.555562] ? is_bpf_text_address+0xd7/0x170 [ 1070.560071] ? kernel_text_address+0x79/0xf0 [ 1070.564495] ? __unwind_start+0x166/0x330 [ 1070.568568] binder: 29434:29436 BC_FREE_BUFFER u0000000000000000 no match [ 1070.568656] should_fail.cold.4+0xa/0x1a [ 1070.568673] ? __save_stack_trace+0x7e/0xd0 [ 1070.568692] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1070.583656] binder: 29434:29436 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1070.584000] ? graph_lock+0x170/0x170 [ 1070.584020] ? save_stack+0x43/0xd0 [ 1070.584038] ? kasan_kmalloc+0xc4/0xe0 [ 1070.595016] binder: 29434:29436 BC_FREE_BUFFER u0000000000000000 no match [ 1070.596077] ? kasan_slab_alloc+0x12/0x20 [ 1070.596102] ? find_held_lock+0x36/0x1c0 [ 1070.596125] ? __lock_is_held+0xb5/0x140 [ 1070.596153] ? check_same_owner+0x320/0x320 05:01:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x2, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1070.596173] ? rcu_note_context_switch+0x710/0x710 [ 1070.635841] __should_failslab+0x124/0x180 [ 1070.640093] should_failslab+0x9/0x14 [ 1070.643908] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1070.649037] __kmalloc_node_track_caller+0x33/0x70 [ 1070.653982] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1070.658750] __alloc_skb+0x14d/0x780 [ 1070.662481] ? skb_scrub_packet+0x580/0x580 [ 1070.666817] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1070.668448] binder: 29448:29449 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1070.672364] ? ip_generic_getfrag+0x11c/0x2d0 [ 1070.672384] ? ip_reply_glue_bits+0xc0/0xc0 [ 1070.672410] ? raw_getfrag+0x15b/0x220 [ 1070.672426] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1070.672444] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1070.672464] ? raw_destroy+0x30/0x30 [ 1070.691589] binder: 29448:29449 BC_FREE_BUFFER u0000000000000000 no match [ 1070.692065] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1070.692089] ? ipv4_mtu+0x375/0x580 [ 1070.722131] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1070.727603] ? lock_acquire+0x1dc/0x520 [ 1070.731582] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1070.737110] ? ip_setup_cork+0x4dc/0x7c0 [ 1070.743755] ip_append_data.part.48+0xf3/0x180 [ 1070.748333] ? raw_destroy+0x30/0x30 [ 1070.752037] ip_append_data+0x6d/0x90 [ 1070.755828] ? raw_destroy+0x30/0x30 [ 1070.759533] raw_sendmsg+0x1dae/0x29b0 [ 1070.763420] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1070.768516] ? rcu_report_qs_rnp+0x790/0x790 [ 1070.772918] ? graph_lock+0x170/0x170 [ 1070.776713] ? expand_files.part.8+0x9a0/0x9a0 [ 1070.781282] ? check_same_owner+0x320/0x320 [ 1070.785602] ? lock_downgrade+0x8e0/0x8e0 [ 1070.789754] ? lock_release+0xa10/0xa10 [ 1070.793729] ? check_same_owner+0x320/0x320 [ 1070.798041] ? __check_object_size+0x95/0x5d9 [ 1070.802526] inet_sendmsg+0x19f/0x690 [ 1070.806315] ? __might_sleep+0x95/0x190 [ 1070.810281] ? ipip_gro_receive+0x100/0x100 [ 1070.814607] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1070.820133] ? security_socket_sendmsg+0x94/0xc0 [ 1070.824876] ? ipip_gro_receive+0x100/0x100 [ 1070.829204] sock_sendmsg+0xd5/0x120 [ 1070.832908] __sys_sendto+0x3d7/0x670 [ 1070.836698] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1070.841360] ? wait_for_completion+0x870/0x870 [ 1070.845931] ? __lock_is_held+0xb5/0x140 [ 1070.849987] ? __sb_end_write+0xac/0xe0 [ 1070.853954] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1070.859478] ? fput+0x130/0x1a0 [ 1070.862745] ? ksys_write+0x1a6/0x250 [ 1070.866535] ? __ia32_sys_read+0xb0/0xb0 [ 1070.870583] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1070.876110] __x64_sys_sendto+0xe1/0x1a0 [ 1070.880159] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1070.885165] do_syscall_64+0x1b1/0x800 [ 1070.889058] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1070.893981] ? syscall_return_slowpath+0x30f/0x5c0 [ 1070.898917] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1070.904272] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1070.909105] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1070.914285] RIP: 0033:0x4559f9 [ 1070.917462] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1070.936727] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1070.944425] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1070.951701] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1070.958957] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1070.966227] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1070.973483] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000028 05:01:14 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000240)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x10000000000000cb) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) syz_open_dev$dspn(&(0x7f0000000280)='/dev/dsp#\x00', 0x9, 0x4000) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000000b40)={'team0\x00', 0x0}) setsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000000b80)={r3, @loopback=0x7f000001, @loopback=0x7f000001}, 0xc) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000a00)={{0x2, 0x0, @multicast1=0xe0000001}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) setsockopt$ARPT_SO_SET_REPLACE(r1, 0x0, 0x60, &(0x7f0000000400)={'filter\x00', 0x7, 0x4, 0x4b0, 0x0, 0x298, 0x298, 0x3c8, 0x3c8, 0x3c8, 0x4, &(0x7f0000000040), {[{{@uncond, 0xf0, 0x138}, @unspec=@IDLETIMER={0x48, 'IDLETIMER\x00', 0x0, {0x2, 'syz1\x00'}}}, {{@uncond, 0xf0, 0x160}, @unspec=@NFLOG={0x70, 'NFLOG\x00', 0x0, {0x75, 0x1ff, 0x2, 0x0, 0x0, "c9495bc86cdaa3b309c1ff7327e912e95091642e3a3ec89ac39a9e625c7975542ec23e24345426398bbc8133e5cb0f70f18373819958c4e6a185d9d790eecfa8"}}}, {{@arp={@empty, @multicast1=0xe0000001, 0xffffff00, 0xff000000, @empty, {[0x0, 0x0, 0x0, 0x0, 0xff, 0xff]}, @mac=@dev={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x21}, {}, 0x0, 0x5, 0x2, 0x10000, 0x624f2c88, 0xfffffffffffffff7, 'syzkaller0\x00', '\x00', {0xff}, {0xff}, 0x0, 0x2}, 0xf0, 0x130}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz0\x00', 0x2, 0x80000000, 0xfffffffffffffc01}}}], {{[], 0xc0, 0xe8}, {0x28, '\x00', 0x0, 0xfffffffffffffffe}}}}, 0x500) getsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000000900)={{{@in6, @in6=@mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in=@rand_addr}}, &(0x7f0000000140)=0xe8) setsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000001c0)={r5, @empty, @broadcast=0xffffffff}, 0xc) ioctl$sock_inet6_SIOCSIFDSTADDR(r4, 0x8918, &(0x7f0000000180)={@ipv4={[], [0xff, 0xff], @remote={0xac, 0x14, 0x14, 0xbb}}, 0x6, r5}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:14 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") syz_mount_image$ext4(&(0x7f0000000300)='ext3\x00', &(0x7f0000000340)='./file0\x00', 0x0, 0x0, &(0x7f00000004c0), 0x0, &(0x7f0000000540)=ANY=[@ANYBLOB]) userfaultfd(0x0) 05:01:14 executing program 4: sysfs$2(0x2, 0x2, &(0x7f0000000480)=""/144) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x8a01, 0x0) [ 1071.030416] binder: 29448:29449 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1071.065953] binder: 29448:29449 BC_FREE_BUFFER u0000000000000000 no match 05:01:14 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6c00000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1071.158963] binder: 29467:29468 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1071.171651] binder: 29467:29468 BC_FREE_BUFFER u0000000000000000 no match [ 1071.190106] binder: 29467:29468 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:14 executing program 4: r0 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000040)=0x0) rmdir(&(0x7f0000000100)='./file0\x00') capget(&(0x7f0000000300)={0x20071026, r1}, &(0x7f0000000340)={0x4, 0x9, 0x3ff, 0x2, 0x1, 0x100000001}) r2 = getpgrp(r1) capget(&(0x7f0000000a00)={0x20080522, r2}, &(0x7f0000000000)={0x40000000}) bind$vsock_stream(r0, &(0x7f00000000c0)={0x28, 0x0, 0x2710, @my=0x0}, 0x10) r3 = openat$vcs(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/vcs\x00', 0x101000, 0x0) getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffff9c, 0x84, 0x18, &(0x7f0000000200)={0x0, 0x8}, &(0x7f0000000240)=0x8) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r3, 0x84, 0x13, &(0x7f0000000280)={r4, 0x6}, &(0x7f00000002c0)=0x8) [ 1071.202856] binder: 29467:29468 BC_FREE_BUFFER u0000000000000000 no match [ 1071.521597] EXT4-fs (loop5): VFS: Can't find ext4 filesystem [ 1071.552785] EXT4-fs (loop5): VFS: Can't find ext4 filesystem [ 1071.872342] ALSA: seq fatal error: cannot create timer (-22) 05:01:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x7a00000000000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:15 executing program 4: r0 = syz_open_dev$loop(&(0x7f0000ca9ff5)='/dev/loop#\x00', 0x0, 0x105082) r1 = syz_open_dev$loop(&(0x7f0000000100)='/dev/loop#\x00', 0x8000400000000c9, 0x0) r2 = syz_open_procfs(0x0, &(0x7f0000000280)='timers\x00') recvmmsg(r2, &(0x7f0000003d00)=[{{&(0x7f0000000000)=@vsock={0x0, 0x0, 0x0, @reserved}, 0x80, &(0x7f00000000c0)=[{&(0x7f00000001c0)=""/147, 0x93}, {&(0x7f00000002c0)=""/145, 0x91}, {&(0x7f0000000080)}, {&(0x7f0000000380)=""/152, 0x98}], 0x4, &(0x7f0000000440)=""/37, 0x25, 0x5}, 0x101}, {{0x0, 0x0, &(0x7f0000002740)=[{&(0x7f0000000480)=""/251, 0xfb}, {&(0x7f0000000580)=""/164, 0xa4}, {&(0x7f0000000640)=""/4096, 0x1000}, {&(0x7f0000001640)=""/116, 0x74}, {&(0x7f00000016c0)=""/4096, 0x1000}, {&(0x7f00000026c0)=""/112, 0x70}], 0x6, &(0x7f00000027c0)=""/175, 0xaf, 0x6}, 0x4}, {{&(0x7f0000002880)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote}, 0x80, &(0x7f0000002b40)=[{&(0x7f0000002900)=""/215, 0xd7}, {&(0x7f0000002a00)=""/96, 0x60}, {&(0x7f0000002a80)=""/189, 0xbd}], 0x3, &(0x7f0000002b80)=""/16, 0x10, 0x6}, 0x80000000}, {{&(0x7f0000002bc0)=@pppol2tpin6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000002cc0)=[{&(0x7f0000002c40)=""/112, 0x70}], 0x1, &(0x7f0000002d00)=""/104, 0x68, 0xff}, 0x797}, {{&(0x7f0000002d80)=@in={0x0, 0x0, @local}, 0x80, &(0x7f00000032c0)=[{&(0x7f0000002e00)=""/44, 0x2c}, {&(0x7f0000002e40)=""/7, 0x7}, {&(0x7f0000002e80)=""/102, 0x66}, {&(0x7f0000002f00)=""/89, 0x59}, {&(0x7f0000002f80)=""/19, 0x13}, {&(0x7f0000002fc0)=""/168, 0xa8}, {&(0x7f0000003080)=""/162, 0xa2}, {&(0x7f0000003140)=""/98, 0x62}, {&(0x7f00000031c0)=""/213, 0xd5}], 0x9, &(0x7f0000003380)=""/186, 0xba, 0x80}, 0x178}, {{0x0, 0x0, &(0x7f0000003680)=[{&(0x7f0000003440)=""/184, 0xb8}, {&(0x7f0000003500)=""/104, 0x68}, {&(0x7f0000003580)=""/201, 0xc9}], 0x3, &(0x7f00000036c0)=""/137, 0x89, 0xc}, 0x8001}, {{0x0, 0x0, &(0x7f0000003900)=[{&(0x7f0000003780)=""/137, 0x89}, {&(0x7f0000003840)=""/142, 0x8e}], 0x2, &(0x7f0000003940)=""/214, 0xd6, 0xfffffffffffffff9}, 0x7ff}, {{&(0x7f0000003a40)=@nfc_llcp, 0x80, &(0x7f0000003ac0), 0x0, &(0x7f0000003b00)=""/180, 0xb4, 0xfffffffffffffffd}, 0x8}, {{&(0x7f0000003bc0)=@xdp, 0x80, &(0x7f0000003c80)=[{&(0x7f0000003c40)=""/14, 0xe}], 0x1, &(0x7f0000003cc0)=""/42, 0x2a, 0x5}, 0x6}], 0x9, 0x20, &(0x7f0000003f40)={0x77359400}) ioctl$LOOP_SET_FD(r0, 0x4c00, r2) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$LOOP_SET_FD(r1, 0x4c00, r0) 05:01:15 executing program 7: r0 = socket$inet(0x10, 0x3, 0xc) socketpair(0x5, 0x6, 0x65a, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) connect$bt_sco(r1, &(0x7f0000000040)={0x1f, {0x5, 0x80, 0x3fe0000000, 0x1, 0x6, 0x8}}, 0x8) sendmsg(r0, &(0x7f0000011fc8)={0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000001640)="24000000100007031dfffd946fa2830020200a0009000300001c85680c1ba3a20400ff7e28000000060affffba16a0aa1c0009b356da5a80d18bec4c8546c8243929db2406b20cd37ed01cc0", 0x4c}], 0x1}, 0x0) 05:01:15 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x400000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:15 executing program 1 (fault-call:4 fault-nth:41): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:15 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x60000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:15 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0xffffffffffffff4c}], 0x1ca) setsockopt$inet_mreqsrc(r0, 0x0, 0x27, &(0x7f0000000040)={@rand_addr=0x80, @multicast2=0xe0000002, @multicast1=0xe0000001}, 0xc) r1 = socket$inet_tcp(0x2, 0x1, 0x0) syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r0, 0x84, 0xf, &(0x7f0000000240)={0x0, @in={{0x2, 0x4e20, @remote={0xac, 0x14, 0x14, 0xbb}}}, 0x4, 0x5, 0x4, 0x1, 0xffffffffffffffe0}, &(0x7f0000000400)=0x98) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(r0, 0x84, 0xf, &(0x7f0000000440)={r2, @in={{0x2, 0x4e20, @broadcast=0xffffffff}}, 0x7, 0x8001, 0xf8, 0x3f, 0x7}, &(0x7f0000000500)=0x98) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={"f179db6b616c6c650172a7b500b700", 0x2001}) ioctl$TCSETS(r0, 0x5402, &(0x7f00000001c0)={0x7ff, 0x2, 0x3, 0x9, 0x7, 0x9c99, 0x0, 0x1f, 0x0, 0x9, 0x7a6, 0xeb3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) setsockopt$inet6_tcp_TCP_ULP(r3, 0x6, 0x1f, &(0x7f0000000140)='tls\x00', 0x4) 05:01:15 executing program 5: r0 = socket$inet6(0xa, 0x3, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = add_key$keyring(&(0x7f0000000400)='keyring\x00', &(0x7f0000000440)={0x73, 0x79, 0x7a}, 0x0, 0x0, 0xfffffffffffffffc) r2 = shmget(0x0, 0x2000, 0x140, &(0x7f0000ffe000/0x2000)=nil) shmctl$SHM_INFO(r2, 0xe, &(0x7f0000000000)=""/219) add_key(&(0x7f0000000240)='dns_resolver\x00', &(0x7f00000003c0)={0x73, 0x79, 0x7a}, &(0x7f0000000840)="277ae62a36421cffaba153a3cb2ad384c9668c3280d4646f8ad44c2aed71f3de8018dda5098e1485fe175392422b368b81fd6c099baba2a2be137707d2f5c6500520b2176fe4dc6666239ffc04ec22b291235ac5da0caa6699862e2076b7289348b465c70b15f34bfd3c9678a25c1d3820642fadb1f2b114e3342be0071ae331f520199c5fb317add4ca23910ad445be0287d50bb9a03de1a049271cd1ce6a16367d06ddd537f8d6731b78dfdfca0e6de1a087272583473ef87971be7f0dad6dfd9d5223979ed859178e92cfb1a3e8fe9ff25023b029c5cefbc3e28d4b6fca0393006460337e401e4a74449263060769d54c55d31f351fc8cfce14a22bc6a35e29458c22d7c5808b7bbe03c8b37f5b2718eb0d39aa402eee5dae6b67a70453804afe2fd06222000c5b99d53fe97c44f066cdfe920c5c6a1a3c3b0424335e5987dea4b223836cd75532ef0f271bf50543472368cd8ddc555f30cc6b8626945e5488b8e7780b062594c1b840d9947270a1891dbfb8721bb0aaa284f0aa5c0839a73c835e00595e3401d2096ecfaa9804ed19b26c33413a22119d465241c0e399285323d2c1d44af58c77d503bf2333e72bf510269cc6bcb88cc02c038eed08c735fdffab73c8f51183e3b8c35ffb802b1321dddd57a0276c7b681f6a5b65a749a189657f2f32d0cfac876da5da0e4b41eb89d2895f33329d701c6b598c2d44787b945e86d8b07f82fb949b738d2168379b7349627840a77f9073bdc5de11a887f8bbdf6b52376dc4d2c7d5539b04ff0a525b463c2c7648c4223fcd62e4dfd853235bdd63fb909f21c885219a94a0fff188eecf3d549209cfb50403af5b7ed81d7f2a7259abe98d88f6b3d3979659ab5ec5e0ba39bbdc7b91fae1eba6b1cc72f2897e2f264eccf819c7fe34c71be1e88a3613461f0aa2fb1d4778dadc6496fa9e241dcbcadb171da089343c43572ee3962a4baee9adce7fb08e12a6f679774cc630df5ad732b1ba07b6c957a5a5ea0a40e8992cac5d657a0af4b70e98ca7adfb621333a7a3c0bb8d441458cb0742faa654b295f7038d06fb26ff6af8977a97962776990af5e972b09118c944b39563bb15a1c1c85ac5c16bd7b74055af29bced53138c66cfa171900971f068d7782faa726eb0c031b7cfd3cc096aa629e0bce029e52bfa66faab7660f96845fc6eae642296fb1b08231af68f0979ac4c55a445d1bce7af2151a13944b7407cc63dadaff356b37ac04eb177be5a41f3b3e9bad2ba9c3108b9cdedd87ed94b62a8f2e116358567dc133aa371356030358fa793a6f68dbc669a37779504f9499f4550557c012165bd808c9fdb84de5a05102ce6b763bbefaf18fd0745c51704e175c8dfcd021da7dd9bfbb669d9af9d1a23f31ccbdb16a4718ce58d9814918ae9e8e0536f2cee0c6060e12ac02d751b59f821448589d4102871eee6b9293ec0eacb11f584db8d1fbd31877a1735e467ccc3447bcac9b41ef00", 0x423, r1) [ 1072.041754] ALSA: seq fatal error: cannot create timer (-22) [ 1072.088650] binder: 29490:29496 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1072.128563] binder: 29490:29496 BC_FREE_BUFFER u0000000000000000 no match 05:01:15 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf5ffffff00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1072.137869] netlink: 20 bytes leftover after parsing attributes in process `syz-executor7'. 05:01:15 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x1, 0x400200) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1072.175249] Option ' Ÿüì"²‘#ZÅÚ ªf™†. v·(“H´eÇ óKý<–x¢\8 d/­±ò±ã4+àã1õ œ_³­ÔÊ#‘ [ 1072.175249] ÔE¾‡Õ ¹ =á I'ÑÎj6}ÝÕ7øÖsxßßÊmá ‡'%ƒG>øyq¾ ­mýR#—žØYŽ’ϱ£èþŸòP#°)ÅÎûÃâKo [ 1072.268289] binder: 29490:29496 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1072.280176] binder: 29490:29496 BC_FREE_BUFFER u0000000000000000 no match 05:01:15 executing program 4: openat$md(0xffffffffffffff9c, &(0x7f0000000000)='/dev/md0\x00', 0x2000, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f00000000c0)={0x26, 'aead\x00', 0x0, 0x0, 'aegis256-aesni\x00'}, 0x58) close(r0) 05:01:15 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x48000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:15 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:15 executing program 7: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000180)='/dev/qat_adf_ctl\x00', 0x101000, 0x0) ioctl$FICLONERANGE(r0, 0x4020940d, &(0x7f0000000200)={r0, 0x0, 0x20, 0x0, 0xa4}) setsockopt$inet_mtu(r0, 0x0, 0xa, &(0x7f00000001c0)=0x1, 0x4) mount(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='proc\x00', 0x0, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000240)='/dev/snd/pcmC#D#c\x00', 0x6, 0x40080) rename(&(0x7f0000000040)='./file0/bus\x00', &(0x7f0000000080)='./file0/bus\x00') [ 1072.406961] binder: 29531:29533 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:15 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1e00}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1072.453907] binder: 29531:29533 BC_FREE_BUFFER u0000000000000000 no match [ 1072.479485] binder: 29531:29533 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:15 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000000400)={{{@in=@dev, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast2}, 0x0, @in6=@mcast1}}, &(0x7f0000000140)=0xe8) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f00000001c0)={0x0}, &(0x7f0000000240)=0xc) setsockopt$netrom_NETROM_T2(r0, 0x103, 0x2, &(0x7f0000000b40)=0x6287, 0x4) r6 = getuid() lstat(&(0x7f0000000280)='./file0\x00', &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0}) r8 = getpgrp(0x0) dup3(r2, r0, 0x80000) lstat(&(0x7f0000000b80)='./file0\x00', &(0x7f0000000bc0)) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f00000002c0)={0x0, 0x0}, &(0x7f0000000580)=0xc) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000005c0)={{{@in6=@local, @in=@rand_addr, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in=@dev}}, &(0x7f00000006c0)=0xe8) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000740)={0x0}, &(0x7f0000000780)=0xc) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f00000046c0)={{{@in6=@loopback, @in=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in=@multicast1}}, &(0x7f00000008c0)=0xe8) kcmp(r11, r11, 0x5, r1, r2) r13 = getgid() fcntl$getownex(r1, 0x10, &(0x7f0000000900)={0x0, 0x0}) fstat(r2, &(0x7f0000000940)={0x0, 0x0, 0x0, 0x0, 0x0}) fstat(r2, &(0x7f00000009c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$netlink(r0, &(0x7f0000000b00)={&(0x7f0000000040)=@proc={0x10, 0x0, 0x25dfdbfd, 0x80180}, 0xc, &(0x7f0000000700)=[{&(0x7f0000001d80)=ANY=[@ANYBLOB="042900001e00cc362abd7000fcdbdf25a0127d00a66b50a90ab46e9f31d0aa927732f76506ceaa27a3ea8638924e01a5245bd16ad7dc028869d859ece9184fcaa97250df88fc7f4bc641389a70148d2c9e8f32f770da1cb4a2919971e517923a43bf11372c0ed146c74a15875d3a49cdcb7613aae93707ba662a11156c60383b6d59fb62ad8440878949bccdc9549961a030810cc77335ef02b28192fd0fd79e118e234dae4247e94f500b4fa4d8d09c092687593724a1b388fc76c3cd4f41d443a47b048cb1a856fbdc385c69950355a271151d07443c134259ab572356f7fc609e2c0c259c0561c279d442328778c179c5ff15ac2a10051264afdd74549cba4b59901d0436d44b158a29ff7d8f1803331570d30be6ffec925cab2a574dcb057684d9734bf936dcd4fbcebf2053ce239e2c9b5031165c3608683dce1cb0e5af4fa68193623aaea2b1ad000e7afd080009000300000008009300000000000245bdc4e92f058dc412ed374e861c72de2e27d10cc6f8d0565bc467d0cba2bf43e6b0afdb131cd3a4ba101971c4ae8bb341aa0784ca8faa81dc2cdf012e1108484cfc7ca9e66a721ed9748252b615b18558fd0e4dac0702d4359d55026ef40ee884f1cd520d7b47cf6abbfa947c1f648e76e86d047bdede7cad0d678ab9cdad03e98303a2532e844dafd8155b5c54d9651ad72ff274959ed1196df583ca0a654c5a3e9bc5c16654ac6e94ddba04b473bb1cec1b03fed109cf38fb6679c8b1676329f201cf9ea7c7579fd1f2b9120927fbdf2b01806da17d3cb27f390d3d03997964b282dc716a5f074f24698e84005fa45989f2bd0c19ff9b24b89810b23c97f42f7c25b527ad3e2cb8759299e4224f20674b8b6f10d3f013fda43b38f3aa7844490504d49430d0294244ddb69b75150f236ead2f26da5d0c3e2b24a69e633dbdaab28423396d2144f2c144713b71d11a7f790b4defadb587a537afcc20828cc53041351508133214e9a1fd8d3ddc4e094a32760eda97c503aa747ec85ed1b8c62fa76979cbef13cd7f608ff988c8a44c1577a6505195756e9dffe465003525756f405e892a9837525916e4b8511a4c398fffb99f51720faba84bcd3a249ab8c85d8e01380b420e1d1192a6bd9d1fa964c3c71f0ef43bac291a19a634eb9981e875a42b162d98b2824f162f1781929f54c4be42a0e1a73fab1dd94d680b141862d86ffac5c8f218ec2e8163c367ff079c6bb456990020e31a00b44452b938f072be94e7dba12730261c66e20a55a3902893f0879737cedf72daef45eb31983572bb74cdd77237853cdc6aa32284051b12780f2f27acf7866506e113ee8e647316d744623a537c71c774dc8635e89360bbec014dfc0dd8698dd95172c930fd2034b9fa0e892aae3c7f14c3e54276e985f970372b34097670effa5e62bd0a9010f14891208dbbc3b34fe220529b7bb2ba7d737d8e0b902c6c6cefaf1853ac5f02d02b5c51c71b98417a66a3df4a5989292eb1ca937d16eabfbc2a781d5f8a4a2292e7c76a723c79885c0130740389c5ff9cbfa4979faccc69ccf0449afa22e6defa93608403073654ae40fb94521d7ecf354ef372f897d2c251e795fb2c74ce63318f6c83f540c87783ecf26d565be134cf9ebf15547d1e63e2a65573200def1df4da15ccf80296d62e96447ec9ec903d8efcad31daf071d3aaf4757b555f1cfa4b8f9ec557d4ea233edb987af811dd84db6262b3730e438f6f6cb01579df61d7aac0f0d6e22cde01acd2b6070d3e460d43a26729346488ba7bab396a84a5b4a730abf55a64a12aba63b03ecf9e2fdcaa8f6a53df103a714a598691ec731d0777eabea992961fc241550dec3c562ffa684d03a16a2c5fe09ceceee56b3d1c114f59d61b435f6c29b73e1cb972a5272f97370a8e18bb08b2e7255ce5957438ae3b6edd1e2ec138e31ec3e2d5fceb146e1f6df94cffd57516e1fdf90e35b8ecd5472cc4502c7e3aa5efd3e48d52984b1e3327f8ae7b7830edf1929c922759f0ddcaa974c9d542ec2fa1b2f9d56df4b2ad44e1b31cb6ada04142f408e4ad89de05f315fef673facd095e022b5838e25566b865ffe538c677b80523f21fea343101504270493e559a3e69abd54fba6b1d6f896b9a48880db10b50dc9c17a239a673b8c9b7703e9c6ce9c496e54e5cee8ac1c71f40db1c075b2790c145c42d5e02a2f282d4cc8e328cac38be360cc6d5077ec263ec0ca5a06f89501aa67fb56d544f2f2247112b95da9b60b1b0d428e226a10bbf90024f4cd5dd19b29c7f777d363721dfc92b1bd37ebb01c945af811026f32cafeb6b29bfeea44f0d72fb28a84a173f4aca4b141b6eb79148a0d8598f421504f9f657cd4268fa611a4c01eddde36eb11aee6320b7f1b849f3c21095b01fef79894e0c69810f55fb91f793cf8fda91a8d7423720bde4f5ef82ef9d36ca08ad3b420971ee0acd8f5b45972684adb1b89748d283da788eef3bf1166076461665d1ee01869ebb73fd210f01486fc75a3b64638067418aa4873ae7211ae18ecae402b477e94a2f0e3f93b90c61a3bb0a840d56be0532f1f27f666b5ac0bd3e3b867e55e5883f9c751c1ba56e4b86a636de288353c2eed17e713522d1ae8df4b36193d28971468f1e94160ceb1a58ce97cdd2b7b5eb66f0779040c9f16c1da659e0c78b32a83b5644c915875b31229e189ddeea587e0249812ffa5cfaae5158a3b36542ec357773fc0aa47f2d0c1575a1916eda143ab63a6c1f387dd4bea6140d7aa6bba9061e2869d8dea5d95784ce5f5a5d56a87ccda2642d18dd67f37ee4fdfaffa124420c95d4c5f2e891255622a050daff9236ef29afbd623fd3e9becfcbe4df90f64dfb0a658081d7843eb96623e00f46b8d6c88aeb14b01ae56f3c22759f1d177f3715e2cbe67b43cbcfa4bf94befa01aaeae417396c41bf114443f822c3ea0c3cf6cbaaa9f7a3588b44f4ef408cc8ee9f23dddadbdfc8f0f429b6a415bf49c3ccdccf9fddcf4dd13a74e834686b2a4b43c80eb279e32bfc5a4709e28f5eed1293d2f2c2180851868e1fca1f494c639b58c0dbc8027d874b9422072a1cda00caf7fd1f71d2d24aa1dcb01ca6a8d3d6ac5417cb510f5dbc545356ef3c17ad51ffdc63878c1785d2d4fc4c3bdc4c2e596fe7c4da9de46aa224545a67abc28b0949c2d23bbc47b33b8ad88f9cc9fb3d45c9ed385d7b4d650e93c1eab49838a449d1566079572310d7ae40c0c7a13e7cffcdf31705ecc3af7343e71aefd8569c695d522258d8dfe6a6a8adb4fe17b31d765f4ea0f4f9d7bb696be1019aad6dcf00037299f4b1a794b2d8e696f1f5b1b90cbc8f166f5999e4e8b9b9028a0b55117aca753ddf50d8fcefca3864f011df7922ca2b0d66732717b66fec1b02b3186b1fa1358df71cf20d9c375efe0314679cb4ab17c5c3e4417e73ab464c5d06a6c7a14824985d50e41e23f6961ac83d09455e548de5cf9de207f51c4f6aa4cf073ba55f1e9ba7e9e62669a76eab248609e96406ea4354ff1d584fc3411af295bd13ba8c18231b1f66f9f2fe5677f88048a07662c8c41bbdec411036392ae8407c608032ff64ac5986f1e43ca0d760552aa77f5e0c0d9ae5775b8eac6de7d4d51ce438a8d412406ec5a2544d9b6ce84e33b4f312da20c4bc05f8c30d9b2c99fc12b2bf9aa15b35c8bfcaa3fa9037233afd48ce933a61c2a36e09d385c2a466bcda9049020a8b21d4d91abc6cf77269aeeb645732a13ec7ca658817d439758666b0fc91a20240ef325aa35b813e90da9671126cca8c19a5308933ccae7ba2f725d852a9f0a2e2706ddbe5d7fff03b3b9e926fb6416b0172392fac0e181f4dbedefc53082b305c85ac6c30d92f90389e0d3a3286e8282c4d20cc1123c3ef788eb3e4f6fbf8d9dd066c076fdedee20b393be120af134cf3eb1e9dee4486205da1155b496b6d5fe736ed9036e2ede655d09013520dd44acab6bbb6424637928f1377037ba65bc1949ab16b4a308bf8a8c4200375541f6dafaf25d967c6a9a70317aada3dfdb6e416dc0b7041829c9d37f59539587cacd3fed6832ece5e65e545d05bde471924f3b3b9e6b446b814458a46a439da5e3d1a0f77e5844d5ea486e74bbf4a55c2aa55f916a7b10c31c589388d3984275bdf42f63ac7edc30e3c82d83d48667216de6380ca4cc53b0cb2446c97a8dee40f3907113b0952c49e90027b4691af0c392b7e4b524a361f77477c105f9d581f1d343897d0acc423a0c54a93ebb6785ad4bb761f49402d694881c2f28cf65099a212be9dc148ea7b1b252b4011df038368d3abaa44d03cc1e4dba1e89aaa5ab99ef8532e8419f5855332578b24d8ccb9b22b70f1b49ce120eab5e3b7161c616782909f1693b70abb0e72a5eb3d8234be016c4289cf161fcc661d21a083604b509fc57bffd4c84c8177bcc7857872f6b98a7b117f585c75120afe3c459bfa025ea526328d98314242f225fb1a5f62897183334f5a7e3d87d89af9116f357e733e679dca19b61b9f7519ccf122359fec43c2fc3a78bff99291be9e74a6133b90340550402623385698c0ce57ab29723928e619c429e615240f3196036b2931f5073fda694616b8d34df3b0bd0276109ae9c2207428c92b4f1fa5de56252a5dc9e42460d51c50d273fa18c423b9176448fa8a45f52e0a9d2dc27a0b6167dea34fb9c4d4d51ee3747c4bd903295fc797fd63e4ce55d9dbf149cfb4e46af6985f0b53a1da58bd1280ae04e4d92d726bfa135d5f5b6da5839a26e899f07ddf271fa3e4d14e602ea76c046353867bc2b5dea9b6befeacb1ed64ff2f6f5d1198168bc4038ed445c73b0f9ebb4a9d8d4fbd9e75a9b967bacc3f047b73ceebcebf3b62d8dd91f0e3ff7f58a54e8241fd291a10bb71f44bb4a624275d2212b604e7b76ef768ef96fb11fcedc7f0f6a3e44402f282aa59f903fa0cd87f0eac06599e4f624c986601293c0e6a6383b3b77d4e2a7487b8b194d37fedc8c404127ce94a3cfa38f5c80416aef0b7ef5e5c28b7946d90cfdfc388e19f68150d80ad5d31ba62f6485833915731375d61cb527c87a7f88eb088e5432028681993f493551389fd1fb61b971d662686a015e994ff7856ac11badf0f18faa1fe40eaf785a6cbb968bb94b6701df92fed6d16410ec4318fbf2aa20cb87df9a4fee32ee93ff46f156d0f9847af122d31cae3ea5262c7e93671e345762ffec5f9641c2f88702d54a36c1e06f83a587e4e8449bf89e573d60b416f21da4ad379b2169e250b6ca3e2808965605b366f4b886e71a8d4dfd93c7c59ae2881e30016536d7100d2ee32e87f3e055028d18b869c2b4e1a7134a820b800d8d4cfcbb65ba8799643fd7dc427b3cd9db3ee567bae8a9b8d3dddd1049f1ee9283dfaf2037dd6a88248adfdd0cecbcffec5d52f03ae05d8bfaece4f04085a2d9b1e2f72f8ba3d465c6c936255e8b1d9ee96f0634f8937e03c6786a450588a999708783b0c462f51d6c0bac8eb25a3b375f5df40e4344b73723a02bba860e21db1b61efc654c04cc1a30914d6f2b10330ee467e08d9bdd187b2f07ec695436ad6a737d1604eb092314b29f37ccbd81967c36e65187bcd87a132113619d9fbf9e807b6653a7fd01e8ab32587a6252fd2be554f228aa01211f1a027991e766975e331c1f5ae32138ed6da11832f17253081eb1b75629c851620c2d4a6f7c82a51eb4ae0a908b58c6a0a7c2e85d02675b1bd9b665c0aeb5db011fe4c63f7aed41c3890ea73a0a22d2b1f8b04f94d5eb578de1902d90ee1479c36f723f50e115d1bd52a91ece33fdbbdd57ce5bd5a8a257bd7a3385309b35c8a8aadf204ae0a4122660a7478437cf77ffa44079038d9a9485d18dd17d52ba36e640341ce2807f93338355b86721849c6181f2e85fec63c2d86509eaaf539683612ee6820dd417249ee396c9aa01b504f6ab6fc25d00f2525564860a9a7c2a71a938fd479eaf236a93505c46fe4b29ba18650aa6b92d56087b3236eb844dd7eb6ffeec401dabf21228cdf10c6f224eff054d04426d01fdd3a7f77acb318815eb1cd7c003df1b27e3364d94e1b61c232d6e92949d78c420eec424ace8620ed9dc0f6030a75c340ea9cb3cb300393a60cc7a272a516921fa77a724e44517859291445acd8f29d1524505b563742ea64182ebc3426171396154d60e7a7aa955d0290af8c90203f560a3309249ff3b8c44af5feba75ce4719371b0d94ffdc332c16a043c81117ea2ac84bcc2cc80d5fb2862b92fed31edb04b4e91f85885bc5c0f5041ec6747915ef7947ce36a90dde0cec148d8f686f01234d4fa19333895405e321312b58a8bea5dddc217e1ac7c4769f2c633c352d6e088309c2a33969c2c5367c54f190f74ba32503251d051a4059f8f3ab049bc25200c34d29914002800ff0100000000000000000000000000011c9138ffce76f7cf9c9cbe5f6d34e66973f49e408fa5f63b1784be6e408a0090600fc28741b9aa0aaf31398f1f2fdcaa3a5b80e77da0bc38cfb959aac3433e2938be7fffe572ff809b245b63b76db99ef6f8a48e180eb1ddf3df7f0885180a05011b71d0cce027056b517b7de6f70aadf16846ce43b1e7d7d2b357fbbf808907e6057263b48b16e769fa39664df05c6ee975ecd22c6e3e13028209a13a1626b9bad104b52a6a25e98fbf040b917cc51818333987bfee0c287d08ac51b97c5931e8aa373981d735a1ad49105d782f5b1410000c0073797a6b616c6c657230000000040091003001600008004500", @ANYRES32=r4, @ANYBLOB="fd1614a7f207300fbbb33331922d0d034a365f249220fff1a52c0f4d684b7ec17482d656fcc15907802b9efef83a60cdebc00ebd35a26050258f74c63f23da56bfe8521aa87e5ba8f89823d5c123663723b68676fde2a3a4b56e7b19dfde2ad101733d5b13151cb830e630440ebde26df814004900fe8000000000000000000000000000aa08006500", @ANYRES32=r2, @ANYBLOB="0c0016006e65742f617270005658171cb5c07b89e4dbfc7e4a33ef965491b8515cc892242f1cd37ebceeb885a0b6408cf252af74bb9355d84e3206d229f804563d34d1c2aaae73859301e87fb2bafeaee50b2c076e60282ff9443ae06e40ff6a16c434819533fa9495b88090deb1ef120ce54f5445fe0a677c2affeaec0c002100000000000000000008007100000000", @ANYRES32=r5, @ANYBLOB="0000000c005c0008004f000700000008000300", @ANYRES32=r0, @ANYBLOB="e0028c000c000900ff010000000000000c003000090000000000000004006c0008001600000000001ebf1e2ed0cc19762f3f30c4500c9512b65c836014fb55fa79bec66bd356f45fde3026bbc297fab4a8dca632d96cc6b0d68e5f3ea9b9a296d6d617f3a63114ea770629be279165b66400d17bbfd2879853c38667eecb2907fe31e9c175079ca22396d973b97fe9c05672944ab8eefe50cc5c3458189e4f4cf36fa15c779c4109390d37e3d7bd441fd12c7a9fb7b18c87771a479b0e084e33522a380bfc2f80241cfad7168c36bf4d7a9c32c239551ce09f4e425e653352df3c3fefbef98e6e2c993c1a2615b9f472a08cd5cd0ae581efa6a0d3c55a1f93e921c0e25eabf6e776997c100f94c4d663ae2c3b3e83befaadf5103d04b4009200e7542467860c89a6015c90201b72038d237c19ad33e46df4a7703617914a6dce673d0a4f80582238628c1d2f453c69b5fa98144cab409aa0c1ccb51c1a0146ee897ee1bcbfa44d669c108f6bf220c5f08c90c97c9e38589edb32e7a8b5b9b56ed2766216e18a175a2cda1b8c116036cb60b4bed85655fd9d5be53f83dfaf95ebde95a55d1585b5e030747c104320196655c7aaf04dc3d52a6cb8da648253eee9b85fb16f1e9dd943da10de009e00000018ffd6d7f985fb9862c7bcdbc561bc7e90fc4fdf4dad742a67d374703a8353b20efe0a4a2b2d32fa0948b79e963c4a34e46cdb2dddc380d0f4374de509ba5874dda0b5f15976d7c31f37cdbeb2b5718a992cefce8e1da37378c4b5892182169e8f4d90762d300ae95c967f6c8cec67e46e9e41d00dc43de518513dedcf8002d4ac301be8511722829c58683720e3372606dfc7cb4b87683d062e56619a068f9392c566ee4d2a45dc0bfc1e4438dde3f0e4aa4fe7ab6f0571150a72176d05c54a8188d3e576f6866d54a598e2f8e4b72a2a3ee4e59319ecf75204c2e6b5b91c5b9cb423059cbe3f5776074b9303e9512d50cdced4ae75553be1d0b8ace008008c00", @ANYRES32=r6, @ANYBLOB='\b\x00a\x00', @ANYRES32=r7, @ANYBLOB="00000014005a00fe80000000000000000000000000001b181208003e4eeed6bb5b8623c9ebcbce04476286f106ead999f99b8d07e6ac971099d3ff81ec0b8e6b387a322cf450f553b404a5471b288aab9c42e9fe5cfc23543996d1e9d3143f159667e3d0ce39111f4c7b76e94a45ac2bf8e5dcf9e54a84a475a4a131d3fcf004cfb2ae0fa1e11db86416b476e8b62decfad7d146399b1d3ab63c6b066dfe5882cc1963ade24b220362dbd42c888bd8533d982fe8f971d4dd1e629ab2c23f8b90252ebaaec30720dce7fba7a5da7d71e3aaea25db6806723db4c8d9debd1a496d0d0614306ec8796e6595b0f8ebe42204c2ef6695dc65655228f8df27ef5e14ec06484f61ca993b1900ba692e4f74ba6e09ed467c39f36b18755d66395904032d562ff43ff7862c38a6356dcba5c0a22ea5dee24700448f0302d870d19413027e0f5fcc7499613d6a9b8aba18c8dfa11eb8c9c7253f289bce1f82d472b5d8cf3df347149aba9183cab656af421dd81638d8081b1f1bdaa5f05389003606a2d0a8fb30b309375ae72e3b5dc3ca7e22732627d4576a3f3a7bb443c4792d5a1d04c12ddcb907aa261e20d9a5aecf654709fe7cfe1f39f28464af815da374296b601bcb4062a9f5c15588a1918a0bd6178e6cc0dd1a69bbe3778f396a406cbf0defc731d8864bab1b97b9be880c02f5dc1278293be0e0e6742adf3181bfc99804008a0005f33fa1658c7ff1d21c1605e37379572d4845bd8384866f70881469422b3ae7ce593f0e27e7a01f38aca1bab258a5a2b12aa5797e20aa09140bcaa33e6e201c4619e7d8c8981d9a16b1f739f9e43e502e2b6595140cdef2f1483089678e16a0b9c24556cebc47d8087f5a8611ddd20b09a4e43c1f6aa11121c57e894d248e3dec4f68b89504b38a2465759973d8f5f672736979dcd9fcb15b4bff7e6b4e24c99d07031e29000e4140f807f3eee5c365cc2bd9cdb6103f856dfa4df9c609ce6d0e47590016c5071e9963875c9d818eda89c69e0da2fad3ced197ed78ef982d6797de3501ccf5c002e7869e26bce18fce0e40bf5a745ee343c2495768bd591307312a31552c0f5367c0d292e54af1656ad6bfa103a9856967ed79c2f083555623415224adc3f5c23a374a66d2838c9847eee28aadd7a05606b5e9a48d9fd45d679117bf82dfe373d301f432ba02525a2764967ab27104b11d557fdf47adb453483d75a89e88809314d80abe8df0a0e71ba4e619744b0db3cd04402690f3dc8293ad384ac21f676be6a025c857f91eb9a1406b5ec7850a9d14c78f0100548ba1d597912b32410118254c296a8253de03fc98dafa4a32c3baa0c50bae5da331039c7b0404e2e8d52c1a2b5d4ed7fafd0f713eb6438ab41ffd6106c79ee5206800b14eafed73650c3a0d4985dab1f11cf24a6c590c12bad4a0e720076044d48b46d7d80cbcbe7aae5067a771cab40b32827e674cf572b8d50415bc4973246f55c87cf843807e1e13404cde7cb22c31ef1464130983fc330fa1ddd1f008efdf8581745a670cc68db887ca30951b254c696c58b0eed2faf82741abb324fe988f47fa601aa438df3ff0f5843a6b85c2bb270b809082322c230eef039cec7300b92a88b675e3f5405ceb2dec79a5fbd8e9987f33be52b1c9e3ca7080f16bc906c5193b00ba28442660a2a4b4c5bec8fae592dbd001fd26403f1ff30a6e7db3d2106a7fbcbede31c807799cc21f2091bf3a763c0c415f41244d8ae64ddfaae69bfc883bfcc0a66fd88e67a921c67b6012be155e7224b729ca4c61be9659490446ff15e690526f783512c916e0df27fb4f2998f11202b2d972ceba33be62f56b91beda9f91c5c04d0b37bff49d7844a511a5fe30514297512379f1e212e4cbf4a2c55e56ac43480a50f2f41188647016c5d06e548fb41ac2812571fb491388fdd87f5f719e82e144fe0a4b8e017d450a4989f4b1d120bba8e265a857e2fdfc5b0918124b4dd3b42ff622e649264d03bff68c517277990091cce1b2f2e2d61d339bac4600114b7dd590ac569d72742425cb592041a09635dab52a12c0f934a50676ae38da1845aa9caec0d334cc142c0ba373f88523a3d7537cd6ba47a00346b0859cbc0aea448b22608bb8718773a701dfbab52a7c681e6ef4e22c7c70b0c87cb59e5febf60450ea6acc65860bbfc4cb582503117f6a4cbaaaf9cd69dcec8d859f802d346c170794c248fad45f1cb0cd658fce4bde47084a012b3521fa651629c579a5af7e01300ab62fb4fe2c97be7de6bfb7a9c3064f5ac42592db3190c4b4eb5116462c9c70d83c2f75d8a2bbdd3d090b02ded8eb7853fcd40e604b4af16a799e5170aa14a13ac6f6a6f5355fb0298cf82c775e5657b16305c3c41a1756f29e7c0dc6cddea5c61e84697d2378f1437f04199eb1ff1d78cdb7ee02509773bcb51253805b44cf1419a52096fa64ba68c19db9b96b9a77d6c0bdafd7d0b9872cc4cefbaefb079818af6803a7c046ff1e991e1cf0c83cf554062afc3962f23cadc7f9f5b6e4a4ac44cf9687e1422f79c262477a2fedf32a902a8abf70f4897396dcc2a4c0d05e9c14c124959089fc7e4dbf15bc3975cc582be14d2e48b309024ccaedcaca0b85b7e1d969d456e876c628e8dbd818d4362afb5717ee4a58759c057cfba648fb327e856d8e3b73bb598c13de83422949df76e3a7f663343b98266ffbe4ab93a39938848bbcc9acd98ff0030f78cfa3b34166c4b3b7d8b8d9015452eeeb4fd9baa760a8a357164b288b2d1bc20dd09d7be7a026eb8f7fb290ab75c9c3df75b72193431c821946ef7f96a1bd45a9c425a116edb17ac2fd0293f6c0c380d4e9078c20ca6df8a606d625d3787eb816417347fb9865f9625ae67dde799acbe01f2e3b461286015cc86fad86180807e73a954c197f626fe1568015e736ef719a229374978fd951fdbe8c8420941609d448c864a8b119eb7c6b3594cfac04ea7c20a67d01eeb9b69abeb6bc5b0be206801747332af4abc306e64507b0f37bc747c7ce1c242195c7bc9efa0a1c41f42a800d26b248ed297e3af7175f49de2b930bb7af405073382ba2cac250eb658bfec92f89dbace43aafc1ddc411efb9b57cb5284da4e44b1cf468b60550987e3a12a69513df0a0225cd353348dced3f196cd853fd3aecc0dd556168226d6ee97fd5c5bd4ea39ae740f19179913a71001a5b971a6e3a4251b3a720b7326243204cbcad4b485de4d12d73bb6b21ed7bc516fac6dd0e51ecc2b7ea62df7d5f6e22f99fe47ed12d59bedf3eef5f18062143cd1a5a6896da1c2e99088f7751e5d050f88d2b548e2eec6d4f9601d58f460c4d59e5058243cffcc06182ef232c7c93ed4622076de8e37355f4e4b3d321a9f809d2dcfc36fcebe06fc3424ae72875807355c34177b4c147b54b1f872c93837db21db7cf41dd844f5daf4e13ca8014de969e4150452d7b997b55865aeb7ecc53372f79c8943b0e928dbea48417c53bd718a19155cefc84cfe0a333e2b20e7aec9dfb36b8ee90455e8f6fb309a9eea168001e9caf029ddcb0cf67d3b896a3bb93dde463805961e8db1e73fcba3d53212a7410932a3aceafa006056a80d89134b7960e380c8605efbe8c75858a0794ac1b978823ca6458f5f212ae4669156f29d438e5d8159ca064717641f884dfdeafa7de8977de8009acc7cda95b05920b48a593d0cc7632e0aff85a65f69cd7fa63be8a05702678c93f6862bac3ddd5a10af62eb8264235a92ff5fa5751ac2281a8c10010ba179282166b42dea498cbfd0fac6fe4f0e6d4eb4c51200649de13b1b41894bcf2ff97a5863568482bba495e4fc0e2811b61f6c22e695232ef4410a7dad7353eaf9010c866023e51c48aca1f752e53dfe95823eb21a565a75fd2dcbd2bbce0c87b43dea1d933870eaaaa2109378093942a545e42ed50e9fa0a9e7be68e201fdbae9309350dcc16ce34d97f4f42dbe0f1c5bb78dfb3fbbcfa6d21852929b2f1a8b4cd1f6610f1e459abb9d2e381ec35046077c79e44b5cf6810af8c83de12530dab9664403a4bb267d272151950afc23a20914dbb4cfe7b75c91338f44f68f2507d17bf90c58126cd2161bdc57629d584cc4d34cab6021f4c1da25a350f2defce9da5136302edd53846b0c528a2eb8f1b6b22ad6d9e45044a6e1ceab1ce60a4fd0f447402d8b9a1b6071e6d5abd017179c1754367a24797ea374fe6c6f23d070588884ada36845e36e6c366b9a0e3a9113ae68dfba8d5c5809cacb2409fe8841621600de532d6f0852e8c655f3addda9897bc2062f036e2d522752b35e7ce1ed4e56f82d9dc69a56f54f51d4739c65098a443cf18c89b8bba534c9fba275b7d724693b8fcaf939ef0dd20300015c6ad2761a35e65c5a061986254a8734b820bd2b36314a34e141da321a6524717bbf7b78d05f74c1b59bfae2210c53744c4bf55655b60fc5b5203e6f6a2a46cabe5772b5c041dae4f51f6ab5728f66ae10db1f94f30a52abcc9b066b6331284094812c8e33a4677d4782fcdbc258f74cf807406faeb2c5a356cee5f500027325661307074412524fb321f9852df19d0184707e1a03a3f83cf04025ac70df0f1bc20f52d47be3179d031dbb0e208440e7ba0f36329cd68a367ebb46a1968aac2ec0fcd75fcf54c5a3652dc3a63423d1978ce9acc972f61a798597e0e8f6bd47af5c9503936db32b0432e9c95b4659df71e6f040029b40b351b06ed50451e6b15e97a3b66cb6a7ed9a1153bfec2b9dd5bbcf68f296a3f4437984cae0b42835de0f3df17352611a602f3370f27419c8ce1683697a54a973b05193228f388a15f081224b68511dd3b13f8184d70077bcbcd1f9d8e2cf87b6b2d9f33aaa265290c77561611127016ceeadf8b31c01542b7f1975d55be5e477a80c387e00140d23fdf2391ba959847a67858b0e2b87288f4779b49b1ae8733d2eaa5210040f910a58ff9eeccd32ed504f585ef501ffd2242001eacef93d35a213467a5692260a730e6fa0abc5f86d63b07e86b36228703197822910ddcba71f82413d809e459d19cfb1ae9485c41db9603ee2f44b55d7632c6b7fdcfd9c280b66934a16582581a1f3ddac8813fe6b6b0b40ae18789fdf75e0bfd6e915cc7d84fb1af929a6a8b27191739978e26e68ba2346d7b22d0806eb845ae12b4fca4a8eb826b99a7641d5fe4c6a8b9cf3ce919b003a1a4ed7c3f275b86638f96fd19c9daeba797082a90377ce194ccc5f0cf56e030cd00cb0df70d9d57fa61e8c47585ba1dfefd2f5366688acead8e14e3c4569496da82360211050a83a4e3e720f1f84402cb5b97d85a17f5a05d13740eb3a5e1213b9ccd5769ef7a869caae71b04d4ffc0be3555065310a74b483174d2ce19d2f6ac96722647f01c00676f11b64ab3307074d7cb8722af3670da5301811ddf96f35733705bc372a1b54221cbe996805e6608f08a0cc34e68eee7ad2a1697f3fa869a1051488b9c299adece2caa0d4f5918a0be4ba0f1a7ba4b1bcbe38e52133286038ccdfeadc84191e6d363265547333b8eec89b23c55e8ae0fff4bead8d7592eb0082e5bc9bb560336adbaf8f1f44ecb0a8ef4329aab3c45019ef5616798a27c00e295cbe46d9239d823f6302f138e797d7b0c0e9054ed913711960fd61b87ae550e2571eff34af20545345e7bff5badc90376bea3710d1ca75b69f8fd2c0c3d1a19cb9f5426e5143eec3f6c891fd28154e63f32817567d09daebd5831d2bedf4cf0f66a490a013ea99eefd31a489a957d8d98b3f986d03f912204a9fef12c8821568f3e0f1726d2b98c0189b4f0ca3c1457746a6c69029ba40ef5fabe9a76e3565810872e054f869ad641fe71b828612b0332b2f0bb8323a59a2db38048574283d6e0d3a40b20dddc28a79d004a38465e0c7027cf49c45c7b2f2fa501ec4b216ad2a2e7286e1ca0abded80e6b8e408ed0168a8776e8f831ccb7eda1aea2a859ac9118f12af9b73ab392fbbd3ab649520f9b4c20f3fe85ccd0664adcbcd248fbf49f4c8d7c499a9ca3eb0d3bb8c29df347fc7242d0d4baf2acd4811d782b03fd52b67fb5e6fff771ab3e5882c1d818b3d423445cd6d10779e103dc0ec36a4fa08220f3363f1fcd6132867332deecf0bddc7b445cd3d3d9aecdbe81b429afdf7418b38fa9b8030a74237842f5a243f4f8e3b82fe95505b883e52e9ab52e961106d8e2aedd5ae6ef9e468c2af9cebd5a3519ab5f6398d65197b80fa90f1743afd5f89e2a7aa30cbcea92b6517866b0b9cb1a4f5d0382da7bfb30deaac57d963d8f7acf68349970ff067e4618c5265f525411f4de6536905d044dd6f470016515da9e225e15249f83d7fff861faf008ba4918f8320a99e545d20597214dd06d3d4ddedc99f9e934906b9f348d9f24ef0dd6e87e5188e265f8a99befd6e61311f04efb76583cfd26d7f09f66cc7312c6f70e8b47e91a612344f910a1a0bf1b6454189569ee28ca690ae09dd7330b2251e4cd1c8e2e848b2db00473c995494d659b45cc08004800", @ANYRES32=r8, @ANYBLOB="14003000ff01000000000000000000000000000108004500", @ANYRES32=r9, @ANYBLOB="08001400", @ANYRES32=r10, @ANYBLOB='\x00\x00'], 0x2904}], 0x1, &(0x7f0000000a40)=ANY=[@ANYBLOB="28001900b663b3e189e100", @ANYRES32=r1, @ANYRES32=r0, @ANYRES32=r1, @ANYRES32=r0, @ANYRES32=r2, @ANYBLOB="0000000020000000000000000100000002000000", @ANYRES32=r11, @ANYRES32=r12, @ANYRES32=r13, @ANYBLOB="0000000020000000000000000100000002000000", @ANYRES32=r14, @ANYRES32=r15, @ANYRES32=r16, @ANYBLOB="0000000028000000000000000100000001000000", @ANYRES32=r3, @ANYRES32=r1, @ANYRES32=r3, @ANYRES32=r0, @ANYRES32=r2, @ANYBLOB='\x00\x00\x00\x00'], 0x90, 0x40000}, 0x8000) 05:01:15 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) r1 = dup(r0) stat(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)) ioctl$int_in(r0, 0x5452, &(0x7f0000000200)=0x5) ioctl$DRM_IOCTL_RES_CTX(r1, 0xc0106426, &(0x7f0000000400)={0x1, &(0x7f0000000300)=[{0x0}]}) ioctl$DRM_IOCTL_SET_SAREA_CTX(r1, 0x4010641c, &(0x7f00000004c0)={r2, &(0x7f0000000700)=""/88}) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$sock_int(r0, 0x1, 0x21, &(0x7f0000000240), 0x4) r3 = syz_open_procfs(0x0, &(0x7f00000001c0)='net/netlink\x00') setsockopt$IP_VS_SO_SET_ZERO(0xffffffffffffffff, 0x0, 0x48f, &(0x7f0000000500)={0x0, @remote={0xac, 0x14, 0x14, 0xbb}, 0x0, 0x0, 'lc\x00'}, 0x2c) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000340), 0x0) r4 = syz_genetlink_get_family_id$ipvs(&(0x7f00000003c0)='IPVS\x00') sendmsg$IPVS_CMD_DEL_SERVICE(r1, &(0x7f0000000600)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x1020000}, 0xc, &(0x7f0000000580)={&(0x7f0000000640)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r4, @ANYBLOB="0101e589b16d7000fcdbdf25030000000800040002e3ee8075c6f01d18c518d0f39b021e186532504c1596f8e6f6412e60190ea0c3ef9816057c5f94ca21d54ab143e29c5c1115528dcf7c759189d196b1"], 0x1c}, 0x1, 0x0, 0x0, 0x20000000}, 0x40) r5 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/vga_arbiter\x00', 0x0, 0x0) bind$inet6(r0, &(0x7f0000000180)={0xa, 0x4e20}, 0x1c) ioctl$KVM_GET_XCRS(0xffffffffffffffff, 0x8188aea6, &(0x7f0000000380)=ANY=[]) sendto$inet6(r1, &(0x7f00000007c0), 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback={0x0, 0x1}}, 0x1c) ioctl$KDSKBLED(0xffffffffffffffff, 0x4b65, 0x0) ioctl$SG_SET_KEEP_ORPHAN(0xffffffffffffffff, 0x2287, &(0x7f0000000280)) r6 = open(&(0x7f00000008c0)='./file0\x00', 0x20141042, 0x0) getsockopt$inet_IP_XFRM_POLICY(r3, 0x0, 0x11, &(0x7f0000000780)={{{@in=@multicast1, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@loopback}, 0x0, @in6=@local}}, &(0x7f0000000440)=0xe8) ioctl$DRM_IOCTL_AGP_ALLOC(r6, 0xc0206434, &(0x7f0000000540)={0x8, 0x0, 0x10001, 0xfff}) ioctl$DRM_IOCTL_AGP_ALLOC(r3, 0xc0206434, &(0x7f00000006c0)={0x1, r8, 0x10001, 0x7fff}) ioctl$sock_inet6_SIOCSIFDSTADDR(r0, 0x8918, &(0x7f0000000480)={@loopback={0x0, 0x1}, 0x2d, r7}) ioctl$sock_inet_SIOCSIFADDR(r5, 0x8916, &(0x7f00000005c0)={'nr0\x00', {0x2, 0x4e20, @rand_addr=0x20}}) ftruncate(r6, 0x80080) sendfile(r1, r6, &(0x7f0000d83ff8), 0x2008000fffffffe) [ 1072.515061] binder: 29531:29533 BC_FREE_BUFFER u0000000000000000 no match 05:01:15 executing program 5: r0 = socket$inet6(0xa, 0x805, 0xfffffffffffffffe) fchdir(r0) r1 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r2 = dup3(r1, r0, 0x80000) ioctl(r0, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000140)=[@transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x28, 0x8, &(0x7f0000000040)=[@ptr={0x70742a85, 0x0, &(0x7f0000000000), 0x1, 0x4, 0x3a}], &(0x7f00000000c0)=[0x78]}}], 0x6b, 0x0, &(0x7f0000000380)="d8d4a7ca01773847d13e1d473e1788b129bf706c03ae8eba810b36d3b9669b773987a1ecf695e1a42b412a5d6646ac12f18d572dcb1e60229feef42dfe1cce2f9327f9590bce4ffc68cd2c21b85a26fe7b501ca379500499b58e50b654528fbfbe3b7e4bc83cae8df78949"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000200)={0x4c, 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="076304400000000000634040020000000000000000004366ca839d5f45477eb71dc42e0c00000000000000000000000000000000000000000000000000000000000029408047eac7f081b5bd2bbff167e9fa1cbadad618edb11e33ea9cc004ff079972b2ddba87030a80b73b5c823d3d06610fca7e5fa6a1552e584ee4f008d01691a2a7cfa37715c652ee458c7f85fa429c5c11ab78995f4ae517c774ac2915aa872a7c84d2748afba581c731bcad5f5217b8c82aa2d86127c1e5a4994959ff44c81c9c1bb4c611ac09ba7e5e5fa90a521c467de96740d2e0d85a8d8a87827e90a7870dbd792874c1c525ffdc84da435ab07d9c01fd436502cec58d3779ac17a51c9d89526f757101", @ANYPTR=&(0x7f0000000380)=ANY=[], @ANYPTR=&(0x7f00000003c0)=ANY=[]], 0x0, 0x0, &(0x7f0000000180)}) 05:01:15 executing program 4: r0 = creat(&(0x7f0000000040)='./bus\x00', 0x0) r1 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) write$binfmt_elf64(r1, &(0x7f0000000280)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0xd1, 0xffffffff, 0x0, 0x8, 0x2, 0x3, 0x5, 0xe7, 0x40, 0x190, 0x8, 0x1d, 0x38, 0x1, 0x9f, 0x8, 0x9}, [{0x6474e553, 0x7, 0x1, 0x7, 0x3, 0x1, 0x9, 0x2c113863}], "bac86463b9c863743866e23bf61facdd999bcf53dcaa9ae56b29ed1452cb91b35f4b989b5a842dcbeabaeef4f51bda8cc603aa3889c55522b1cfd05010571bd6418cc58f5f45818e745646edd302cd408aeee0f77cf9ba49b7b3fb78013fd8", [[], []]}, 0x2d7) ioctl$TIOCLINUX2(r0, 0x541c, &(0x7f0000000080)={0x2, 0x9, 0x7f, 0x401, 0x1, 0xf5c}) ioctl$fiemap(r0, 0xc020660b, &(0x7f0000000200)={0x0, 0x5, 0x1, 0x0, 0x1, [{0xf5b0, 0x1000, 0x2a}]}) msync(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x3) [ 1072.690651] binder: 29563:29566 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 1072.698531] binder: 29563:29566 got transaction to invalid handle [ 1072.704871] binder: 29563:29566 transaction failed 29201/-22, size 0-0 line 2852 [ 1072.762532] binder: 29563:29570 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 1072.770423] binder: 29563:29570 got transaction to invalid handle [ 1072.776742] binder: 29563:29570 transaction failed 29201/-22, size 0-0 line 2852 [ 1072.816309] FAULT_INJECTION: forcing a failure. [ 1072.816309] name failslab, interval 1, probability 0, space 0, times 0 [ 1072.827626] CPU: 1 PID: 29571 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1072.834563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1072.843920] Call Trace: [ 1072.846518] dump_stack+0x1b9/0x294 [ 1072.850154] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1072.855353] ? unwind_get_return_address+0x61/0xa0 [ 1072.860296] ? graph_lock+0x170/0x170 [ 1072.864107] should_fail.cold.4+0xa/0x1a [ 1072.868174] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1072.873292] ? __lock_is_held+0xb5/0x140 [ 1072.877357] ? __kmalloc_node_track_caller+0x47/0x70 [ 1072.882463] ? graph_lock+0x170/0x170 [ 1072.886254] ? __x64_sys_sendto+0xe1/0x1a0 [ 1072.890499] ? find_held_lock+0x36/0x1c0 [ 1072.894572] ? __lock_is_held+0xb5/0x140 [ 1072.898648] ? check_same_owner+0x320/0x320 [ 1072.902975] ? rcu_note_context_switch+0x710/0x710 [ 1072.907907] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1072.913196] __should_failslab+0x124/0x180 [ 1072.917436] should_failslab+0x9/0x14 [ 1072.921262] kmem_cache_alloc_node+0x272/0x780 [ 1072.925854] ? __kmalloc_node_track_caller+0x47/0x70 [ 1072.930968] __alloc_skb+0x111/0x780 [ 1072.934689] ? skb_scrub_packet+0x580/0x580 [ 1072.939106] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1072.944647] ? ip_generic_getfrag+0x11c/0x2d0 [ 1072.949149] ? ip_reply_glue_bits+0xc0/0xc0 [ 1072.953487] ? raw_getfrag+0x15b/0x220 [ 1072.957376] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1072.962404] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1072.967430] ? raw_destroy+0x30/0x30 [ 1072.971160] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1072.976973] ? ipv4_mtu+0x375/0x580 [ 1072.980612] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1072.986078] ? lock_acquire+0x1dc/0x520 [ 1072.990058] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1072.995597] ? ip_setup_cork+0x4dc/0x7c0 [ 1072.999663] ip_append_data.part.48+0xf3/0x180 [ 1073.004252] ? raw_destroy+0x30/0x30 [ 1073.007970] ip_append_data+0x6d/0x90 [ 1073.011772] ? raw_destroy+0x30/0x30 [ 1073.015493] raw_sendmsg+0x1dae/0x29b0 [ 1073.019399] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1073.024507] ? rcu_report_qs_rnp+0x790/0x790 [ 1073.028926] ? graph_lock+0x170/0x170 [ 1073.032736] ? expand_files.part.8+0x9a0/0x9a0 [ 1073.037320] ? check_same_owner+0x320/0x320 [ 1073.041682] ? lock_downgrade+0x8e0/0x8e0 [ 1073.045841] ? lock_release+0xa10/0xa10 [ 1073.049820] ? check_same_owner+0x320/0x320 [ 1073.054142] ? __check_object_size+0x95/0x5d9 [ 1073.058645] inet_sendmsg+0x19f/0x690 [ 1073.062445] ? __might_sleep+0x95/0x190 [ 1073.066422] ? ipip_gro_receive+0x100/0x100 [ 1073.070748] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1073.076293] ? security_socket_sendmsg+0x94/0xc0 [ 1073.081061] ? ipip_gro_receive+0x100/0x100 [ 1073.085388] sock_sendmsg+0xd5/0x120 [ 1073.089108] __sys_sendto+0x3d7/0x670 [ 1073.092917] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1073.097592] ? wait_for_completion+0x870/0x870 [ 1073.102181] ? __lock_is_held+0xb5/0x140 [ 1073.106298] ? __sb_end_write+0xac/0xe0 [ 1073.110286] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1073.115835] ? fput+0x130/0x1a0 [ 1073.119118] ? ksys_write+0x1a6/0x250 [ 1073.122927] ? __ia32_sys_read+0xb0/0xb0 [ 1073.126991] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1073.132538] __x64_sys_sendto+0xe1/0x1a0 [ 1073.136604] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1073.141627] do_syscall_64+0x1b1/0x800 [ 1073.145518] ? finish_task_switch+0x1ca/0x840 [ 1073.150016] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1073.154951] ? syscall_return_slowpath+0x30f/0x5c0 [ 1073.159889] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1073.165263] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1073.170126] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1073.175320] RIP: 0033:0x4559f9 [ 1073.178504] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1073.197908] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1073.205622] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1073.212893] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1073.220163] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1073.227433] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1073.234703] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000029 [ 1073.244731] ALSA: seq fatal error: cannot create timer (-22) 05:01:16 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1e}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:16 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x500, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:16 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r0, 0x84, 0x12, &(0x7f0000000400), &(0x7f0000000440)=0x4) write$fuse(r0, &(0x7f00000002c0)={0x28, 0x1, 0x9, @fuse_notify_store_out={0x3, 0x2738000, 0xfff}}, 0x28) setsockopt$inet6_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000280)='westwood\x00', 0x9) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x80003}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0, 0x0}, &(0x7f0000000240)=0xc) getgid() setgid(r4) fcntl$getflags(r3, 0x40a) open$dir(&(0x7f0000000040)='./file0\x00', 0x10040, 0x40) setsockopt$inet6_tcp_TCP_FASTOPEN_KEY(r0, 0x6, 0x21, &(0x7f00000001c0)="b5f2ffa572b2b8d5992e6bc2849dd943", 0x10) 05:01:16 executing program 4: r0 = socket$inet(0x2, 0x1, 0x84) listen(r0, 0x82d) listen(r0, 0x0) listen(r0, 0x6) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x101000, 0x0) getdents(r1, &(0x7f0000000040)=""/236, 0xec) 05:01:16 executing program 7: r0 = socket$inet_sctp(0x2, 0x402000400000005, 0x84) r1 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000000)='/dev/urandom\x00', 0x400, 0x0) getpeername$packet(r1, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @broadcast}, &(0x7f0000000080)=0x14) setsockopt$inet_MCAST_MSFILTER(r0, 0x0, 0x30, &(0x7f0000000140)={0x0, {{0x2, 0x0, @broadcast=0xffffffff}}, 0x0, 0x1, [{{0x2, 0x0, @dev={0xac, 0x14, 0x14}}}]}, 0x10c) 05:01:16 executing program 5: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000240)="0047fc2f07d82c99240970") r1 = syz_open_dev$tun(&(0x7f0000000280)='/dev/net/tun\x00', 0x0, 0x0) pwritev(r0, &(0x7f00000005c0)=[{&(0x7f0000000100)="ec4cd245fc03f1f8ef2938dd134192a94df90a66245adca882cf0861cfefa82e588bde5608b53e90046224f46109b48523c686ab405c6478af8b5cbcf4c368e86adca46856024989eb32283f057a640d20d0bf68b93cc78b7a32c3d746650262b8cbc1932ea7b3f89098a583a16561e17ffadacc73c533589a3326df33644676f876e7a0ccc8e6a3a2252c880f898bee7633ec11892f550bff4a8c0976cfa28a548e6d5c2cee0e016cd3297091a0e4f54344ada8e25fd81c45794d118e854e03b266cb7e81dc8be29155de271bd7a906ac15aa773fb9ec", 0xd7}, {&(0x7f00000002c0)="cd34ba2a0c03b902542624308b611cf2cb5717641c0e1e65ddd37a208b937e005a5f3831d0fdba17951323c1e262e1ad3420a56bddfbcb704b96b85cc3789d2204d3bf078fc6651d644b71f120ff5e70b48bb5c0220760f6832db6b72f7723359eac7ef3a6d2d1213e7a4dbdec", 0x6d}, {&(0x7f0000000080)="f60deb06c746e0ae655344e53a36dba41675b9abbd9521ec1ade4ae8dc7a", 0x1e}, {&(0x7f0000000340)="8b57b69e1aa01680febac905f931767986c812519a4781fe6bd1694f3d749fa537f7b339afc6b22f29cd0a570cf3a24e99a659e3fbf299963509cc699b2486e71866f96e512c36d9a3b3ca39125320895a31f1e19c9a7b86574871351edeba4172e0af1985249b21f4805bca93cdc92a60da2100e886b07dad761721af868a2ad9b40b4b42db36c32a6f57d5b2ea0d6c53c585bdb3dc5696bf52d4695cc4b7d4a85dc1a6e544c28a1244613284e38251d5da333d749b7123c5ca576508582c45ca43bc2de5060a1781c1de9c758bd68daf2609de457fe143df424b6a654427006ddd2cd5ab0b46511ef3111724", 0xed}, {&(0x7f0000000200)="a0fcff1cb7561b1dcdfb389840e82c2fcacd4f52", 0x14}, {&(0x7f0000000440)="503e6fe625456f42b92385bc93b8868dc3cf6e0bdd10d1ba37c27adbaabc735b4fcca4c5f27daaaca1ec4f3193b4a7fd18ae1c0bcd366059557d8d80c2e55e5d5fffb966f57186a663b00119db3d3fd4538eeea56547f9e0c64bb12200b59346fd7bfa803114e4fa5237547499c0e27ecb9a9498dc2028937a706b4f8d62308a747426b19988a05005928a7565be821be5658b5197cc84c3c1ec79407c36165e97d199da6dfab7c834e1fc4ef56f502c334875f0ddc3e20f10c513a6b4024e141da11d396f42961ff4159913fffee73ae9bf0d6ba8e50e28d6a7c859073e6dfb549e4720b2bc6cf6f9c2275bcd", 0xed}, {&(0x7f0000000540)="a6a8c55de73217d2f987ffc1d51da5889552e68e1992f0f50460c951cea00e5a5cb4b55cd43296369041179439484978a99524c5f23994c701315bf8188728b01a2d20eee33f3f3a9613c0e35d1c997ceddec6147050b2719634f993033a", 0x5e}], 0x7, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={"d202b999cf85000000000088f301e710", 0x102}) ioctl$TUNSETQUEUE(r1, 0x400454d9, &(0x7f0000000000)={'vhan0\x00', 0x400}) r2 = syz_open_dev$tun(&(0x7f0000000280)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f00000000c0)={"d202b999cf85000000000088f301e710", 0x102}) ioctl$TUNSETQUEUE(r1, 0x400454d9, &(0x7f0000000040)={'erspan0\x00', 0x600}) 05:01:16 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x1f000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:16 executing program 1 (fault-call:4 fault-nth:42): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1073.278439] binder: undelivered TRANSACTION_ERROR: 29201 [ 1073.284313] binder: undelivered TRANSACTION_ERROR: 29201 [ 1073.306334] ALSA: seq fatal error: cannot create timer (-22) [ 1073.383371] binder: 29594:29596 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1073.398000] FAULT_INJECTION: forcing a failure. [ 1073.398000] name failslab, interval 1, probability 0, space 0, times 0 [ 1073.409339] CPU: 0 PID: 29592 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1073.416273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1073.425633] Call Trace: [ 1073.428235] dump_stack+0x1b9/0x294 [ 1073.431883] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1073.437090] ? is_bpf_text_address+0xd7/0x170 [ 1073.441601] ? kernel_text_address+0x79/0xf0 [ 1073.446018] ? __unwind_start+0x166/0x330 [ 1073.450184] should_fail.cold.4+0xa/0x1a [ 1073.454259] ? __save_stack_trace+0x7e/0xd0 [ 1073.458598] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1073.463720] ? graph_lock+0x170/0x170 [ 1073.467541] ? save_stack+0x43/0xd0 [ 1073.471187] ? kasan_kmalloc+0xc4/0xe0 [ 1073.475093] ? kasan_slab_alloc+0x12/0x20 [ 1073.479247] ? find_held_lock+0x36/0x1c0 [ 1073.483311] ? __lock_is_held+0xb5/0x140 [ 1073.487381] ? check_same_owner+0x320/0x320 [ 1073.491708] ? rcu_note_context_switch+0x710/0x710 [ 1073.496643] __should_failslab+0x124/0x180 [ 1073.500874] should_failslab+0x9/0x14 [ 1073.504668] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1073.509778] __kmalloc_node_track_caller+0x33/0x70 [ 1073.514705] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1073.519465] __alloc_skb+0x14d/0x780 [ 1073.523172] ? skb_scrub_packet+0x580/0x580 [ 1073.527488] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1073.533024] ? ip_generic_getfrag+0x11c/0x2d0 [ 1073.537517] ? ip_reply_glue_bits+0xc0/0xc0 [ 1073.541841] ? raw_getfrag+0x15b/0x220 [ 1073.545719] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1073.550740] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1073.555761] ? raw_destroy+0x30/0x30 [ 1073.559509] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1073.565315] ? ipv4_mtu+0x375/0x580 [ 1073.568937] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1073.574401] ? lock_acquire+0x1dc/0x520 [ 1073.578426] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1073.583956] ? ip_setup_cork+0x4dc/0x7c0 [ 1073.588014] ip_append_data.part.48+0xf3/0x180 [ 1073.592590] ? raw_destroy+0x30/0x30 [ 1073.596299] ip_append_data+0x6d/0x90 [ 1073.600092] ? raw_destroy+0x30/0x30 [ 1073.603803] raw_sendmsg+0x1dae/0x29b0 [ 1073.607699] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1073.612800] ? rcu_report_qs_rnp+0x790/0x790 [ 1073.617209] ? graph_lock+0x170/0x170 [ 1073.621007] ? expand_files.part.8+0x9a0/0x9a0 [ 1073.625579] ? check_same_owner+0x320/0x320 [ 1073.629910] ? lock_downgrade+0x8e0/0x8e0 [ 1073.634051] ? lock_release+0xa10/0xa10 [ 1073.638019] ? check_same_owner+0x320/0x320 [ 1073.642331] ? __check_object_size+0x95/0x5d9 [ 1073.646828] inet_sendmsg+0x19f/0x690 [ 1073.650617] ? __might_sleep+0x95/0x190 [ 1073.654587] ? ipip_gro_receive+0x100/0x100 [ 1073.659282] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1073.664818] ? security_socket_sendmsg+0x94/0xc0 [ 1073.669565] ? ipip_gro_receive+0x100/0x100 [ 1073.673882] sock_sendmsg+0xd5/0x120 [ 1073.677587] __sys_sendto+0x3d7/0x670 [ 1073.681381] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1073.686046] ? wait_for_completion+0x870/0x870 [ 1073.690624] ? __lock_is_held+0xb5/0x140 [ 1073.694689] ? __sb_end_write+0xac/0xe0 [ 1073.698658] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1073.704182] ? fput+0x130/0x1a0 [ 1073.707459] ? ksys_write+0x1a6/0x250 [ 1073.711313] ? __ia32_sys_read+0xb0/0xb0 [ 1073.715367] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1073.720904] __x64_sys_sendto+0xe1/0x1a0 [ 1073.724975] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1073.729984] do_syscall_64+0x1b1/0x800 [ 1073.733859] ? finish_task_switch+0x1ca/0x840 [ 1073.738345] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1073.743266] ? syscall_return_slowpath+0x30f/0x5c0 [ 1073.748189] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1073.753558] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1073.758400] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1073.763582] RIP: 0033:0x4559f9 05:01:16 executing program 7: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f0000000040)='./file0\x00', 0x20000, 0x54) setsockopt$l2tp_PPPOL2TP_SO_SENDSEQ(r0, 0x111, 0x3, 0x0, 0x4) shmget$private(0x0, 0x3000, 0x78001828, &(0x7f0000000000/0x3000)=nil) [ 1073.766763] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1073.786140] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1073.793839] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1073.801098] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1073.808354] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1073.815611] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1073.822870] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002a [ 1073.833125] binder: 29594:29596 BC_FREE_BUFFER u0000000000000000 no match 05:01:17 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket(0xa, 0x2, 0x0) ioctl$PPPOEIOCDFWD(r1, 0xb101, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r1, 0x0, 0x80, &(0x7f0000000600)=@nat={'nat\x00', 0x19, 0x2, 0x348, [0x20000280, 0x0, 0x0, 0x200002b0, 0x200002e0], 0x0, &(0x7f0000000000), &(0x7f0000000680)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff02000000030000000000000000007663616e30000000000000000000000062726964676530000000000000000000736974300000000000000000000000007465616d300000000000000000000000aaaaaaaaaaaa000000000000aaaaaaaaaabb0000000000000000d8010000d801000010020000636f6d6d656e7400000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007374617469737469630000000000000000d90000000000000000000000000000001800000000000000000000000000000000000000000000000000000000000000736e6174000000000000000000000000000000000000000000000000000000001000000000000000aaaaaaaaaa000000ffffffff000000001b0000000000000000007465616d5f736c6176655f310000000069726c616e300000000000000000000069726c616e300000000000000000000073797a6b616c6c0002000000000000000180c2000000000000000000f646793b7b3900000000000000007000000070000000a80000006172707265706c7900000000000000000000000000000000000000000000000010000000000000000180c200000000000000000000000000"]}, 0x3c1) 05:01:17 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x18}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:17 executing program 5: r0 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r1 = socket(0xa, 0x1, 0x0) ioctl(r1, 0x8912, &(0x7f0000000000)="c626262c8523bf012cf66f") fallocate(r0, 0x0, 0x0, 0x4) fallocate(r0, 0x20, 0x0, 0xfffffeff000) lseek(r0, 0x0, 0x4) openat$cuse(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cuse\x00', 0x400400, 0x0) [ 1073.891224] binder: 29594:29596 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:17 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080), 0x0) [ 1073.935079] kernel msg: ebtables bug: please report to author: Wrong len argument [ 1073.951660] binder: 29594:29596 BC_FREE_BUFFER u0000000000000000 no match [ 1074.005982] kernel msg: ebtables bug: please report to author: Wrong len argument 05:01:17 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4800, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1074.145999] binder: 29629:29631 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1074.184387] binder: 29629:29631 BC_FREE_BUFFER u0000000000000000 no match [ 1074.207236] binder: 29629:29631 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1074.218818] binder: 29629:29631 BC_FREE_BUFFER u0000000000000000 no match [ 1074.746235] ALSA: seq fatal error: cannot create timer (-22) 05:01:18 executing program 5: r0 = creat(&(0x7f00006e9ff8)='./file0\x00', 0x0) lremovexattr(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)=@known='security.capability\x00') lsetxattr(&(0x7f0000712ff8)='./file0\x00', &(0x7f0000faffe7)=@known='security.capability\x00', &(0x7f00002b2fec)="0000000201000000000000010400000000000000", 0x14, 0x0) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") write$fuse(r0, &(0x7f0000000000)={0x14, 0x0, 0x0, @fuse_poll_out}, 0x14) 05:01:18 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x10000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:18 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r0, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c) listen(r0, 0x15040003) r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000100)={0x0}, &(0x7f0000000180)=0x8) setsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000001c0)={r2, 0x200, 0x7, 0x401}, 0x10) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r3, 0x84, 0x4, &(0x7f0000000140)=0x2, 0x4) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX_OLD(r3, 0x84, 0x6b, &(0x7f000055bfe4)=[@in6={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}], 0x1c) 05:01:18 executing program 7: r0 = socket$alg(0x26, 0x5, 0x0) dup3(r0, r0, 0x0) bind$alg(r0, &(0x7f000001f000)={0x26, 'hash\x00', 0x0, 0x0, 'hmac(sha384-ssse3)\x00'}, 0x58) r1 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9, 0x414982) getsockopt$inet_sctp_SCTP_GET_PEER_ADDR_INFO(0xffffffffffffff9c, 0x84, 0xf, &(0x7f0000000040)={0x0, @in6={{0xa, 0x4e21, 0x9, @mcast2={0xff, 0x2, [], 0x1}, 0xd35a}}, 0x40, 0x6, 0x401, 0x4a3}, &(0x7f0000000180)=0x98) setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r1, 0x84, 0x71, &(0x7f00000001c0)={r2, 0x2}, 0x8) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000380)="02baa81ed0ee8bc23c146314a73c89d51d0c32f145fd028e76154af9a5e352527e187c307457ce1b04c69918a092d53e52c1c84c60a6a0c0891fcff50a194111477a0f605133e622e91455209338d7f1e185666a59441a8fa1dcbdb2871b18010a7956e4757a4c80f335df4c106e36f90a971069da9be963e324eac4a2129f6c42be5917450f85c9f2d0439e887c7f60e03e5e69a512f7f5ecbc9d7be5feeb3aeba756e6ab5d03afeb503fbb63702ea74f7462874938c5cfe50000000000005c6fc0cab883bcfda1a6fa8c0fcf48b383d6a092d6d526055d084cc37d4a6273fd81ef251f612c9100bf5b654e45c78c5dcb5a50049ca4fe3da82341f582ac4954", 0x265) r3 = syz_open_dev$admmidi(&(0x7f0000000100)='/dev/admmidi#\x00', 0x7, 0x103000) epoll_wait(r3, &(0x7f0000000140)=[{}, {}, {}], 0x3, 0x3f) 05:01:18 executing program 1 (fault-call:4 fault-nth:43): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:18 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') r1 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00') sendmsg$IPVS_CMD_GET_DAEMON(r0, &(0x7f0000000400)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000240)={0xb4, r1, 0x20, 0x70bd26, 0x25dfdbfc, {0xb}, [@IPVS_CMD_ATTR_SERVICE={0x28, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x8, 0x6, 'nq\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x58}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@local={0xfe, 0x80, [], 0xaa}}]}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x3}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x94e}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x1}]}, @IPVS_CMD_ATTR_DAEMON={0xc, 0x3, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e21}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x6}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x800}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x3}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x81}, @IPVS_CMD_ATTR_SERVICE={0x30, 0x1, [@IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@loopback={0x0, 0x1}}, @IPVS_SVC_ATTR_TIMEOUT={0x8, 0x8, 0x5}, @IPVS_SVC_ATTR_AF={0x8, 0x1, 0xa}, @IPVS_SVC_ATTR_PE_NAME={0x8, 0xb, 'sip\x00'}]}]}, 0xb4}, 0x1, 0x0, 0x0, 0x8080}, 0x4000) readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:18 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xfdfdffff}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6c, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1074.914589] ALSA: seq fatal error: cannot create timer (-22) [ 1074.959628] binder: 29644:29646 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1074.982573] binder: 29644:29646 BC_FREE_BUFFER u0000000000000000 no match [ 1074.993661] FAULT_INJECTION: forcing a failure. [ 1074.993661] name failslab, interval 1, probability 0, space 0, times 0 [ 1075.001320] binder: 29644:29646 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1075.004956] CPU: 1 PID: 29650 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1075.018770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1075.028133] Call Trace: [ 1075.030745] dump_stack+0x1b9/0x294 [ 1075.034397] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1075.039606] ? unwind_get_return_address+0x61/0xa0 [ 1075.044553] ? graph_lock+0x170/0x170 [ 1075.048368] should_fail.cold.4+0xa/0x1a [ 1075.052444] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1075.057566] ? __lock_is_held+0xb5/0x140 [ 1075.061644] ? __kmalloc_node_track_caller+0x47/0x70 [ 1075.061931] binder: 29644:29646 BC_FREE_BUFFER u0000000000000000 no match [ 1075.066760] ? graph_lock+0x170/0x170 [ 1075.066782] ? __x64_sys_sendto+0xe1/0x1a0 [ 1075.066801] ? find_held_lock+0x36/0x1c0 [ 1075.066820] ? __lock_is_held+0xb5/0x140 [ 1075.066843] ? check_same_owner+0x320/0x320 [ 1075.094185] ? rcu_note_context_switch+0x710/0x710 [ 1075.099137] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1075.104430] __should_failslab+0x124/0x180 05:01:18 executing program 5: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x1, 0x4) connect$inet6(r0, &(0x7f0000000080)={0xa}, 0x1c) bpf$OBJ_GET_PROG(0x7, &(0x7f0000000140)={&(0x7f0000000000)='./file0\x00', 0x0, 0x10}, 0x10) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0xfffffffffffffedc) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f0000000100)={0x303, 0x33}, 0x28) recvmsg(r0, &(0x7f0000002700)={&(0x7f00000001c0)=@pptp={0x0, 0x0, {0x0, @multicast2}}, 0x80, &(0x7f0000002640), 0x0, &(0x7f00000026c0)=""/28, 0x1c}, 0x2123) 05:01:18 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x10, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:18 executing program 4: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) pipe2(&(0x7f00000000c0)={0xffffffffffffffff}, 0x800) ioctl$BLKRESETZONE(r2, 0x40101283, &(0x7f0000000100)={0x1000, 0x8}) ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000040)={0x4, 0xffffffffffffffff}) dup2(r0, r1) dup2(r1, r3) [ 1075.108674] should_failslab+0x9/0x14 [ 1075.112487] kmem_cache_alloc_node+0x272/0x780 [ 1075.117083] ? __kmalloc_node_track_caller+0x47/0x70 [ 1075.122211] __alloc_skb+0x111/0x780 [ 1075.125941] ? skb_scrub_packet+0x580/0x580 [ 1075.130278] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1075.135827] ? ip_generic_getfrag+0x11c/0x2d0 [ 1075.140338] ? ip_reply_glue_bits+0xc0/0xc0 [ 1075.144683] ? raw_getfrag+0x15b/0x220 [ 1075.148579] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1075.153618] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1075.158660] ? raw_destroy+0x30/0x30 [ 1075.162401] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1075.168215] ? ipv4_mtu+0x375/0x580 [ 1075.171864] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1075.177337] ? lock_acquire+0x1dc/0x520 [ 1075.181319] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1075.186848] ? ip_setup_cork+0x4dc/0x7c0 [ 1075.190901] ip_append_data.part.48+0xf3/0x180 [ 1075.195472] ? raw_destroy+0x30/0x30 [ 1075.199177] ip_append_data+0x6d/0x90 [ 1075.203002] ? raw_destroy+0x30/0x30 [ 1075.206709] raw_sendmsg+0x1dae/0x29b0 [ 1075.210596] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1075.215690] ? rcu_report_qs_rnp+0x790/0x790 [ 1075.220097] ? graph_lock+0x170/0x170 [ 1075.223892] ? expand_files.part.8+0x9a0/0x9a0 [ 1075.228462] ? check_same_owner+0x320/0x320 [ 1075.232782] ? lock_downgrade+0x8e0/0x8e0 [ 1075.236920] ? lock_release+0xa10/0xa10 [ 1075.240880] ? check_same_owner+0x320/0x320 [ 1075.245190] ? __check_object_size+0x95/0x5d9 [ 1075.249679] inet_sendmsg+0x19f/0x690 [ 1075.253466] ? __might_sleep+0x95/0x190 [ 1075.257426] ? ipip_gro_receive+0x100/0x100 [ 1075.261740] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1075.267286] ? security_socket_sendmsg+0x94/0xc0 [ 1075.272029] ? ipip_gro_receive+0x100/0x100 [ 1075.276339] sock_sendmsg+0xd5/0x120 [ 1075.280041] __sys_sendto+0x3d7/0x670 [ 1075.283830] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1075.288490] ? wait_for_completion+0x870/0x870 [ 1075.293062] ? __lock_is_held+0xb5/0x140 [ 1075.297124] ? __sb_end_write+0xac/0xe0 [ 1075.301091] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1075.306634] ? fput+0x130/0x1a0 [ 1075.309903] ? ksys_write+0x1a6/0x250 [ 1075.313694] ? __ia32_sys_read+0xb0/0xb0 [ 1075.317757] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1075.323300] __x64_sys_sendto+0xe1/0x1a0 [ 1075.327352] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1075.332359] do_syscall_64+0x1b1/0x800 [ 1075.336232] ? finish_task_switch+0x1ca/0x840 [ 1075.340720] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1075.345637] ? syscall_return_slowpath+0x30f/0x5c0 [ 1075.350557] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1075.355909] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1075.360741] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1075.365918] RIP: 0033:0x4559f9 [ 1075.369091] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1075.388338] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1075.396035] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1075.403295] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 05:01:18 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @multicast2=0xe0000002}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) ioctl$FIDEDUPERANGE(r3, 0xc0189436, &(0x7f0000000240)={0x1000, 0x21, 0x4, 0x0, 0x0, [{r2, 0x0, 0x5}, {r3, 0x0, 0x8001}, {r1, 0x0, 0x80000001}, {r1, 0x0, 0x2}]}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1075.410552] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1075.417808] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1075.425067] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002b 05:01:18 executing program 7: setsockopt$inet_dccp_buf(0xffffffffffffffff, 0x21, 0xc, &(0x7f0000000100)="f84a21a8a96cd8da40ee6ccd2cd9bb2e5480ffc399622faefe64607460207c9b0a42fc8651bb2ee4f71aba52d2cba52039c2ea9f2d6ee20b13fc022a84af1217d7ee65a634ce098d1b45a60740d7edb9f981f9bda4894b5c219762db0e6437a937f6ee90acc62de5d805a9c49b79943b63f8985b18", 0x75) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x400004b) 05:01:18 executing program 5: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000000)="025cc83d6d345f8f760070") r1 = memfd_create(&(0x7f000088f000)='\x00\x00\x00', 0x4) ftruncate(r1, 0x1000000) read(r1, &(0x7f0000000000)=""/48, 0xfffffdef) r2 = socket$inet6(0xa, 0x2000000080803, 0x1d8b) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r3 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_mtu(r3, 0x29, 0x17, &(0x7f0000000000)=0x4, 0x4) connect$inet6(r3, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev={0xfe, 0x80}, 0x4}, 0x1c) sendmmsg(r3, &(0x7f00000092c0), 0x4ff, 0x0) 05:01:18 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x8000000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1075.508326] binder: 29673:29676 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1075.542635] binder: 29673:29676 BC_FREE_BUFFER u0000000000000000 no match [ 1075.576463] binder: 29673:29676 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:18 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000440)=[{&(0x7f0000001d80)=""/4096, 0x1000}], 0x1000000000000079) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000140)=0x0) fcntl$setownex(r1, 0xf, &(0x7f00000001c0)={0x0, r3}) r4 = socket$inet6(0xa, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r4, 0x84, 0x12, &(0x7f00000002c0), &(0x7f0000000400)=0x4) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$bt_rfcomm_RFCOMM_CONNINFO(r0, 0x12, 0x2, &(0x7f0000000240)=""/71, &(0x7f0000000040)=0x47) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:18 executing program 7: r0 = syz_init_net_socket$llc(0x1a, 0x1000000001, 0x0) accept4(r0, &(0x7f0000000040)=@can, &(0x7f00000000c0)=0x80, 0x1) syz_mount_image$xfs(&(0x7f0000000000)='xfs\x00', &(0x7f0000000100)='./file0\x00', 0x5, 0x8, &(0x7f0000000600)=[{&(0x7f0000000140)="dc6c28be60f2852678e58dfcfa2b4cb0cacd4612ca89d715baf090e9473ca2daace068866011403da2a78a033d39ced7c84c37b0cad67091383dea9c84c6a7a2413a87519ce9b8f1402a7c09b8bd0792ec1a6faa42bb1fc523702017313f473c7be5391c4526f4f2ff6842a151ff48edc915c324829864880ff1f6e6f0c3033ce054c82adde34702f9e4ba6044cb97067b88e56b8bf6543803ca3901154b0e9d619d4a1968575cfdef0783", 0xab, 0x100000000}, {&(0x7f0000000200)="23ebf28a75757784442cfba73b7479975f694989a5bfe223f6fec72990dd1789a291da58ef0465ce4f78eaf23c170be3f6b7d8522254e247e1ea705a5e3995d24997d6e0fd3982271c27297c3964076da79620602b96c66134e7850dcb24507c0c1a537187d3fe8b5f59b18357261b1b85a7894a0d0cccbbed1b54", 0x7b, 0x3}, {&(0x7f0000000280)="80330f591210d8793bb4c016f7b1e0cbf9c4e281697205c477badc23ade6d56106d0c69c6124bf74051d723de118eeb652f75c02b549c9c4a3066fc71037247511d185b9e0a694661d9cf719b0e855c9fd63cf019e87017fe35d0f167239156d530f878e93e8d9bef1776f2c03ec7a1bcd05a4be7ac6558dc691c107e78245f38540329ceb5bd4af4ffd755ecc507515861aa188d9d5ece465a997b27e7100e81b982e81bf7a35f5c2a3e76253c8b6b61074", 0xb2, 0xb3a}, {&(0x7f0000000340)="c9", 0x1, 0xfffffffffffffbff}, {&(0x7f0000000380)="fbea87b8d72954e0335376d3e33202949b5e35815ed2b43052971a6ec4063831408bfcae7bc070c4bcab94ab7f291bb9534da7a35f3e339fd1983c55a07f6014fc618ba5bf20730efe61aeab42f22eab925d7e2bc3f640f4789c59e9f32c52a532f6b28cd365b9", 0x67, 0x2}, {&(0x7f0000000400)="f73f82ef21b9a052ce3c0a282ab83f2a0c16f24632100045e01ba879be8586520e28616aaad29feb74c066e899209f6df5073e882385458b005151f98ab1560c01c8b90ff2927cf9095b467397bcd7edcac82f9bdd86cd0ecd3cec219e8b1a793331052dfd26ae97eb3f739075f7aeeba3b179d0bcdca869e57706469cdecc639b27667ada79c159aa62ea38", 0x8c, 0x81}, {&(0x7f00000004c0)="08a69e0c28636675961a7020bd5575ea702ccec2237a065c573e695d58a87918e08b30289a46", 0x26, 0x7fff}, {&(0x7f0000000500)="1b543789c3d70c9e874d5f3d6e036f2e8187a3c691969c553e83c74f14a7c2d3435bde4cfbff1e5a09e048f9848b3f2bb1d2af84a8a7fd5a48611f3379491fc3190666dd389a9f8a090ce1bf89c514ca3e0d4e7a6b24a9f45826add2418a3819e3ae334d6566ca9d5ea52b3eb895ab213939e4e5865f026b7146b492e482ef5e79444d9b4021afad37275a91811da862ed7884f7afef37eb74352aeab433ef7f12f85f818c3cd5de741096b05ca03214d799941bc3a6b19b28c959735b7dec41387b4f9f3a", 0xc5, 0x2}], 0x42000, &(0x7f00000006c0)={'nouuid,', {[{@filestreams='filestreams', 0x2c}, {@swidth={'swidth', 0x3d, [0x3d, 0x35, 0x3d, 0x3d, 0x0, 0x3d, 0x7f, 0x3f]}, 0x2c}, {@prjquota='prjquota', 0x2c}, {@uquota='uquota', 0x2c}, {@wsync='wsync', 0x2c}, {@bsdgroups='bsdgroups', 0x2c}]}}) 05:01:18 executing program 1 (fault-call:4 fault-nth:44): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1075.639348] binder: 29673:29676 BC_FREE_BUFFER u0000000000000000 no match 05:01:19 executing program 4: r0 = signalfd(0xffffffffffffffff, &(0x7f0000000040), 0x8) signalfd4(r0, &(0x7f0000000080)={0x29}, 0x8, 0x80000) poll(&(0x7f0000000000)=[{r0}], 0x1, 0x10001) signalfd(r0, &(0x7f0000000700), 0x8) [ 1075.748311] FAULT_INJECTION: forcing a failure. [ 1075.748311] name failslab, interval 1, probability 0, space 0, times 0 [ 1075.759767] CPU: 0 PID: 29702 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1075.766710] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1075.776074] Call Trace: [ 1075.778681] dump_stack+0x1b9/0x294 [ 1075.782327] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1075.787541] ? is_bpf_text_address+0xd7/0x170 [ 1075.792063] ? kernel_text_address+0x79/0xf0 [ 1075.796481] ? __unwind_start+0x166/0x330 [ 1075.800648] should_fail.cold.4+0xa/0x1a [ 1075.804723] ? __save_stack_trace+0x7e/0xd0 [ 1075.809063] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1075.814186] ? graph_lock+0x170/0x170 [ 1075.817999] ? save_stack+0x43/0xd0 [ 1075.821639] ? kasan_kmalloc+0xc4/0xe0 [ 1075.825545] ? kasan_slab_alloc+0x12/0x20 [ 1075.829712] ? find_held_lock+0x36/0x1c0 [ 1075.833793] ? __lock_is_held+0xb5/0x140 [ 1075.837885] ? check_same_owner+0x320/0x320 [ 1075.842222] ? rcu_note_context_switch+0x710/0x710 [ 1075.847173] __should_failslab+0x124/0x180 [ 1075.851418] should_failslab+0x9/0x14 [ 1075.855213] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1075.860310] __kmalloc_node_track_caller+0x33/0x70 [ 1075.865242] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1075.869989] __alloc_skb+0x14d/0x780 [ 1075.873696] ? skb_scrub_packet+0x580/0x580 [ 1075.878010] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1075.883549] ? ip_generic_getfrag+0x11c/0x2d0 [ 1075.888089] ? ip_reply_glue_bits+0xc0/0xc0 [ 1075.892409] ? raw_getfrag+0x15b/0x220 [ 1075.896285] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1075.901295] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1075.906304] ? raw_destroy+0x30/0x30 [ 1075.910014] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1075.915812] ? ipv4_mtu+0x375/0x580 [ 1075.919429] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1075.924882] ? lock_acquire+0x1dc/0x520 [ 1075.928846] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1075.934369] ? ip_setup_cork+0x4dc/0x7c0 [ 1075.938429] ip_append_data.part.48+0xf3/0x180 [ 1075.943003] ? raw_destroy+0x30/0x30 [ 1075.946714] ip_append_data+0x6d/0x90 [ 1075.950501] ? raw_destroy+0x30/0x30 [ 1075.954208] raw_sendmsg+0x1dae/0x29b0 [ 1075.958095] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1075.963197] ? rcu_report_qs_rnp+0x790/0x790 [ 1075.967598] ? graph_lock+0x170/0x170 [ 1075.971391] ? expand_files.part.8+0x9a0/0x9a0 [ 1075.975977] ? check_same_owner+0x320/0x320 [ 1075.980298] ? lock_downgrade+0x8e0/0x8e0 [ 1075.984456] ? lock_release+0xa10/0xa10 [ 1075.988417] ? check_same_owner+0x320/0x320 [ 1075.992727] ? __check_object_size+0x95/0x5d9 [ 1075.997211] inet_sendmsg+0x19f/0x690 [ 1076.000998] ? __might_sleep+0x95/0x190 [ 1076.004960] ? ipip_gro_receive+0x100/0x100 [ 1076.009269] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1076.014794] ? security_socket_sendmsg+0x94/0xc0 [ 1076.019537] ? ipip_gro_receive+0x100/0x100 [ 1076.023870] sock_sendmsg+0xd5/0x120 [ 1076.027571] __sys_sendto+0x3d7/0x670 [ 1076.031361] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1076.036024] ? wait_for_completion+0x870/0x870 [ 1076.040598] ? __lock_is_held+0xb5/0x140 [ 1076.044670] ? __sb_end_write+0xac/0xe0 [ 1076.048633] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1076.054154] ? fput+0x130/0x1a0 [ 1076.057438] ? ksys_write+0x1a6/0x250 [ 1076.061230] ? __ia32_sys_read+0xb0/0xb0 [ 1076.065284] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1076.070116] __x64_sys_sendto+0xe1/0x1a0 [ 1076.074163] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1076.079170] do_syscall_64+0x1b1/0x800 [ 1076.083043] ? finish_task_switch+0x1ca/0x840 [ 1076.087528] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1076.092443] ? syscall_return_slowpath+0x30f/0x5c0 [ 1076.097363] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1076.102727] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1076.107561] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1076.112737] RIP: 0033:0x4559f9 [ 1076.115907] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1076.135146] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1076.142841] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 05:01:19 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x3000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:19 executing program 1 (fault-call:4 fault-nth:45): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:19 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x11e3}], 0x1000000000000096) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1076.150097] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1076.157352] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1076.164620] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1076.171875] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002c [ 1076.183327] ALSA: seq fatal error: cannot create timer (-22) [ 1076.241559] binder: 29717:29718 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1076.263420] FAULT_INJECTION: forcing a failure. [ 1076.263420] name failslab, interval 1, probability 0, space 0, times 0 [ 1076.270949] binder: 29717:29718 BC_FREE_BUFFER u0000000000000000 no match [ 1076.274814] CPU: 0 PID: 29715 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1076.288757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1076.298120] Call Trace: [ 1076.300733] dump_stack+0x1b9/0x294 [ 1076.304393] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1076.309602] ? unwind_get_return_address+0x61/0xa0 [ 1076.314542] ? graph_lock+0x170/0x170 [ 1076.318349] should_fail.cold.4+0xa/0x1a [ 1076.322409] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1076.327509] ? __lock_is_held+0xb5/0x140 [ 1076.331580] ? __kmalloc_node_track_caller+0x47/0x70 [ 1076.336675] ? graph_lock+0x170/0x170 [ 1076.340468] ? __x64_sys_sendto+0xe1/0x1a0 [ 1076.344693] ? find_held_lock+0x36/0x1c0 [ 1076.348768] ? __lock_is_held+0xb5/0x140 [ 1076.352819] ? __irqentry_text_end+0xc0318/0x1f98a8 [ 1076.357834] ? check_same_owner+0x320/0x320 [ 1076.362164] ? rcu_note_context_switch+0x710/0x710 [ 1076.367083] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1076.372349] __should_failslab+0x124/0x180 [ 1076.376591] should_failslab+0x9/0x14 [ 1076.380383] kmem_cache_alloc_node+0x272/0x780 [ 1076.384953] ? __kmalloc_node_track_caller+0x47/0x70 [ 1076.390048] __alloc_skb+0x111/0x780 [ 1076.393759] ? skb_scrub_packet+0x580/0x580 [ 1076.398077] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1076.403602] ? ip_generic_getfrag+0x11c/0x2d0 [ 1076.408087] ? ip_reply_glue_bits+0xc0/0xc0 [ 1076.412402] ? raw_getfrag+0x15b/0x220 [ 1076.416278] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1076.421284] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1076.426292] ? raw_destroy+0x30/0x30 [ 1076.430003] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1076.435789] ? ipv4_mtu+0x375/0x580 [ 1076.439403] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1076.444846] ? lock_acquire+0x1dc/0x520 [ 1076.448809] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1076.454356] ? ip_setup_cork+0x4dc/0x7c0 [ 1076.458419] ip_append_data.part.48+0xf3/0x180 [ 1076.462989] ? raw_destroy+0x30/0x30 [ 1076.466701] ip_append_data+0x6d/0x90 [ 1076.470503] ? raw_destroy+0x30/0x30 [ 1076.474210] raw_sendmsg+0x1dae/0x29b0 [ 1076.478094] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1076.483187] ? rcu_report_qs_rnp+0x790/0x790 [ 1076.487590] ? graph_lock+0x170/0x170 [ 1076.491396] ? expand_files.part.8+0x9a0/0x9a0 [ 1076.495967] ? check_same_owner+0x320/0x320 [ 1076.500287] ? lock_downgrade+0x8e0/0x8e0 [ 1076.504425] ? lock_release+0xa10/0xa10 [ 1076.508412] ? check_same_owner+0x320/0x320 [ 1076.512721] ? __check_object_size+0x95/0x5d9 [ 1076.517212] inet_sendmsg+0x19f/0x690 [ 1076.520997] ? __might_sleep+0x95/0x190 [ 1076.524963] ? ipip_gro_receive+0x100/0x100 [ 1076.529274] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1076.534802] ? security_socket_sendmsg+0x94/0xc0 [ 1076.539544] ? ipip_gro_receive+0x100/0x100 [ 1076.543853] sock_sendmsg+0xd5/0x120 [ 1076.547556] __sys_sendto+0x3d7/0x670 [ 1076.551366] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1076.556043] ? wait_for_completion+0x870/0x870 [ 1076.560615] ? __lock_is_held+0xb5/0x140 [ 1076.564672] ? __sb_end_write+0xac/0xe0 [ 1076.568634] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1076.574155] ? fput+0x130/0x1a0 [ 1076.577426] ? ksys_write+0x1a6/0x250 [ 1076.581213] ? __ia32_sys_read+0xb0/0xb0 [ 1076.585259] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1076.590785] __x64_sys_sendto+0xe1/0x1a0 [ 1076.594833] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1076.599840] do_syscall_64+0x1b1/0x800 [ 1076.603716] ? finish_task_switch+0x1ca/0x840 [ 1076.608196] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1076.613114] ? syscall_return_slowpath+0x30f/0x5c0 [ 1076.618035] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1076.623391] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1076.628226] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1076.633414] RIP: 0033:0x4559f9 [ 1076.636586] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1076.655831] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1076.663526] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1076.670783] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1076.678035] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1076.685291] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1076.692547] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002d [ 1076.737021] binder: 29717:29718 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1076.758154] binder: 29717:29718 BC_FREE_BUFFER u0000000000000000 no match [ 1076.862259] ALSA: seq fatal error: cannot create timer (-22) 05:01:20 executing program 5: mprotect(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x8) r0 = socket$key(0xf, 0x3, 0x2) socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00008feff0)={&(0x7f0000000240)={0x2, 0x7, 0x0, 0x0, 0x2}, 0x10}, 0x1}, 0x0) r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x0, 0x0) ioctl$KVM_GET_DIRTY_LOG(r1, 0x4010ae42, &(0x7f0000000080)={0x10000, 0x0, &(0x7f0000ffc000/0x4000)=nil}) 05:01:20 executing program 1 (fault-call:4 fault-nth:46): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:20 executing program 4: pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r0, 0xc0045516, &(0x7f0000000080)=0x8) 05:01:20 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x2}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:20 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1800000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:20 executing program 7: r0 = add_key(&(0x7f0000000440)='big_key\x00', &(0x7f0000000480)={0x73, 0x79, 0x7a}, &(0x7f00000004c0)="72f35301a28f8e81154ff105650cd179fdae1ec4d8e782a685afc58fe9a9808cf71e59e86fd4df45d70335465eb3524794820ac7e774134e43463cfcdae5108f849b08b20050e5a7840211e13b702b369442795864a8eb34b2a759698104685e733170b7120d8d607f46e3b2920af45a3aeb2545017faf8f44e37f084d1ce3d8fdae8222ed9d4575d22a81562daf28a141c23eea6b6b077a37f49fdbca0fe36b5cc7031fe62df1f4f7f16400e6b9826413f846e1426ddbf1272c700c8594e41fa3df20af26e5a865583c46330d225e906bf3bb13929c2a2df768c8684ad139eeb33da5cfb760f72584fdcbdc3fde079d4b289088e0166dc679393e8b0cf9621718c71e9d5f86df69d0e569d5712f935c2c3717709269491d97dd820b843c0df080fce0f0194e09d1d22d697e1f11e04a6aa5ec47bafcbab9727c9ea4cbfe5687ff6fb7741801dafce497d75b4de8f6438c03df056a776535100c6fab84d2d5c45ad743fedc3ff058d3ccffc3e1a8546cee79cec1ac31e016e56d0bd938877d3ad09fa0ab30a91c0e57f6dc36725f5fc28927061d84838ee94097521652bb920655e886561e2d7d4ece20b700bd0a4cd8e79e03df72182809f1f73b6200388ac65656ab6725a77acfe6300805e610a46136dfe206c7f9e3339e13f3ae4179e86e82a47b7ab7a2f1c4de29f7455cdf30ee6fd2e4f107f1859e43d3c911f308d73f69dd7390535181ac8907723842b9236c0ed6d2a3213baab88ec8cbf3e3e81c939877f81f7c2448f56f0cdea670c4f72bb7fb80f0a64c6e9c11a187770986993b52d5eb8d98704dac18090aadcaec0f64a9e2a269e9af386543a7f81c9634106836df048194f9f87b850112d4b7564cd272789b1be65ee67608985ce86d62354c8a48613d968c76b8191bb46a8c8bcf11bddb67872043f7605493f3b71b83efe45d92d9066d692a13eb52798d877ef12749ce41ebfe0a612ff6278a39042569c009575615ec0079a84fd5aacd6df493c4b17c9cace7d436bfb265385522c9e9a110b902d0a40c6eb65d206a215e6a1a2930c18fe6e6bf1d29b87d04c1543f4b8db573f2ca1ef9e67c90a7d3afca756cea38afbfb5fe2f43a8d8f913f8cd27d9c74c2e86f889c9a103f4d4fcd91642788886548b8bbba751405e37752978a9b3aa685dcb37519d71f399dc7ec7561024e463e35ecca30537c6e6569417a72c04272cc87f02f0c919084aad7c6a4c29913da04e5097ebdd169059070c9611c546cccf5369b56af02fb9a471167bf94dad9ff277901b3a5046e934b7c08068e212ce81744f7f89fa40dcf72cee409f11c77ce83c97447ed39f3b205afdfe605c424bfe8dcd1d2aef6234fcf5eb6be259915839d8190247cd165f155aaee354eb2f64635228cc5604e38db68f9babb5828c72c816d6865332f6af4eb036bcdcf0706f12b717ae14630eeb4a6f7dc2cca118322bb95264e24702d874cb0ad4e8543bc341e317e55d78ff29d9e0fffa0971880fa62e354ef26dfd3f16e8833d53feb0fa2c01ce422dad6b2f69557dd108a998237d4d4ed229d63cb5c662ed71d02d508dc2d673b21e25b1c0ce598fd7d0ca9912fefe6ba03e9a81a7d015a15f5268bc2ab4986dccbb33d3859d38ae7d5b08f1fdc74f430f01d88c415b2be91f029388ff75de04288c87fd5ef23f658b6c7847bcb123de382fc15f8383f0488575b07afe5bedbe2b3d774f243c322fb454ac2fb4c4", 0x4d1, 0xfffffffffffffffb) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0x0, 0xffffffffffffffff, 0x0) keyctl$read(0xb, r0, &(0x7f00000014c0)=""/4096, 0x1000) r1 = memfd_create(&(0x7f0000000100)="6869675f59f80a6b657900", 0x3) ioctl$FIONREAD(r1, 0x541b, &(0x7f0000000080)) 05:01:20 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x68000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:20 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") socket$inet6(0xa, 0x80000, 0xfffffffffffffeff) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x4, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f00000001c0)=[{&(0x7f0000000080)}, {&(0x7f0000000140)=""/22, 0x16}], 0x2) readv(r3, &(0x7f0000000040)=[{&(0x7f0000000300)=""/242, 0x138}], 0x1) [ 1077.229825] binder: 29746:29749 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1077.233137] FAULT_INJECTION: forcing a failure. [ 1077.233137] name failslab, interval 1, probability 0, space 0, times 0 [ 1077.248211] CPU: 0 PID: 29745 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1077.255149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1077.264512] Call Trace: [ 1077.267122] dump_stack+0x1b9/0x294 [ 1077.270767] ? dump_stack_print_info.cold.2+0x52/0x52 05:01:20 executing program 4: r0 = socket$kcm(0x29, 0x5, 0x0) io_setup(0x1000, &(0x7f0000000080)=0x0) r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000180)='smaps\x00') pipe2(&(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}, 0x84000) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000340)='net/if_inet6\x00') r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000013c0)='/dev/rfkill\x00', 0x103000, 0x0) r6 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000001480)='/dev/vga_arbiter\x00', 0x410000, 0x0) r7 = openat$ppp(0xffffffffffffff9c, &(0x7f0000001580)='/dev/ppp\x00', 0x101000, 0x0) r8 = memfd_create(&(0x7f0000001640)='cgroup/system)eth1\\)security@trusted\x00', 0x2) accept4$inet6(r2, &(0x7f0000001600)={0x0, 0x0, 0x0, @local}, &(0x7f0000001b00)=0x1c, 0x800) r9 = syz_open_dev$mouse(&(0x7f00000017c0)='/dev/input/mouse#\x00', 0x5, 0x0) r10 = openat$dsp(0xffffffffffffff9c, &(0x7f00000018c0)='/dev/dsp\x00', 0x40000, 0x0) r11 = syz_open_dev$amidi(&(0x7f0000001a00)='/dev/amidi#\x00', 0x9, 0x2) io_submit(r1, 0xa, &(0x7f0000001a80)=[&(0x7f00000001c0)={0x0, 0x0, 0x0, 0x7, 0xffffffffffffffc0, r0, &(0x7f0000000100)="103d0954aa7932a0040f0cd7552e0836e2ff2dc261e11e9ca48370b54e6312d0c13c99d6504824b6ecfb7bbe8ea16470f2241aa2ae9b0fcbb9f972bb7639cd3d2779d09572b54759bf043aa24efae48219f2b038b23e873b6e7293bfe1260363371abd7b95841d4e7bd5de7f08d329846b6d6190782070cce4ab", 0x7a, 0x8, 0x0, 0x1, r2}, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x3, 0x7, r0, &(0x7f0000000200)="fa0da4b6ede0d1425246913ecd6cf7f1f777b0ff52285824f56ca5b40da66e958df3d74c9d8d2d35d84013927eb8ccd0cd37219e610a6987f72f8d9ba687598def6d16c017f023e1a077de1dc998f6de85b2159fe06750d2412a66a75cc0b93c786f927f714d8c9f0a3a60fef055295a6d79d4", 0x73, 0x7f, 0x0, 0x1, r3}, &(0x7f0000000380)={0x0, 0x0, 0x0, 0xf, 0x80000000, r0, &(0x7f0000000300)="d982214ff323a0ae7064cdd9c21afc7bac62c8ed66f791774e205abc05680bf9c3e85e4accee4aecdf5648fbf9", 0x2d, 0x1f, 0x0, 0x0, r4}, &(0x7f0000001400)={0x0, 0x0, 0x0, 0x7, 0x5, r0, &(0x7f00000003c0)="4f4f4e0cd7ce21075d6dfc4f20defc90824544da751bcfdb6654edc64c8ab635058df89f50010978ff906129ce218fc66eb8c50077c9ea19a845031214f73fab98217600f12c653b480f7148c24adcc861d31e2fb435f0581b9f8e3a0c8792a4e5249b92c9e9607a4076cf6f82aff1729bde964cd662525b9b739decda82fd72ad5b2ae9485afda9ab73404391bd7d0d3b3124540d9e6140f85024334169dccadf8dc4477bce37e86aa4ec11ae5b97946f77e0ddd84c8bcf3f0acbafc54182faef6f78d129c867c9413999b7712daa927a6b45509d54d4b842386777349acbf89a8c5d0a7717d018166781afee77ae413766989e626075db721bb31dd02e9d31908d98bcb081850b6840a56305e8f0b3445f1b08054a8998402bab23c9f0746e46c99f03dfafbd1dd54ad606b8fcc368738cc86611e3c1eb9f02f398448b9d254b8b0740d55649f2edd2c96f807688b7cb08ed5bacfc6a995e75acb3fe26444e8021f37a30a0eee0c218eb0b074d18913d5af90f8cd68d1667204811c1c9412f3f08d587434e1352aec3ccc1e14728b18054c9c0763c32494739a1751cd1d1108cf3fef52244bfffa203baab2b71f7777067e65136e9e5f7005ac7ceb22539b55d076dbe638b622aafa65a9ef1f0a72956b029b54a985ae63a8ec639c2ac8da982d094a0be1728277f6b5f9582eaa55f7b89367006765c3bde7593f24494daf6463ac3584fa75be1a3b0079f508a3595f9aed52ee98904a75b5b644512754dbd8d07791783b2ad5285a7233d9b1711ce2b4c31aafca2981c68a23820f298520b646c6cb8269ff2cacefb97885f25d405071a400c07531c24275eb396bc861fd7071a14c52acd03c7075ac4cd92fab7c693c4fb6895007b5434afdf3795bd821d1f35f94911964f8da6c94a1632518fb0e805084c512d68bc97b1d6e0b920f2c0d3f755bbecdc777a59b98263bff89a32e3aa22b22a129ddb9f303ec633bd15dc9c0cfab03a9763256ecfca4a7da397d593f4534320b5e6fe9e4d933520ee635585819972104742065a7bd157f640b9c8dba724a23e1f572178a49fa0fe5eb485ec40d1b23f3d5fc7e0ca86414ddb28496d26189ca5db769bec6f60cde0d28425057280fff6515345e0f413d572bc07c729d257176c576bef8aed1e58d76710ab5b8856a8c2ccbbaf83e9512698a1d98a71fc0bcf199b7b64e5811868b7fd5665929fd6f18e8d5e8465cdc1b87fac3a643622221a10b36643f3b27e8dbe0669fd9033c8da18521e519f0ab698335826f5aae89b0b2dd281ee909a618fa2d076da3cef45dea39b20568e6020565741d8bec8c05201b75675d6ef066d808a04461a54d624535319f360f48a3b45134c4f5236961b8786c8adcb46b6e08c13bfd2d7dd687c9692340894c16a0f757d489fe3aa4e4110ae42908a40fcf0ee29c85045bcd99c47e6fe1ff9243350ca11f5d625edd391079c24355f22a899386687908651dae47b2708062542460d51bd88fcdbd52e28ca9851388ed3a62dd68200668a97be72162e957fea5be982a1427dc68c3592f95d1f1f08992516dc95ba73971fc435555b76747d1f15ec2068f2ec924f1468cdc07a9235b9dfc912d32dcc6ac76bb03aa5ccbd05eceb16ef19a5cfd5944ac1dec57db16f86f4d72ba83086648a6217a0c2aa209c4fe92722c1b476d67df47cfc4d31bfc048b442f7dddd7718dfd8dc867ccfbb1e7c31b4d3ff7b42cbdadf503fb954ce6e2710d3c1d10395696f882fe02c1dd555549491cd13dda36fbadce6b5cdc4faf09f46984bc896700972daff0a2eec26bcea44c260afe6c3fa34f0df8cc65a84d9be2a62f9838827d17331e783cc9e004aa42eecf217dcfd5d237aa41e05300e06a472d57c2d4020de815c6fa03812db589309a5fe24163bc94232bc60b13585b7f88ffa8a81fff703b3cc0644389a7ee6e964ac582a71e3bd0446dcd2fb36ec10698e76ba013b761297c29568c311ced815adf39e85903594949ac3c7a6fd37ad90d90a6fc781b67a301ca16aa0923860f37046fec4490910d6866de6ba5e268581d1028fd9be0adc681dcb6e8adb9043251576fa778917db4f01fbf6973035ff122faf429206e4405b0da82b580c72200d32c66cf52a298a1457233a0eff9fc4e5eff6216fe3547dabaa21c55869e4507f0067efa3096e2ed1332d00c28562fcacf0b143eab42cdd4f0b1432dfe04de4ce4966a80dcfd87a08094d6f0a954ccb915b0f7806d6aed43b8cf63bb13938a3c80f814af976df0488d09e7f4e7ba365988ff99327ec6681851bce0447b0557fdb2bdfc59c76d61cf0875e0ee05dd0dd0891fde4beb201690edf2b57fa033c1252b09bc778893752e7c5ea6000154a5cabbcdbc92086f7c02c520dd9f53c7d2208795cabb1454743afc216fe89bf9bd1850a4ddbb937e029d50cdcc85d2edb459a6ef26a82c6515af1d1ea8be81d104a23ee284a2844f4de47ff3ca0c3553622ea291fc9e861db798a1dec6da8097bf915e45e6e9c7b8eb3ed2cf8e6e52e9cefad0d11b8d5e6b9d27228a66ef617292d05c1f744cc1a224e07aebaaad07da3df2d61c3b0bf2d7f06bc9f4ace87ae4e74f5a10b37aba339470237ea7a8de0eba16023282256a94669b12141c4ffab2ad8e9605b49e0697f52de88dbcc6c74388daa5aefa979ebe79b7264a8955ecb8a13aa3e25634dc348494ed80a2aade0a7740cf48314c1bc0f25e4b2fe30880809e184282cc9079868b9af57662272db6ddd6551bbffdf5c4f39f2e8b3bf0f7bf375b10303ddaba948fb0fb5074e9908a684353162784c9cf5e46fb1ded7ff4a3f44d41029f3a5f9d8e91d863aae9db7f525f8168cadda5ed888790ac6e39efa02c6fcf498e74a9edc0c962b878c00e06a6e6a5be322b8a68c643a5a12b2440cb31dc0b09deb77e0c222ef3e963149875b4e427bbb6fcee3f6714f02a552db057cb60edda355b6a46ddb1464caa3daf9ce5ba7bb0d0062d52e4e9f2672f87a2da4d19157449706ab26f213d2e69a2de4fca9d9504ffe534f9851850c899d51ce71e57d5b9eda5da6c836a687978775abb0585d10e73233263e50539c4815c0faac39cf1b6d8aeb6f904bb1dbedaf6ac1abd1f10672263fe79cf08a4dd7b49e1541056c5fe4e2ec46ded455c1edfa6f64fbcfa091c99f5481c639826ec4e8ab69e6ae163316202a4e0603c49b09d8da3b5c91f470d8a17ddd4bc0af07e63ac3e713a1e2d3e0ad33d21e04db86e4bc1f1b1c0b3f58a04a2c92e18ccfac29114c9cb2f078b7369c5a98cf6170172370e11f524e8cb31a1fb1c93bb3f4dac97f4f5ad17f3c6ac6e4b3c2c23d718ca368a7112866df2da68cb7921df7f800d273ac56f3e340052aaa7cf0881b7a980c5827161c52dea20f1a7ec07e991bb941ddb25711016bd1951c19769d9fff40b7591af5ad9f46410c5d07ddad85d6f1551e35c320a6fa684893d66d6d40883d16d5f6ab9c0d5cf83ec43331d9426cf3a0ed5b959a95324c505390bf397b79651a4329d6a3eb605c085ecdd3e15039fd574bc6f978a50ec6f517639dcb14128d9971c953ddf2a39a48d7dc3a74eab6c2cc92e0e41de0b92139e03ae596fa18152a581530c579f29dd3bf0a830b11ed8e45f3371390ce0f43364bf3758df141d6fac219f321e821da3083384f7d3f124fee22ba2163265eb5a7c0188ab258392e886736447fc996c918a1428b4b3c48386f4163aad7245b7715f12a939eb3237f8dd35317c45d3f2327e2500855c3758d4b5064da34dd027c8d87fa40e26dd7b1eb8a640da5537d274063000fe7eda1a592925f97abbc7cea97c30274b8c2eaa1943018041fc7620869aa6804bc0d67fa3690029b7c2d64a190446f5a23ec14538dced1573e73e5814ba3a22810bf8802026c129bbb2046fe366605960a88d7d085cdf77751d5b5f5f8283da1ee1eb05aa2596b758cad0e112433476d8526c6a47136538cb50ee72c4779c7d7d62048efcac86e573631d8d780bf06e85761d2da89b55832e3315fd8e38bcdb9ae0f5f06bfa52cffa2371b38fb5bd23e5341da1c27c95e16b358963757249e644a615f20694c4f4ae5629d76774b73619026c22df48e5c80b5177dfbc141830c1f6e604c91da6f06073d1575bf827b2069c6da99fd2d70b628c0901d9c3f5036f4d748a1313ae5368de1be430bf325c24d5879440e3aa487fe8bea23764e551f6cb1c2bc1441860be85fcd8cb2e69bf11f36a573525da61eed5acf74bb0e04edf33ea655304025e359a9447a9d64193fc810ff3f5b1d61bf3a0161535c3e43b31be0792defba90171d4c3efd88cf96aae2765cc72f98040783e9a64cd6576420aff2196692cdcbee21e75a377fd838015350866233f39e1142968ee0364e92e739915e2a264faed0d8f1f755ef462898cec09cf97788f90af246d16310d89546290a03a7ae08ae7bf76c79cf17910a355f637789787f7c14c3d8ff703681ce7f737db508212ba2ed4ec55bb347b5b610fe61455a0faacd90ee291845f9f8d2f8607c15c9bbb74ed3dc877637deb5c9028e2e06d008687f640023abd6e44e7f71fe9690e88671e47bab5903ff14a1e2f4d38f30509068584b692782f56f03eef1b495c4f1c4b738dafcf0d75dfbb64fe75bcbf091e0954eca37d7d084de9d74012d6ab692d2bbb50d7bb7ecf8165eb3fc7506810e5e07bfafdf7f54a8a8f1d352b84971925732338034e88b369146b1880dc445a73464240a610769a5da220149c0db5288ce458f5a328995c5473be49c6f1162e3f71dc700a68de7f07e2ce817b77e1a3e52e2fe86b80157f59658451b6cefaf75dd02946489de99c148de68e155a8524152e7d6b3469caf802f3c6a26e045583ebd795e851eae9d3e3f146f651f5e6704003caa6fc8096113a0cc3725393b983d9319ce012c73bece5c7c191464ed4e6f1c57b265c79d9a222258b00f98c1c48577e2f19a932855c54098ae016233dcc12aff6e60897e9d4277ea2358b78f2ec11e346d619b8d0e739c4bec44bea36c22ccc5ccdbacf51bdc780360c25aa6afc4cc7642b39866db63476c7e1fad38c3964fe413a70fac0c068e43e2f3895ebdc4f0fe5121db045c47459534a5c7b31a76e85a477eb4a682070af462c959c01baea63005c95b93dcf1038aee007de93f519e8735e44ce48b70bf14d7cb8d13454ad757ea816f5e4d2d4dfb78f50d86564142a9f0b64ce415199981dfbb31db0b8635f0f81949d47de5cec223a4b83f6f7e8e6c4a367716038d8568ac3d25bb57df8cf9469db5996d71ec361261303de247454195c56ea543d55f66b17977dc77c7ee996b763dc70ed0a3f1d7238d4dcae5b119d0405feedc9c7af7a8ac63a78eeb6cf8905c89a1c4973a49e383d4cd59ea796c084ae812c4ed28664e7a72c474758a4b2accff57ccff2af7755f59eb8e3536b0f2ee0d9c65f004296051aede8853fea8307ccf91a27c0a7d3596894d4f817b28d94d12b36158fd957c8f71b845fb0c36257e55852a60a57ef58f330f53ee695b3e8181488cf350b6866406fff79d595d371464a18d346193679015fea69d7c0bd81e69fb95de73ff8485ba532e8ba567b452beb589f03b9acaa0978364d9ccc44a2aa2df99c421b35f93b51a23679c556df0c45f0681ba6d7f63bb40faaac18b7ffe9e0d8f04c932527f51dfb2c049daa51ea407678cb4c8480721ca1dc9afc44cb213ed473d0c0e18b869e58c875e109feeeefd2c1bb1e95cc80acbab8e2717675866eab56563726f1cbe6d0a", 0x1000, 0x4, 0x0, 0x1, r5}, &(0x7f00000014c0)={0x0, 0x0, 0x0, 0x2, 0x8, r0, &(0x7f0000001440)="4b85176361a688b32bc3858aa0b3536d08b9fb6cd419672dd6ec26b80f6db6e88974da2126fea4", 0x27, 0x8, 0x0, 0x1, r6}, &(0x7f00000015c0)={0x0, 0x0, 0x0, 0x2, 0x5, r0, &(0x7f0000001500)="abd45fced5349cca9547826d0547c171a71c774386f0eed2c2979bcd2db423c642da74a7a44c39d4c916e5ece568f840bd93e59e642461b3320b0ad18ea6be7fd19d4f10b3dc7df46cc1efd13abad550d0c59691390c77018bd201ac", 0x5c, 0x4, 0x0, 0x1, r7}, &(0x7f0000001680)={0x0, 0x0, 0x0, 0x3, 0x7, r0, &(0x7f0000001600), 0x0, 0x1, 0x0, 0x1, r8}, &(0x7f0000001800)={0x0, 0x0, 0x0, 0x0, 0x80000, r0, &(0x7f00000016c0)="02211fe867ab74f3ffdb9d305f8e6b13760cabe4c9925bbf040f634ab1aaba7fa288dabe3372869f0f4e65f2644c00a753645deba5112940708c9ad9659a3bc4180ad0569b1c734c4db0fdc01f8412251d94f0b2e9d4d864edb29aadda103e3e543dbf741b4067841e3f6ff13715047fcfd64c0a6b3bed23a16212db2d9834b4a19c6648530fee4b732154d574badb7592c61f26e69e5b62843159fd224e0b1d9f07dedacb77ebf1caafdb84c8e2b33433c65c1e8c4fa78caa5d9cd8351cfd48061d1805d281752055f5c85fc467eb1a40007061990b750b73451f03c1e2c37e0c6cc4086c522a81d726d4", 0xeb, 0x8fa0, 0x0, 0x0, r9}, &(0x7f0000001900)={0x0, 0x0, 0x0, 0x5, 0x1, r0, &(0x7f0000001840)="79e7736131bed756a8a10fb0c5faf86a5a16a29e23133d307c11256781d2677018c56ba6d048f3f01967c07991e0a5cd0e343821a10dde0faba32fc866a0e686b7acc930321bdcb27fd4f2d5632983a40eb2d87101f96ce541ac7d55df709a00c84dac0a2649e9", 0x67, 0x8, 0x0, 0x1, r10}, &(0x7f0000001a40)={0x0, 0x0, 0x0, 0x3, 0x0, r0, &(0x7f0000001940)="1fd2ef2a09118470bc1433256da810037ffc75dfee1021ceb43ad50b8eee3d2dcc3f5780d002b77d4a18b341878490642090fb00fc96cf305311eea7ab910146bea4057c3b425c58dc2fd2aa1b6e5c45d109d7591038e44e510d18d1f8c83e655ed769fc4efbcca001cb37bcc6ba6b05439bc68d4a080a0f0064e0c50c7257ae16b6a8decadf40de02670a78d4dc473352940eec7c7ccc044f2a", 0x9a, 0x7, 0x0, 0x1, r11}]) ioctl(r0, 0x8912, &(0x7f00000000c0)="0047fc2f07d82c99240970") splice(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000040), 0x0, 0x0) [ 1077.275967] ? perf_trace_lock_acquire+0xe3/0x980 [ 1077.280844] ? kernel_text_address+0x79/0xf0 [ 1077.282286] binder: 29746:29749 BC_FREE_BUFFER u0000000000000000 no match [ 1077.285260] ? __unwind_start+0x166/0x330 [ 1077.285287] should_fail.cold.4+0xa/0x1a [ 1077.285311] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1077.305551] ? graph_lock+0x170/0x170 [ 1077.309370] ? save_stack+0x43/0xd0 [ 1077.313024] ? kasan_slab_alloc+0x12/0x20 [ 1077.317177] ? find_held_lock+0x36/0x1c0 [ 1077.321241] ? __lock_is_held+0xb5/0x140 [ 1077.325325] ? check_same_owner+0x320/0x320 [ 1077.329634] ? lock_downgrade+0x8e0/0x8e0 [ 1077.333771] ? rcu_note_context_switch+0x710/0x710 [ 1077.338701] __should_failslab+0x124/0x180 [ 1077.342932] should_failslab+0x9/0x14 [ 1077.346724] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1077.351825] __kmalloc_node_track_caller+0x33/0x70 [ 1077.356753] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1077.361511] __alloc_skb+0x14d/0x780 [ 1077.365216] ? skb_scrub_packet+0x580/0x580 [ 1077.369530] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1077.375060] ? ip_generic_getfrag+0x11c/0x2d0 [ 1077.379566] ? ip_reply_glue_bits+0xc0/0xc0 [ 1077.383891] ? raw_getfrag+0x15b/0x220 [ 1077.387768] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1077.392806] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1077.397825] ? raw_destroy+0x30/0x30 [ 1077.401534] ? perf_trace_lock+0x900/0x900 [ 1077.405765] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1077.411557] ? ipv4_mtu+0x375/0x580 [ 1077.415175] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1077.420644] ? lock_acquire+0x1dc/0x520 [ 1077.424622] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1077.430145] ? ip_setup_cork+0x4dc/0x7c0 [ 1077.434203] ip_append_data.part.48+0xf3/0x180 [ 1077.438782] ? raw_destroy+0x30/0x30 [ 1077.442494] ip_append_data+0x6d/0x90 [ 1077.446284] ? raw_destroy+0x30/0x30 [ 1077.449994] raw_sendmsg+0x1dae/0x29b0 [ 1077.453958] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1077.459067] ? graph_lock+0x170/0x170 [ 1077.462868] ? expand_files.part.8+0x9a0/0x9a0 [ 1077.467460] ? lock_downgrade+0x8e0/0x8e0 [ 1077.471605] ? lock_release+0xa10/0xa10 [ 1077.475574] ? __check_object_size+0x95/0x5d9 [ 1077.480066] inet_sendmsg+0x19f/0x690 [ 1077.483857] ? __might_sleep+0x95/0x190 [ 1077.487824] ? ipip_gro_receive+0x100/0x100 [ 1077.492146] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1077.497678] ? security_socket_sendmsg+0x94/0xc0 [ 1077.502423] ? ipip_gro_receive+0x100/0x100 [ 1077.506736] sock_sendmsg+0xd5/0x120 [ 1077.510440] __sys_sendto+0x3d7/0x670 [ 1077.514236] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1077.518902] ? wait_for_completion+0x870/0x870 [ 1077.523482] ? __lock_is_held+0xb5/0x140 [ 1077.527564] ? __sb_end_write+0xac/0xe0 [ 1077.531531] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1077.537058] ? fput+0x130/0x1a0 [ 1077.540333] ? ksys_write+0x1a6/0x250 [ 1077.544131] ? __ia32_sys_read+0xb0/0xb0 [ 1077.548180] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1077.553733] __x64_sys_sendto+0xe1/0x1a0 [ 1077.557783] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1077.562796] do_syscall_64+0x1b1/0x800 [ 1077.566673] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1077.571563] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1077.576486] ? syscall_return_slowpath+0x30f/0x5c0 [ 1077.581409] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1077.586765] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1077.591606] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1077.596783] RIP: 0033:0x4559f9 [ 1077.599958] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1077.619300] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1077.627008] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1077.634269] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1077.641526] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1077.648783] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1077.656043] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002e [ 1077.697189] binder: 29746:29749 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1077.705508] binder: 29746:29749 BC_FREE_BUFFER u0000000000000000 no match [ 1078.082896] ALSA: seq fatal error: cannot create timer (-22) 05:01:21 executing program 4: r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_buf(r0, 0x29, 0x20000000008, &(0x7f0000264000), 0x0) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$inet_sctp6_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000000), 0x4) fcntl$setstatus(r0, 0x4, 0x800) getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000000040)={0x0, @in={{0x2, 0x4e23, @rand_addr=0x8}}, [0x9, 0x8, 0xfffffffffffff000, 0x8, 0x1, 0x6, 0x80, 0x8, 0xffffffffffffffe1, 0x7fff, 0x8, 0x4, 0x7, 0x84b, 0x5]}, &(0x7f0000000140)=0x100) setsockopt$inet_sctp6_SCTP_MAXSEG(r1, 0x84, 0xd, &(0x7f0000000180)=@assoc_value={r2, 0x8000}, 0x8) 05:01:21 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x8912, &(0x7f0000000040)="295ed277a4200100360070") r1 = socket$alg(0x26, 0x5, 0x0) r2 = open(&(0x7f0000000140)='./file0\x00', 0x8000, 0x8) ioctl$sock_bt_cmtp_CMTPCONNDEL(r2, 0x400443c9, &(0x7f0000001200)={{0x0, 0x8, 0x2, 0x2, 0x800, 0x6}, 0x8004}) bind$alg(r1, &(0x7f0000000180)={0x26, 'aead\x00', 0x0, 0x0, 'rfc7539(ctr(serpent),poly1305)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000000100)="0a0775b005e3ffffffff00000000e6ffff8117ad4000030000000026c0000000", 0x20) r3 = accept$alg(r1, 0x0, 0x0) sendmmsg$alg(r3, &(0x7f0000003e80)=[{0x0, 0x0, &(0x7f0000002a80)=[{&(0x7f0000002700)="367322cdb55e553604b7808ce36025cb", 0x10}], 0x1, &(0x7f0000002b00)}], 0x0, 0x0) recvmsg(r3, &(0x7f0000000000)={&(0x7f0000f7ffa8)=@alg, 0x80, &(0x7f00000000c0)=[{&(0x7f0000000200)=""/4096, 0x1000}], 0x1, &(0x7f0000000040)=""/87, 0x57}, 0x0) 05:01:21 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x401f00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:21 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6000000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:21 executing program 1 (fault-call:4 fault-nth:47): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:21 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xffffff7f00000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:21 executing program 5: r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x80, 0x3, @dev={0xfe, 0x80, [], 0x14}, 0xc}, 0x1c) syz_emit_ethernet(0x1, &(0x7f0000000000)=ANY=[@ANYBLOB="0180c2020000aa0400000000000000093a0600083a00fe75557813c2df80ec000000000000bbff02000000000000000000007f3ee2f45763abb3bce27af432ef323fdd202006242f0ccf1056071bb059df6ab9402478eed11b7c36cbad9fa76cc1d849942df345ea280201cfd087584d0700"], &(0x7f0000000100)={0x0, 0x0, [0xfffffffffffffff8, 0x10]}) r1 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cuse\x00', 0x204800, 0x0) r2 = getpgrp(0xffffffffffffffff) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f00000003c0)={{{@in=@local, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast2}}, &(0x7f00000004c0)=0xfffffffffffffec2) ioctl$DRM_IOCTL_GET_CLIENT(r1, 0xc0286405, &(0x7f0000000280)={0x1, 0x1f, r2, 0xa52a, r3, 0x1, 0x1, 0x400}) 05:01:21 executing program 6: socketpair(0x2, 0x800, 0x2, &(0x7f0000000280)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$IOC_PR_CLEAR(r1, 0x401070cd, &(0x7f00000002c0)={0xffffffffffff57ce}) r2 = syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0xffffffff00000000, 0x0) accept$inet(r0, 0x0, &(0x7f0000000400)) getsockopt$inet_mreq(r2, 0x0, 0x23, &(0x7f0000000140)={@multicast2, @broadcast}, &(0x7f00000001c0)=0x8) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000001d80)=""/4096, 0x1000}], 0x1) r4 = socket$inet_tcp(0x2, 0x1, 0x0) r5 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000240)={'bcsh0\x00', 0x1000}) r6 = socket$inet6(0xa, 0x1, 0x0) ioctl$ASHMEM_PURGE_ALL_CACHES(r2, 0x770a, 0x0) ioctl(r6, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") fcntl$F_SET_FILE_RW_HINT(r6, 0x40e, &(0x7f0000000480)) ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r4, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r3, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1078.252314] ALSA: seq fatal error: cannot create timer (-22) [ 1078.311788] binder: 29809:29810 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1078.333088] binder: 29809:29810 BC_FREE_BUFFER u0000000000000000 no match [ 1078.351135] binder: 29809:29810 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:21 executing program 4: r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) ioctl$BLKSECDISCARD(r0, 0x127d, &(0x7f0000000100)=0xffffffffffffc74b) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f00000000c0)="295ee1311f16f477671070") r2 = socket$inet6_sctp(0xa, 0x200000000000005, 0x84) setsockopt$inet_sctp6_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@int=0x658, 0x4) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r2, 0x84, 0x6d, &(0x7f0000ad2000)=ANY=[@ANYBLOB='\x00\x00\x00\x00'], &(0x7f0000000080)=0x23c) 05:01:21 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x5}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:21 executing program 5: r0 = socket$kcm(0x29, 0x5, 0x0) ioctl(r0, 0x8912, &(0x7f0000000240)="0047fc2f07d82c99240970") unshare(0x64000400) r1 = syz_open_dev$adsp(&(0x7f0000000080)='/dev/adsp#\x00', 0x8100000000, 0x101080) ioctl$sock_bt_hidp_HIDPGETCONNLIST(r1, 0x800448d2, &(0x7f00000000c0)={0x4, &(0x7f0000000280)=[{}, {}, {}, {}]}) r2 = socket(0x40000000000a, 0x1, 0x0) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000100)={0x77359400}, 0x10) ioctl$fiemap(0xffffffffffffffff, 0xc020660b, &(0x7f0000000000)=ANY=[@ANYBLOB="0000000000000000000000020000000000000000000000000000001000000000"]) ioctl(r2, 0x8916, &(0x7f0000000000)) ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000040)={'syzkaller0\x00', 0x1a00}) ioctl$FS_IOC_SETFSLABEL(r2, 0x41009432, &(0x7f0000000140)="e9d2d9c84208e4f410a299afa06ccd139f89da488a38623c2412bf0d89bebcd3bd914d4290709b2a553426ae1b6269f41acbeb3fb7bae35b2504281c4fb8e5323b1c52271e25a52e59b6d598a6fca843cd126fac4267c365881a6fe8e1678528d36f5cbedb4ce6a27b473e892d33d312b700ad8c23c10b5119d8dfd536788b0af1fa5c9cbb2c2564bd0893ebf973cdf56aefd1deda47c239d4aa09e6476daf5861afd5957dcbc32d099235a12570b82af2354c364bc5a2fbad5a35e610cadbe1ad7533e1d51632e673ab7ca7828a76427e89bcf98d6b889cbc2f0179a32359fe7844587cdcd6f4700bc2198c14c85a10b9c6e7e0a560c1420f1c8b958e2f3e3c") ioctl(r2, 0x8936, &(0x7f0000000000)) listen(r0, 0x4) [ 1078.358574] binder: 29809:29810 BC_FREE_BUFFER u0000000000000000 no match 05:01:21 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x4, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:21 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000240)='/dev/net/tun\x00', 0x0, 0x4) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$inet_sctp_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000280)={0x0, 0xccd}, &(0x7f00000002c0)=0x8) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000400)={0xa000000, 0xfffffffffffff000, 0x200, 0x9, 0x8, 0xabc, 0x4c, 0x4, r4}, &(0x7f0000000440)=0x20) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r3, 0x84, 0x10, &(0x7f0000000000)=@assoc_value={0x0, 0x1}, &(0x7f0000000040)=0x8) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000140)={r5, 0x10000}, &(0x7f00000001c0)=0x8) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) openat$cgroup_subtree(r0, &(0x7f0000000480)='cgroup.subtree_control\x00', 0x2, 0x0) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) connect$l2tp(r0, &(0x7f00000004c0)=@pppol2tpin6={0x18, 0x1, {0x0, r0, 0x2, 0x3, 0x1, 0x4, {0xa, 0x4e22, 0x6, @remote={0xfe, 0x80, [], 0xbb}, 0x1}}}, 0x32) [ 1078.478413] IPVS: ftp: loaded support on port[0] = 21 05:01:21 executing program 4: r0 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x2) write$binfmt_elf64(r0, &(0x7f0000000480)=ANY=[@ANYRES16=r0], 0x2) ioctl$SG_SET_FORCE_PACK_ID(r0, 0x227b, &(0x7f0000000280)=0x1) r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer\x00', 0xc0840, 0x0) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f0000000100)={0x0, 0x5, 0x20, 0x3, 0xfffffffffffffffb}, &(0x7f0000000180)=0x18) setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f00000001c0)={r2, 0x2, 0x5, [0x2, 0x5, 0x7fffffff, 0x8, 0x4]}, 0x12) readv(r0, &(0x7f0000000140)=[{&(0x7f0000000080)=""/33, 0x21}], 0x1) epoll_ctl$EPOLL_CTL_DEL(r1, 0x2, r1) mq_unlink(&(0x7f0000000000)='vboxnet0\x00') [ 1078.538330] FAULT_INJECTION: forcing a failure. [ 1078.538330] name failslab, interval 1, probability 0, space 0, times 0 [ 1078.549710] CPU: 0 PID: 29843 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1078.556642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1078.565985] Call Trace: [ 1078.568566] dump_stack+0x1b9/0x294 [ 1078.572184] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1078.577365] ? unwind_get_return_address+0x61/0xa0 [ 1078.582282] ? graph_lock+0x170/0x170 [ 1078.586077] should_fail.cold.4+0xa/0x1a [ 1078.590131] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1078.595225] ? __lock_is_held+0xb5/0x140 [ 1078.599274] ? __kmalloc_node_track_caller+0x47/0x70 [ 1078.604372] ? graph_lock+0x170/0x170 [ 1078.608164] ? __x64_sys_sendto+0xe1/0x1a0 [ 1078.612407] ? find_held_lock+0x36/0x1c0 [ 1078.616520] ? __lock_is_held+0xb5/0x140 [ 1078.620576] ? check_same_owner+0x320/0x320 [ 1078.624885] ? rcu_note_context_switch+0x710/0x710 [ 1078.629802] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1078.635071] __should_failslab+0x124/0x180 [ 1078.639302] should_failslab+0x9/0x14 [ 1078.643089] kmem_cache_alloc_node+0x272/0x780 [ 1078.647657] ? __kmalloc_node_track_caller+0x47/0x70 [ 1078.652775] __alloc_skb+0x111/0x780 [ 1078.656481] ? skb_scrub_packet+0x580/0x580 [ 1078.660793] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1078.666339] ? ip_generic_getfrag+0x11c/0x2d0 [ 1078.670830] ? ip_reply_glue_bits+0xc0/0xc0 [ 1078.675146] ? raw_getfrag+0x15b/0x220 [ 1078.679023] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1078.684032] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1078.689050] ? raw_destroy+0x30/0x30 [ 1078.692761] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1078.698549] ? __schedule+0x809/0x1e30 [ 1078.703118] ? ipv4_mtu+0x375/0x580 [ 1078.706738] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1078.712184] ? lock_acquire+0x1dc/0x520 [ 1078.716149] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1078.721685] ? ip_setup_cork+0x4dc/0x7c0 [ 1078.725736] ip_append_data.part.48+0xf3/0x180 [ 1078.730318] ? raw_destroy+0x30/0x30 [ 1078.734020] ip_append_data+0x6d/0x90 [ 1078.737809] ? raw_destroy+0x30/0x30 [ 1078.741511] raw_sendmsg+0x1dae/0x29b0 [ 1078.745397] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1078.750495] ? rcu_report_qs_rnp+0x790/0x790 [ 1078.754898] ? graph_lock+0x170/0x170 [ 1078.758696] ? expand_files.part.8+0x9a0/0x9a0 [ 1078.763265] ? check_same_owner+0x320/0x320 [ 1078.767587] ? lock_downgrade+0x8e0/0x8e0 [ 1078.771725] ? lock_release+0xa10/0xa10 [ 1078.775694] ? check_same_owner+0x320/0x320 [ 1078.780023] ? __check_object_size+0x95/0x5d9 [ 1078.784526] inet_sendmsg+0x19f/0x690 [ 1078.788316] ? __might_sleep+0x95/0x190 [ 1078.792280] ? ipip_gro_receive+0x100/0x100 [ 1078.796593] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1078.802118] ? security_socket_sendmsg+0x94/0xc0 [ 1078.806864] ? ipip_gro_receive+0x100/0x100 [ 1078.811177] sock_sendmsg+0xd5/0x120 [ 1078.814881] __sys_sendto+0x3d7/0x670 [ 1078.818671] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1078.823351] ? wait_for_completion+0x870/0x870 [ 1078.827925] ? __lock_is_held+0xb5/0x140 [ 1078.831984] ? __sb_end_write+0xac/0xe0 [ 1078.835956] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1078.841477] ? fput+0x130/0x1a0 [ 1078.844745] ? ksys_write+0x1a6/0x250 [ 1078.848537] ? __ia32_sys_read+0xb0/0xb0 [ 1078.852598] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1078.857452] __x64_sys_sendto+0xe1/0x1a0 [ 1078.861502] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1078.866507] do_syscall_64+0x1b1/0x800 [ 1078.870380] ? finish_task_switch+0x1ca/0x840 [ 1078.874866] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1078.879785] ? syscall_return_slowpath+0x30f/0x5c0 [ 1078.884703] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1078.890057] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1078.894888] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1078.900061] RIP: 0033:0x4559f9 [ 1078.903235] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1078.922513] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1078.930213] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 05:01:22 executing program 7: r0 = socket(0x40000000015, 0x5, 0x0) ioctl$sock_SIOCOUTQNSD(r0, 0x894b, &(0x7f0000000040)) setsockopt$bt_rfcomm_RFCOMM_LM(r0, 0x12, 0x3, &(0x7f0000000080)=0x40, 0x4) r1 = geteuid() r2 = geteuid() getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000180)={{{@in6=@remote, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @remote}}, 0x0, @in=@broadcast}}, &(0x7f00000000c0)=0xe8) stat(&(0x7f00000002c0)='./file0\x00', &(0x7f0000000300)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) chown(&(0x7f0000000280)='./file0\x00', r1, r4) setsockopt$nfc_llcp_NFC_LLCP_RW(r0, 0x118, 0x0, &(0x7f0000000400)=0x3d02, 0x4) r5 = syz_open_dev$midi(&(0x7f0000000100)='/dev/midi#\x00', 0x100, 0x511100) getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r5, 0x6, 0x23, &(0x7f0000000380)={&(0x7f0000ffd000/0x2000)=nil, 0x2000}, &(0x7f00000003c0)=0x10) ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r5, 0x40042409, 0x0) setreuid(r2, r3) setsockopt$inet_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000440)={0x6ede, 0x8, 0x200, 0x95, 0x7f}, 0x14) epoll_create1(0x80000) dup(r0) capset(&(0x7f0000000000)={0x19980330}, &(0x7f0000001fe8)={0xfffffffc, 0xffffffffffffffff}) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000140)='/proc/sys/net/ipv4/vs/sync_sock_size\x00', 0x2, 0x0) [ 1078.937467] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1078.944722] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1078.951982] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1078.959242] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000002f [ 1078.983076] binder: 29845:29849 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:22 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x207fd) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") recvmsg$kcm(r0, &(0x7f0000000140)={&(0x7f0000000240)=@nl=@proc, 0x80, &(0x7f0000000680)=[{&(0x7f0000001d80)=""/4096, 0x1000}, {&(0x7f0000000400)=""/96, 0x60}, {&(0x7f0000000480)=""/199, 0xc7}, {&(0x7f0000000040)=""/8, 0x8}, {&(0x7f0000000580)=""/219, 0xdb}], 0x5, 0x0, 0x0, 0x3}, 0x20) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(0xffffffffffffffff, 0x8955, &(0x7f0000000d00)={{0x2}, {0x306, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f00000001c0)=0x0) ptrace$setregs(0xf, r3, 0x2, &(0x7f0000000700)="2841bfefd5a6e4d129033e0ba74aa925c94fe742e26cc114d67fc2f35fdc0b75000c94301a1ac6b5e96b6c7528cbcd687f848e3d56ea63a75b712a39e6c8b09aa99e0c4cfbbbe2cf4a17abc16a2145271006237bc0916c8600f07074a892857aa9cab3cda20b46f2440827f8451b05892228fd97c8d09b65f7a34c3e983d3567a49f85cedc0b1895fded297aedeb35c0ac35380712e3b6ec2c") 05:01:22 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x7}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:22 executing program 1 (fault-call:4 fault-nth:48): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1079.023260] binder: 29845:29849 BC_FREE_BUFFER u0000000000000000 no match [ 1079.048874] IPVS: ftp: loaded support on port[0] = 21 [ 1079.060956] binder: 29845:29849 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1079.118593] binder: 29845:29849 BC_FREE_BUFFER u0000000000000000 no match [ 1079.189629] FAULT_INJECTION: forcing a failure. [ 1079.189629] name failslab, interval 1, probability 0, space 0, times 0 [ 1079.200939] CPU: 0 PID: 29874 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1079.207878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1079.217247] Call Trace: [ 1079.219860] dump_stack+0x1b9/0x294 [ 1079.223514] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1079.228723] ? unwind_get_return_address+0x61/0xa0 [ 1079.233668] ? graph_lock+0x170/0x170 [ 1079.237490] should_fail.cold.4+0xa/0x1a [ 1079.241564] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1079.246662] ? __lock_is_held+0xb5/0x140 [ 1079.250710] ? __kmalloc_node_track_caller+0x47/0x70 [ 1079.255803] ? graph_lock+0x170/0x170 [ 1079.259593] ? __x64_sys_sendto+0xe1/0x1a0 [ 1079.263817] ? find_held_lock+0x36/0x1c0 [ 1079.267871] ? __lock_is_held+0xb5/0x140 [ 1079.271926] ? check_same_owner+0x320/0x320 [ 1079.276242] ? rcu_note_context_switch+0x710/0x710 [ 1079.281160] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1079.286426] __should_failslab+0x124/0x180 [ 1079.290649] should_failslab+0x9/0x14 [ 1079.294434] kmem_cache_alloc_node+0x272/0x780 [ 1079.299002] ? __kmalloc_node_track_caller+0x47/0x70 [ 1079.304098] __alloc_skb+0x111/0x780 [ 1079.307805] ? skb_scrub_packet+0x580/0x580 [ 1079.312118] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1079.317645] ? ip_generic_getfrag+0x11c/0x2d0 [ 1079.322132] ? ip_reply_glue_bits+0xc0/0xc0 [ 1079.326459] ? raw_getfrag+0x15b/0x220 [ 1079.330338] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1079.335350] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1079.340358] ? raw_destroy+0x30/0x30 [ 1079.344065] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1079.349853] ? ipv4_mtu+0x375/0x580 [ 1079.353472] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1079.358919] ? lock_acquire+0x1dc/0x520 [ 1079.362884] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1079.368408] ? ip_setup_cork+0x4dc/0x7c0 [ 1079.372459] ip_append_data.part.48+0xf3/0x180 [ 1079.377035] ? raw_destroy+0x30/0x30 [ 1079.380739] ip_append_data+0x6d/0x90 [ 1079.384537] ? raw_destroy+0x30/0x30 [ 1079.388244] raw_sendmsg+0x1dae/0x29b0 [ 1079.392128] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1079.397226] ? rcu_report_qs_rnp+0x790/0x790 [ 1079.401631] ? graph_lock+0x170/0x170 [ 1079.405426] ? expand_files.part.8+0x9a0/0x9a0 [ 1079.409992] ? check_same_owner+0x320/0x320 [ 1079.414313] ? lock_downgrade+0x8e0/0x8e0 [ 1079.418449] ? lock_release+0xa10/0xa10 [ 1079.422411] ? check_same_owner+0x320/0x320 [ 1079.426720] ? __check_object_size+0x95/0x5d9 [ 1079.431204] inet_sendmsg+0x19f/0x690 [ 1079.435002] ? __might_sleep+0x95/0x190 [ 1079.438968] ? ipip_gro_receive+0x100/0x100 [ 1079.443279] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1079.448804] ? security_socket_sendmsg+0x94/0xc0 [ 1079.453545] ? ipip_gro_receive+0x100/0x100 [ 1079.457855] sock_sendmsg+0xd5/0x120 [ 1079.461560] __sys_sendto+0x3d7/0x670 [ 1079.465354] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1079.470015] ? wait_for_completion+0x870/0x870 [ 1079.474588] ? __lock_is_held+0xb5/0x140 [ 1079.478647] ? __sb_end_write+0xac/0xe0 [ 1079.482610] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1079.488130] ? fput+0x130/0x1a0 [ 1079.491399] ? ksys_write+0x1a6/0x250 [ 1079.495189] ? __ia32_sys_read+0xb0/0xb0 [ 1079.499242] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1079.504768] __x64_sys_sendto+0xe1/0x1a0 [ 1079.508814] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1079.513820] do_syscall_64+0x1b1/0x800 [ 1079.517698] ? finish_task_switch+0x1ca/0x840 [ 1079.522183] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1079.527107] ? syscall_return_slowpath+0x30f/0x5c0 [ 1079.532026] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1079.537382] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1079.542217] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1079.547392] RIP: 0033:0x4559f9 [ 1079.550565] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1079.570236] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1079.577932] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1079.585189] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1079.592445] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1079.599700] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1079.606955] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000030 [ 1079.616644] ALSA: seq fatal error: cannot create timer (-22) [ 1079.795110] ALSA: seq fatal error: cannot create timer (-22) 05:01:23 executing program 7: r0 = syz_open_dev$sndctrl(&(0x7f000000a000)='/dev/snd/controlC#\x00', 0x0, 0x0) fcntl$getownex(r0, 0x10, &(0x7f0000000000)={0x0, 0x0}) wait4(r1, &(0x7f0000000040), 0xa, &(0x7f0000000080)) perf_event_open(&(0x7f0000001000)={0x0, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8ce, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000005000), 0x2}, 0x1000000000c}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r0, 0xc0045516, &(0x7f0000004ffc)=0x8001) ppoll(&(0x7f00001b9fb8)=[{r0}], 0x1, &(0x7f0000e5d000)={0x77359400}, &(0x7f000034a000), 0x8) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffff9c, 0x84, 0x73, &(0x7f000000d000), &(0x7f0000001000)=0xfea6) ioctl$SNDRV_CTL_IOCTL_PVERSION(r0, 0xc1105517, &(0x7f0000001000)) 05:01:23 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') r1 = semget$private(0x0, 0x1, 0x8) semctl$GETNCNT(r1, 0x4, 0xe, &(0x7f0000001d80)=""/4096) r2 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$DRM_IOCTL_ADD_BUFS(r0, 0xc0206416, &(0x7f0000000040)={0x3, 0x6, 0x8, 0x201, 0x2, 0x7}) r3 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x7fff, &(0x7f0000000400)="00000000000000000000b256708175ba117b3877d2c0751cd639996506dc1b1d30369734b07634418017c6c7affc525ca5b69a3a41ee48f7451c93c3d99570aa2af420b8437e2c16c54ad4661bf41f2635a93a51d2423d5054455c360c31f9959627d971b7230a06203906950140364c305e36aeb71b0550a79d237b295baf1c26ee142e1e37b9928101769633c183d3a5260a9ebe6a2aff315a463d4b10483b30411d0fb415c863e8d293c27bbf873424f66609a61839cf982b06511b28262dc864f6da57d70e8355") ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r2, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:23 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x6000, 0x0, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:23 executing program 1 (fault-call:4 fault-nth:49): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:23 executing program 5: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) close(r0) bind$alg(r0, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'sha224\x00'}, 0x58) r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000219fa8)={0x26, 'hash\x00', 0x0, 0x0, 'ghash\x00'}, 0x58) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000001f3a)="ad56b6c5820faeb995298992ea54c7be", 0x10) r2 = accept$alg(r0, 0x0, 0x0) sendmmsg$alg(r2, &(0x7f00000030c0)=[{0x0, 0x0, &(0x7f0000000380), 0x0, &(0x7f0000000400)}, {0x0, 0x0, &(0x7f00000008c0)}, {0x0, 0x0, &(0x7f0000002f80), 0x0, &(0x7f0000003040)=[@assoc={0x18, 0x117, 0x4}], 0x18}], 0x3, 0x0) 05:01:23 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x100000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:23 executing program 4: r0 = syz_open_dev$sg(&(0x7f0000000000)='/dev/sg#\x00', 0x0, 0x0) openat$zero(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero\x00', 0x2, 0x0) mmap(&(0x7f0000c00000/0x400000)=nil, 0x400000, 0x0, 0x12, r0, 0x0) 05:01:23 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x700000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1080.125108] binder: 29902:29904 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1080.132141] FAULT_INJECTION: forcing a failure. [ 1080.132141] name failslab, interval 1, probability 0, space 0, times 0 [ 1080.132162] CPU: 1 PID: 29901 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1080.132173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1080.132179] Call Trace: [ 1080.132204] dump_stack+0x1b9/0x294 [ 1080.132226] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1080.132246] ? unwind_get_return_address+0x61/0xa0 [ 1080.132272] should_fail.cold.4+0xa/0x1a [ 1080.132298] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1080.171876] binder: 29902:29904 BC_FREE_BUFFER u0000000000000000 no match [ 1080.176051] ? __lock_is_held+0xb5/0x140 [ 1080.176072] ? __kmalloc_node_track_caller+0x47/0x70 [ 1080.176090] ? graph_lock+0x170/0x170 [ 1080.176110] ? __x64_sys_sendto+0xe1/0x1a0 [ 1080.176128] ? find_held_lock+0x36/0x1c0 [ 1080.176149] ? __lock_is_held+0xb5/0x140 [ 1080.199322] binder: 29902:29904 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1080.201386] ? check_same_owner+0x320/0x320 [ 1080.201406] ? rcu_note_context_switch+0x710/0x710 [ 1080.201423] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1080.201441] __should_failslab+0x124/0x180 [ 1080.201462] should_failslab+0x9/0x14 [ 1080.213162] binder: 29902:29904 BC_FREE_BUFFER u0000000000000000 no match [ 1080.213520] kmem_cache_alloc_node+0x272/0x780 [ 1080.213539] ? __kmalloc_node_track_caller+0x47/0x70 [ 1080.213564] __alloc_skb+0x111/0x780 [ 1080.267368] ? skb_scrub_packet+0x580/0x580 [ 1080.271701] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1080.277250] ? ip_generic_getfrag+0x11c/0x2d0 [ 1080.281760] ? ip_reply_glue_bits+0xc0/0xc0 [ 1080.286109] ? raw_getfrag+0x15b/0x220 [ 1080.290009] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1080.295047] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1080.300086] ? raw_destroy+0x30/0x30 [ 1080.303829] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1080.309652] ? ipv4_mtu+0x375/0x580 [ 1080.313296] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1080.318770] ? lock_acquire+0x1dc/0x520 [ 1080.322757] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1080.328300] ? ip_setup_cork+0x4dc/0x7c0 [ 1080.332375] ip_append_data.part.48+0xf3/0x180 [ 1080.336966] ? raw_destroy+0x30/0x30 [ 1080.340690] ip_append_data+0x6d/0x90 [ 1080.344495] ? raw_destroy+0x30/0x30 [ 1080.348228] raw_sendmsg+0x1dae/0x29b0 [ 1080.352154] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1080.357276] ? zap_class+0x720/0x720 [ 1080.361014] ? graph_lock+0x170/0x170 [ 1080.364838] ? expand_files.part.8+0x9a0/0x9a0 [ 1080.369455] ? lock_downgrade+0x8e0/0x8e0 [ 1080.373605] ? lock_release+0xa10/0xa10 [ 1080.377570] ? check_same_owner+0x320/0x320 [ 1080.381884] ? __check_object_size+0x95/0x5d9 [ 1080.386376] inet_sendmsg+0x19f/0x690 [ 1080.390170] ? __might_sleep+0x95/0x190 [ 1080.394136] ? ipip_gro_receive+0x100/0x100 [ 1080.398449] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1080.403975] ? security_socket_sendmsg+0x94/0xc0 [ 1080.408720] ? ipip_gro_receive+0x100/0x100 [ 1080.413034] sock_sendmsg+0xd5/0x120 [ 1080.416737] __sys_sendto+0x3d7/0x670 [ 1080.420527] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1080.425219] ? wait_for_completion+0x870/0x870 [ 1080.429811] ? __sb_end_write+0xac/0xe0 [ 1080.433793] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1080.439319] ? fput+0x130/0x1a0 [ 1080.442593] ? ksys_write+0x1a6/0x250 [ 1080.446386] ? __ia32_sys_read+0xb0/0xb0 [ 1080.450450] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1080.456003] __x64_sys_sendto+0xe1/0x1a0 [ 1080.460067] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1080.465074] do_syscall_64+0x1b1/0x800 [ 1080.468947] ? finish_task_switch+0x1ca/0x840 [ 1080.473436] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1080.478355] ? syscall_return_slowpath+0x30f/0x5c0 [ 1080.483292] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1080.488664] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1080.494113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1080.499290] RIP: 0033:0x4559f9 [ 1080.502462] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 05:01:23 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x7400, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:23 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x20000100000001, &(0x7f0000000040)="0000e0ff00000000000000") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1080.521742] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1080.529438] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1080.536694] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1080.543954] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1080.551213] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1080.558471] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000031 05:01:23 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f0000000080)='/dev/snd/seq\x00', 0x0, 0x0) r1 = socket$inet6(0xa, 0x800, 0xffffffffffffffff) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x4e21, 0x10000, @loopback={0x0, 0x1}, 0x3}, 0x1c) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x200000, 0x0) getsockopt$ARPT_SO_GET_INFO(r2, 0x0, 0x60, &(0x7f00000001c0)={'filter\x00'}, &(0x7f0000000040)=0x44) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r0, 0xc08c5334, &(0x7f0000dc5f98)) 05:01:23 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000001000)={0x26, 'rng\x00', 0x0, 0x0, 'drbg_pr_ctr_aes128\x00'}, 0xfffffffffffffe28) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r1, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f00005ec000)="366521ab415b7ac7", 0x8) r2 = accept$alg(r0, 0x0, 0x0) sendmmsg(r2, &(0x7f0000006f00)=[{{&(0x7f0000003b80)=@pptp={0x18, 0x2}, 0x80, &(0x7f0000006e80)=[{&(0x7f0000005dc0)="d92299facf69eb601e0633897635c3d884d7e6ecdc74244a5745ce0df8828ea098511bee666097bfd9eeecadf7cac346c39bb627fec92025685faa40fbc387caab146311ce53c40cc7d952e0f11004590b88de8e399646f0dd83fe83176c0be0041cb69fb6d3256bf28480b6533a8f833907ae6b56eb773c5f741f11824331ab8c9bc3b13f1bafd2a159e264f90e98f9bffc34eb89a8b739509006f479d79f7705350ee385cdf49610bec6727b995d485960ecd7f16d4aee79e72b2f150815f4f0f9a99baba25088eb0544b3a4866af336a74055e708d7f79a2a0ffdc1fa8e94768d11097cd6e42c278e3c805c9b6465802dee01b935971a4393263930e584dfcffd40cb0b8089b39db6d1b3ad80ebd28ca6d2a61cb6f86a4b0be23652fa6310ceb58fa26a379bbaf61fcf79ad1a7256868c466efcefa21937603e26784184d7fa8bf8dc437da4913069727dc2d11295e695d31862dfa6ff47c4a73328937aafadbd4d667417b8e080b80279cfe36ddc7d5380685354eefca89c5a151cce35ca08e52f7febcbc42e35a6328a18d68e6960533ac6eea39188d5cb5f642c6f29e01aa5a7534d1d5c808b747947287ab113ab3a3a4aa6080fe21af2690a5f748e594069b42a132ff0f3fae3f549154a1a5b9cec1aa83e7bd16f92b7a83b42a474c368626a1da29f9d192b315f4cc5f4408210708ae7bc4d9da939ddb7ddbe4f4764f8f6b13e9b599a79185b4a118293077a6ee38ac446d4ebe92334f494951b9672424b7561fe024f8bd58c6f3e15086c810c46225e0f0b4f4a26d726b0038ba39dd85334dfaf494f663919d28e392be8d6ca59e17069bd49be56", 0x259}], 0x1}}], 0x1, 0x0) [ 1080.610462] binder: 29916:29917 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1080.648427] binder: 29916:29917 BC_FREE_BUFFER u0000000000000000 no match 05:01:23 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f0000000140)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) ioctl$PPPIOCGFLAGS(r0, 0x8004745a, &(0x7f0000000040)) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1080.675849] binder: 29916:29917 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:24 executing program 4: r0 = socket$inet6(0xa, 0x4, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f4774b1070") r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'cryptd(hmac(sha256-generic))\x00'}, 0x58) r2 = syz_open_dev$loop(&(0x7f0000000000)='/dev/loop#\x00', 0x1, 0x0) ioctl$LOOP_SET_STATUS64(r2, 0x4c04, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x1, 0x80000001, 0x0, 0x0, 0x5, 0x10, "e52b4169c110b26883fdce4692cf3e02fd35b0f90e531a8e3d63c233a1e3bdb104e6b87486aef435cbd3bf0c8c2a4c25787cce38a344493f62077cf916558530", "ffe18c8b8a9225c814002f854f83f48b3c6d7e9e81ba9c900a3cb7aec43af7f2ec316a60dda73507c85fe1dadee087893c91170b9570fe056d418d9469d231fb", "6af327a597d12250814a8c7b097b1f60ded4251b890dd2f600945765051f449f", [0x3ff]}) r3 = accept$alg(r1, 0x0, 0x0) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000000180), 0xd0) write$binfmt_elf64(r3, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x38}, [{}]}, 0x78) [ 1080.718514] binder: 29916:29917 BC_FREE_BUFFER u0000000000000000 no match 05:01:24 executing program 1 (fault-call:4 fault-nth:50): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:24 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23}, 0x1c) listen(r1, 0xffffffffffffff7f) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) sendto$inet6(r2, &(0x7f0000e33fe0)='X', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback={0x0, 0x1}}, 0x1c) setsockopt$inet6_int(r0, 0x29, 0xff, &(0x7f0000000000)=0x9, 0x4) setsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f00000000c0)={0x4}, 0x20) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f0000000140)={0x0, 0x2}, 0x8) sendto$inet6(r2, &(0x7f0000000080)="ba", 0x1, 0x0, 0x0, 0x0) [ 1080.873571] FAULT_INJECTION: forcing a failure. [ 1080.873571] name failslab, interval 1, probability 0, space 0, times 0 [ 1080.884954] CPU: 0 PID: 29943 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1080.891895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1080.901257] Call Trace: [ 1080.903866] dump_stack+0x1b9/0x294 [ 1080.907526] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1080.912737] ? is_bpf_text_address+0xd7/0x170 [ 1080.917253] ? kernel_text_address+0x79/0xf0 [ 1080.921678] ? __unwind_start+0x166/0x330 [ 1080.925850] should_fail.cold.4+0xa/0x1a [ 1080.929928] ? __save_stack_trace+0x7e/0xd0 [ 1080.934273] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1080.939405] ? graph_lock+0x170/0x170 [ 1080.943226] ? save_stack+0x43/0xd0 [ 1080.946869] ? kasan_kmalloc+0xc4/0xe0 [ 1080.950768] ? kasan_slab_alloc+0x12/0x20 [ 1080.954936] ? find_held_lock+0x36/0x1c0 [ 1080.959011] ? __lock_is_held+0xb5/0x140 [ 1080.963100] ? check_same_owner+0x320/0x320 [ 1080.967436] ? rcu_note_context_switch+0x710/0x710 [ 1080.972388] __should_failslab+0x124/0x180 [ 1080.976630] should_failslab+0x9/0x14 [ 1080.980438] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1080.985567] __kmalloc_node_track_caller+0x33/0x70 [ 1080.990512] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1080.995285] __alloc_skb+0x14d/0x780 [ 1080.999014] ? skb_scrub_packet+0x580/0x580 [ 1081.003345] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1081.008885] ? ip_generic_getfrag+0x11c/0x2d0 [ 1081.013395] ? ip_reply_glue_bits+0xc0/0xc0 [ 1081.017738] ? raw_getfrag+0x15b/0x220 [ 1081.021644] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1081.026686] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1081.031727] ? raw_destroy+0x30/0x30 [ 1081.035451] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1081.041262] ? ipv4_mtu+0x375/0x580 [ 1081.044907] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1081.050381] ? lock_acquire+0x1dc/0x520 [ 1081.054354] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1081.059892] ? ip_setup_cork+0x4dc/0x7c0 [ 1081.063943] ip_append_data.part.48+0xf3/0x180 [ 1081.068542] ? raw_destroy+0x30/0x30 [ 1081.072300] ip_append_data+0x6d/0x90 [ 1081.076097] ? raw_destroy+0x30/0x30 [ 1081.079809] raw_sendmsg+0x1dae/0x29b0 [ 1081.083711] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1081.088812] ? rcu_report_qs_rnp+0x790/0x790 [ 1081.093231] ? graph_lock+0x170/0x170 [ 1081.097045] ? expand_files.part.8+0x9a0/0x9a0 [ 1081.101629] ? check_same_owner+0x320/0x320 [ 1081.105966] ? lock_downgrade+0x8e0/0x8e0 [ 1081.110113] ? lock_release+0xa10/0xa10 [ 1081.114087] ? check_same_owner+0x320/0x320 [ 1081.118400] ? __check_object_size+0x95/0x5d9 [ 1081.122902] inet_sendmsg+0x19f/0x690 [ 1081.126706] ? __might_sleep+0x95/0x190 [ 1081.130668] ? ipip_gro_receive+0x100/0x100 [ 1081.134978] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1081.140522] ? security_socket_sendmsg+0x94/0xc0 [ 1081.145278] ? ipip_gro_receive+0x100/0x100 [ 1081.149598] sock_sendmsg+0xd5/0x120 [ 1081.153310] __sys_sendto+0x3d7/0x670 [ 1081.157117] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1081.161806] ? wait_for_completion+0x870/0x870 [ 1081.166403] ? __lock_is_held+0xb5/0x140 [ 1081.170482] ? __sb_end_write+0xac/0xe0 [ 1081.174467] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1081.180014] ? fput+0x130/0x1a0 [ 1081.183313] ? ksys_write+0x1a6/0x250 [ 1081.187129] ? __ia32_sys_read+0xb0/0xb0 [ 1081.191200] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1081.196764] __x64_sys_sendto+0xe1/0x1a0 [ 1081.200839] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1081.205862] do_syscall_64+0x1b1/0x800 [ 1081.209759] ? finish_task_switch+0x1ca/0x840 [ 1081.214267] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1081.219217] ? syscall_return_slowpath+0x30f/0x5c0 [ 1081.224170] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1081.229555] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1081.234418] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1081.239619] RIP: 0033:0x4559f9 [ 1081.242808] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1081.262201] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1081.269917] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1081.277191] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1081.284463] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1081.291731] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1081.298998] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000032 [ 1081.306892] ALSA: seq fatal error: cannot create timer (-22) 05:01:24 executing program 6: socket$bt_hidp(0x1f, 0x3, 0x6) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) fcntl$setstatus(r3, 0x4, 0x4400) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x400, @random="90da5bc97747"}, 0x20, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:24 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFCONF(r0, 0x8910, &(0x7f0000000080)=@req={0x28, &(0x7f0000000040)={'syz_tun\x00', @ifru_map={0x9, 0x1ff, 0x100000000, 0x7fffffff, 0xd4c, 0x7}}}) ioctl$sock_ifreq(r0, 0x4000000000089f0, &(0x7f0000000000)={'bridge0\x00', @ifru_hwaddr=@dev={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa]}}) 05:01:24 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x7400000000000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:24 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3fffffff}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:24 executing program 4: r0 = bpf$PROG_LOAD(0x5, &(0x7f000000d000)={0xa, 0x3, &(0x7f0000000000)=ANY=[@ANYBLOB="850200000095000d0000000004010000180000863efa21593ef6806e1b886b45e27e0000000000445e7b5d77b121bc3062ca24926866912cd40569675ae5c108e3ca4a73c35f36e47dce6d2e0ffc72d64a0e9a61fffe45f92d27c609a3f60f70338d89e6ab1344cefc25dd4b684a212a8d"], &(0x7f0000006000)='syzkaller\x00', 0x6, 0x1000, &(0x7f000000d000)=""/4096}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000000c0)={r0, 0x0, 0x0, 0x9d, &(0x7f0000000080), &(0x7f000000ff63)=""/157, 0xffffffffffffffff}, 0x28) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = add_key$user(&(0x7f0000000080)='user\x00', &(0x7f0000000100)={0x73, 0x79, 0x7a, 0x1}, &(0x7f00000001c0)="30ad7ae182cfd1f67bf1c28d95949d110ac765702cfcce39d5722eec1dfa29d8b1bc33f65107d651e0d00bcea72f82bfea583bdbfcefbc80af6e29e1cfde551a11a56b94840b8ed4737e6c2c61f01ca76ed37294c7fe7258fef7aac4f5ca8fb29b54bf283e070136ef3c011549d5f4dab5c834d6063c3945a95e06cb20a9148cdbfc5f598ef4d99be61e03889f4eb04ef1da957ff6c9cac1d4369ef5edbf543cad6bf510b94440b42083bb42043acff67e785e15cd980fa5765db5cf13fe1b5f23b766e9bd3ea893319b72d3e85b51b497913b1cbbf9ddde576fb76d838918e4d6c5b8114fe4ea4fe5848c4996392c52a866c6cd6c29f60a0beed5c46b1bff18d05520bdfa6ec2cc55391ff3223d7c7f705bfaa059fe9d0a9ac03b01ef9d1196285f4c952cf5bfcd1a61feb97f43c33ed8e042827a459213be5f6f8d8844bf8dfba207ff16f4e2a9b119cf068805e61d7af28049750b95ca668b89019d60f589e9fc68dc66f8f91ad9ad619eeb9a6260d4ecd50ab5b9117d564f1ad53b645e02acacc9c82d6b42588a492c1dcb95a8c83329c031525100de786539def08aee73ad7efb5fef12d4371803a12534e7e0ae7ba3eb632c41b085979e47333d543c8513518a9a50e97dff7310f7c8568c9ff9486716e14635efca4f62fe3cf87ac4b745c46541862254c2a0605281b8f64d781bbb43867f7ef3e7c1bcce9ae4f8382b98a293ed9375cced197c22634e52c7125c9e52482245d60ded7fc6299634c6360bdbf80f6a57c553fdb7771c1021e48968afc9043e111a34a7fb7539178b5a5ac6a35036c88b422ecef48e27c96c7331f008988f0a6ec46cd46f7139c4fbe916caf4d30218460210bc28191f963a7100504e6d94d93532cf8d089a7f981473131c07e327128b0bf24d611ec204bd24495ae887c6b8eaebf1c7b32afcfc20b0b96e9ebe443de026745ce5929bcf0d315c471f12c25d616ad22ec3c796efc3997c023bcc296b2e789fc298b39009312ff24d472791d6892e275d79dc17726a187bf5a7c0a5d620d0d5e953eb9d8ba8c9b591db435b0b50e429f83f553f400d33fae310cbfccabf32136a7cfed3d5b3efb6a4f6b76086a31b424bcf4b35616ab2eacac3880f87cad808a95f53ae85e7e85ec847f8b40947361dc2b425fba62905bb4f20c119e8286000b933450c7244de03c08d70bc60bf964d1da4b8fa43c884438611c693fdcc3a19a6f3639476417a5972c5952d01b6509cd1f82909bca7d099609de4998a98024d308bc21ac35c534cf45f8a5d6ca59fc951bdeea606c34a20eb62e79ebb9b939d0b96bab301e23e2aaceee73350d2ab8cffe6e72ffbc5961b58affc79bb577c44809061b23152236e68d84581e37cabceefdd6deef56833dc9e171055fc18e2b9708a97a7ad1a324ba5b6d912f6d7fe493b2231db27791c76348c3b326edf88fd2c9a658a2621bbae9ece74f83d7a45cab1b1b03b27113802072e91084a03a38e534298a2c10163fa52e0a4cf447695286aa79c4b29499e2e222d897ed75d0ad67d1536ddf1f3a1217692a64097dc1022bc88cd2904ab6f76a5547b04322dadafca3f08064c0bdbe1e2d95ae8d8d4da27986c1df9c83d7886356bd4ff85c60a4e5349153a2aa131384929a222aba5cca948a6c5daa61db71aef449653e9aed36dbde0e5b8137af53b2884f1f10c7f08670c7cd07fafebf8091f80f1007952e368b418067d696dc5e76ac643d5afee26094d1b10fac7a46540754cff570dee6ef9300d9f72ab1ab18ec426ddc83fe80aa96d9b8693c75ed4a0ea63fa17f31c4b5b2ecdbd00e959d56396464f9894d9b2b7c1f431554dbf9dbde96bf8df26b61a07626542ba6d570386492fbf6891792b00082f5a0a0cda7d58a212867bef144c7e7b564427f4f2ff2f09658994cebb870316d35477ea24ee8431428e7100caf07a9fba5ba2ddf361136d5db501a74e70f87f15756a70fef5a6a46ae8e1b3b1dc8387ec1ba2e0b09b40cd2d1fdd47bbe3cc037844bb632f5c80580b428b4b0ca585dd8db2381e842078a76001f7137ffcf01275da298198bd7c4cef17efbe4698ae5b701046c02a456bceb4aef2b6caefb560dd21c2253a0725854e5fce6eb13b57951035d3571bf05aa000a96bfdacb8c0b61fb4a636f63a9df1acc49864d3851540284f88760588808fd2964bea9fa94a4215fdb9c57f742e1292c00bf0101e324723a762a7712e06952fecdb5cd1840ae4d0533722a133a29d5984bc8173329b8ba0d708243f26220e7c257d52ee5e87a0ac316ca0106833bc4497f77457b8b49d7b5d7b98a6d38c53a63acceb4594a12c50f683b416f56942ff65ff044addc43b17b8366bd3f9478649392d5848d9472b233745ec7edebe6d57acf63b529260e2395636ae0550d312ff4cda675b2e610daab7b7e48efbc6cc22653424c02fc6301a7b26345c79a055a7d7f0c3996e311a7869d98438b07ad6a2b433b9c11942fe76184b645673514f27700a733b5b83fe5beadbf00f35e09e3653921ad01a75a09cd7c7202b316321e29ed1186c3b929210a7fe736f0fa80180d2109dcd085d63489366278a67def456686ffa171a6b4e581d6e060db2a3529587f9cacacbb5178442ff51d430f7c87a22c4a58b1d9f3712349f66f8e010860993199a9d4a8c555ead1ac57673ff7a0cdd2bd0260e79a8ced0aa3b3663bcf74b856082064df6066f0a63dab89d3f990167f778304be6f49622c411e82c9b5a0dc42942a4c7549d704a2b37ecaee823f6eb7bb1c355a83336b1405a9d898215a1704ca457d6ce1c694d94aa45a2692382240d8295b9aedca584ec252a021e0a3d898ba19f1df51e361b4a8920787ea8f580fcef9c8e1cbb42317b7bc1d7cc5d92b2bc1619c13811b094095f1187dd409f2d661116c12ceb7ac5595fdea77e5238d15d18b01a9602a3576728b9dadd5caf7389db8d83693b850bb8a12eb0ed2c5425d621356fb07c832c758af76752a4fc0084a6828b81d4cb2a78f58c7121a48c1386982ba15ec7869aaaa4ef7970e21d557db943e88ca15218729a3aa585913b18ce3cee59569c5031771b693cf9ece427e232071031c65aa72d040d5a3a981ebde86baacbd786cb9e4604370b3b18808a1718a02c6801cfdcea3ca01f6b2cbbee5fd26a77f22490b249e72e2add294f6e5c9238f9021e12ec01aba0afe468898128585f59f5c694dbf0bf1e728967436ae1d37be74818557b08c968dee6d554ebbc4e82fd70561178e081cc94e9cba96c1917457acee3c86778975bd75400a5d3522741ddf14767a1f9b5d97efd26292995f686e2340e6c7cdba0d834b08011e32c4af4d081df53d0700f148000149d5e99127db96d0b665f1c84c0d70588f88e1a54c0f72c1eac934ba427ef9204425d2bf2d3bd336f6e840e19b4977af0b52ef24bc1a04cd534b83ffd02189adcfaab12e5565aa7aebabf3884cd0d8f8e73def1acfdbd27b50959f901340522b5bae26374894a02e9bb6a043ee5479144ab9924b4622c81c6aeeaa261afa099770ae7be86e0e320c1f43bed804beb2228aeb0f162df2e00712975c6b948df48e6cf81fa58a4454d8be859ecd9ecbacc962b6dac869bd084b96381b3f4775002dcc0cf9d7fa32a31a70752d37d0b4fa98b3bf51071ed139738305d12be3ac4fbd624b355e7e1efb996cb53c723b8f7893bafb4ca34147c006b2ab606fc1957dca5010dd2c9d8118bc311cf4c31e6e0dd92c65975b2d3b6ca1ea06fbf2d0c9d18a5b65fa03116ede3a7e305f22a4ca641cbd69f76dc0c69c0d7c6d6acc7f391f429643f0980ce2adbd1e1ed5a6daeef45ee01d1cc485507d62bda30492fec20b18b8ff78473387f92f3e0824e857256a9afc9417a8e15e7118884650ff4b8552aae9a2952679defced3de2185dc063531d590d823addf368070f36c5757bd45d7064f90e2f87310f55a19567ad313837866a3b8eca4247bcc18292f5d24e427d34d2043854db303d254964dbe5413e27dbdca20a207f7964fc259513901a7e878f9f99787496af032a9243109b36e1e2c85584d0bb540d6b64e72bc13e695425ecda59188461c5d9456e6327f6fdaff2c3191bd5c54c749679d3cf15019c5d0ac86ffe070bb2da199938619071a05619ebe790886e20e07344a48ddbbcba849cc6bf46b96fcbf41782c53a27785fba411050c9089fe5050092ea251fc6feeae04e24d9ae34a01c3133d8af7b50906f1a8a91aaa4c456b649d3e862c267674055aec0df4334e4c4956800d937fc38b3245dfdc8d751408e9c4038c1e1e88f5a1112c80a2be7a0887e53a2f2bf125644cd44ae4403de0b69bc6ffb31257afd835383349072c75ef276587832e6e426b766c7ee745f7e77934ca803e38af6df4ad5a87a489a782eb175844fd47d185ecc91027a9eafa66776b625b1feaeb5192b704fc0652a6affa8e619fa75f95ffa162d98a3a52172316a016f8d89a26f7c0dcdced012e3dff7ff8f06eef0f6f5b686f5be77c10515ecec4dacaf199d742de0037c271cfef67d1c89e009d100174c231847b20bfa0ab79bfaca2e25a9e90dcd8491213df5a620fdb131afeee82e34fcb41ca3cc34cb600cce2b3ad4a25c1a71e975f08bbdb62324e0b81447956731cb6d0308b83d140b70c201d57ba5b72547f5caa1ee60d443ee3bba5f0e78ccc783b9012fd4cea1382dfb2bf6b785add4516d7634169b4765f488ea7810297ca0581e50174c495415d01b0eaec92222697952406a839ac95d74808a9a1c415b6a32682ea60c83786b96b874bb0559e8ecac3d060b88ce36d776dc57bb19abdfed40a1ea8b4f3f7ca2ac7a78bce05837a2774b0f9cdbf9fcb27e8f5ac4596ee3ad93d9aa70ea3363496cebb49bf29111743e069547f0359bc4e006efefcfa4c45600b85900f7c84303e881710bcb1f697b621ff2a0ca805bc080e1693d562c97890090adbd06f3421ab7678500c4e0748b3fc5240abad7e79589a6068ccb4642a2245dc10678f9dea696798545e0045ffbce822c49c227f9082303974c0ce4057176685683ba8e55d9448125df6ed567a7b7c1eddace097ecd7951d3db7208261cfeebff10e8daf1fdbfd8715d3a8780ccf5f6df2f6a812e18bb481bd7d6b56ae58dd7501931d4eb47f9b4b95c7c04c0b57b452038d1e43400e9ea6b677a17a02da9e0eb5a0f66c99083d6c798d094996340d3e67b0e069e6f2904e2aba3d48eff093f3973ec5a719fff26933e5f504e3e834c53e31b526224cef13b99190aefee15408123f7a6ad127b05b8de8e74cdffc65078ce2b62b7fbf9f27bf7052b097fa8fab397d24cc1c5d1f06ef2dfc5989556cf60c090e6fb31a9ce5685f7ba970b70ee4ce51fc0b4d3e32645201a4f6432b5a074ddf57f76fb3086736655f740730416342843ccef9502fd31ccf5e5f1c2f60789848950bf439a863104b79d0a646bc465aa1f99697b8b949ca87dce22980664dc8adeaf0e26ee77ecb8e291b95c39f90f975c8e9caeeabd2d978d8deaa2db48894e8a0618c983a413c7c538dc446e7c750507832c51fc15e112fd17fc019b2024f1f556ccce297e5ee7c25d34e18190eb22c4522c6e7a27a3abddc63e08415999bd1eb5a7e61089b0bf8fbaba7096b1f2507683ce08ed33ac30e2f1e78c2b1b4c09f23e7e13fed2c0d28a6e521ea1a0ebb7fd9805646662bf6c4f3ccd70baa8979f81deff40552cc4b851c3633c7ef1304b040430682d5e6a4917193ec51206364d2aab95a4dac30604c4ee9574eb0eb", 0x1000, 0xfffffffffffffffc) r2 = request_key(&(0x7f00000011c0)='rxrpc\x00', &(0x7f0000001200)={0x73, 0x79, 0x7a, 0x3}, &(0x7f0000001240)='syzkaller\x00', 0xfffffffffffffff8) r3 = add_key(&(0x7f0000001280)='logon\x00', &(0x7f00000012c0)={0x73, 0x79, 0x7a, 0x2}, &(0x7f0000001300)="263a3b48087cb7b76bb1f8705f53c184a298fdf2071f73ef311921157fec07056e5c77b5584ad55a49063cddcbd328d87de5642c1cf5586bfa282092a8b82ff511b31dc33ccdfef6d5ab973829d2ce084064c57430e764095b3dfe1632b1324eaed8a410ddce7547c969acb896f531a2ad860b055b3e27ad7b6960f7a6138abcbefa162db91fa0da1aac9d63cc4407025c5c6eac444ba84a7e348ab2658932f916d06655b60cbdef1fab67b916713d1a2e2882be9ce8c073e69491e5330de2bc6bfe41c83ea036efe66f86b1418aff1e678d2e44bad6628ff5958e7735406f74415933a3de3c7ce10ba93a1947992e", 0xef, 0xfffffffffffffffc) keyctl$dh_compute(0x17, &(0x7f0000001400)={r1, r2, r3}, &(0x7f0000001440)=""/245, 0xf5, &(0x7f0000001640)={&(0x7f0000001540)={'rmd160-generic\x00'}, &(0x7f0000001580)="897698f3f1bad469e995b8a756f50d55f0a4d7222c5b1c4645567830d153501a58ec08c3789386674eee136cb121966b23ba762f326075aa560c4fb98862b03da13c3fdb591ae127e968eaeea89acd44eff007d45f56894b655848c1379e39bce3b1fa7814c487bf666ec77e1dc2a40786f314dab3b5fba151facdb0e32f48343ae1b28af5423e8081cd", 0x8a}) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000012ff0)={r0, 0x50, &(0x7f000000f000)}, 0x10) r4 = dup(0xffffffffffffffff) setsockopt$l2tp_PPPOL2TP_SO_RECVSEQ(r4, 0x111, 0x2, 0x0, 0x4) 05:01:24 executing program 7: r0 = dup(0xffffffffffffffff) ioctl$EVIOCGABS20(r0, 0x80184560, &(0x7f0000000180)=""/131) mkdir(&(0x7f0000000000)='./file0\x00', 0x0) mount(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='proc\x00', 0x0, 0x0) rename(&(0x7f0000000040)='./file0\x00', &(0x7f0000000080)='./file0/bus\x00') 05:01:24 executing program 1 (fault-call:4 fault-nth:51): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:24 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x2000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) [ 1081.369304] ALSA: seq fatal error: cannot create timer (-22) [ 1081.429731] binder: 29971:29974 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1081.438619] FAULT_INJECTION: forcing a failure. [ 1081.438619] name failslab, interval 1, probability 0, space 0, times 0 [ 1081.449952] CPU: 1 PID: 29970 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1081.456892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1081.459027] binder: 29971:29974 BC_FREE_BUFFER u0000000000000000 no match [ 1081.466253] Call Trace: [ 1081.466284] dump_stack+0x1b9/0x294 05:01:24 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000080)=@broute={'broute\x00', 0x20, 0x1, 0x138, [0x0, 0x0, 0x0, 0x0, 0x0, 0x20000140], 0x0, &(0x7f0000000000), &(0x7f0000000140)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000050000000000000000000000000000000000feffffff01000000030000000000000000006272696467653000000000000000000076657468305f746f5f7465616d0000006970365f76746930000000000000000069705f7674693000000000000000000000000000000000000000000000000000000000000000000000007000000072000000a8000000646e6174000000000000000000000000000000000000000000000000000000001000000000000000aaaaaaaaaa000000feffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff00000000"]}, 0x1b0) getsockopt$EBT_SO_GET_INIT_ENTRIES(r0, 0x0, 0x83, &(0x7f0000000380)={'broute\x00', 0x0, 0x4, 0xdb, [], 0x4, &(0x7f0000000040)=[{}, {}, {}, {}], &(0x7f0000000280)=""/219}, &(0x7f0000000100)=0x78) sigaltstack(&(0x7f0000ffb000/0x4000)=nil, &(0x7f0000000400)) [ 1081.466306] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1081.466327] ? unwind_get_return_address+0x61/0xa0 [ 1081.466355] should_fail.cold.4+0xa/0x1a [ 1081.466379] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1081.498768] ? __lock_is_held+0xb5/0x140 [ 1081.502848] ? __kmalloc_node_track_caller+0x47/0x70 [ 1081.507972] ? graph_lock+0x170/0x170 [ 1081.511799] ? __x64_sys_sendto+0xe1/0x1a0 [ 1081.516055] ? find_held_lock+0x36/0x1c0 [ 1081.520145] ? __lock_is_held+0xb5/0x140 [ 1081.524240] ? check_same_owner+0x320/0x320 [ 1081.528587] ? rcu_note_context_switch+0x710/0x710 [ 1081.532816] binder: 29971:29974 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1081.533530] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1081.533563] __should_failslab+0x124/0x180 [ 1081.549995] should_failslab+0x9/0x14 [ 1081.553810] kmem_cache_alloc_node+0x272/0x780 [ 1081.558407] ? __kmalloc_node_track_caller+0x47/0x70 [ 1081.563523] __alloc_skb+0x111/0x780 [ 1081.567233] ? skb_scrub_packet+0x580/0x580 [ 1081.571551] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1081.577080] ? ip_generic_getfrag+0x11c/0x2d0 [ 1081.581567] ? ip_reply_glue_bits+0xc0/0xc0 [ 1081.585888] ? raw_getfrag+0x15b/0x220 [ 1081.589819] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1081.594829] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1081.599842] ? raw_destroy+0x30/0x30 [ 1081.603559] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1081.609405] ? ipv4_mtu+0x375/0x580 [ 1081.613021] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1081.618518] ? lock_acquire+0x1dc/0x520 [ 1081.622489] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1081.628013] ? ip_setup_cork+0x4dc/0x7c0 [ 1081.632066] ip_append_data.part.48+0xf3/0x180 [ 1081.636638] ? raw_destroy+0x30/0x30 [ 1081.640347] ip_append_data+0x6d/0x90 [ 1081.644140] ? raw_destroy+0x30/0x30 [ 1081.647845] raw_sendmsg+0x1dae/0x29b0 [ 1081.651732] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1081.656825] ? zap_class+0x720/0x720 [ 1081.660553] ? graph_lock+0x170/0x170 [ 1081.664352] ? expand_files.part.8+0x9a0/0x9a0 [ 1081.668936] ? lock_downgrade+0x8e0/0x8e0 [ 1081.673660] ? lock_release+0xa10/0xa10 [ 1081.677630] ? check_same_owner+0x320/0x320 [ 1081.681943] ? __check_object_size+0x95/0x5d9 [ 1081.686431] inet_sendmsg+0x19f/0x690 [ 1081.690217] ? __might_sleep+0x95/0x190 [ 1081.694183] ? ipip_gro_receive+0x100/0x100 [ 1081.698498] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1081.704033] ? security_socket_sendmsg+0x94/0xc0 [ 1081.708778] ? ipip_gro_receive+0x100/0x100 [ 1081.713090] sock_sendmsg+0xd5/0x120 [ 1081.716792] __sys_sendto+0x3d7/0x670 [ 1081.720598] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1081.725268] ? wait_for_completion+0x870/0x870 [ 1081.729854] ? __sb_end_write+0xac/0xe0 [ 1081.733820] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1081.739346] ? fput+0x130/0x1a0 [ 1081.742616] ? ksys_write+0x1a6/0x250 [ 1081.746408] ? __ia32_sys_read+0xb0/0xb0 [ 1081.750459] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1081.755992] __x64_sys_sendto+0xe1/0x1a0 [ 1081.760046] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1081.765074] do_syscall_64+0x1b1/0x800 [ 1081.768948] ? finish_task_switch+0x1ca/0x840 [ 1081.773436] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1081.778359] ? syscall_return_slowpath+0x30f/0x5c0 [ 1081.783283] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1081.788638] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1081.793472] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1081.798649] RIP: 0033:0x4559f9 [ 1081.801824] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1081.821113] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c 05:01:25 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") readv(r1, &(0x7f0000000600)=[{&(0x7f0000000400)=""/254, 0xfe}, {&(0x7f0000001d80)=""/4096, 0x1000}, {&(0x7f0000000040)=""/36, 0x24}, {&(0x7f0000000140)=""/61, 0x3d}, {&(0x7f0000000500)=""/211, 0xd3}, {&(0x7f0000000240)=""/94, 0x5e}], 0x6) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x4000000000000003}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) getsockopt$ax25_buf(r0, 0x101, 0x19, &(0x7f0000000680)=""/219, &(0x7f00000001c0)=0xdb) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x100000000000019e) [ 1081.828812] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1081.836069] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1081.843326] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1081.850599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1081.857855] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000033 [ 1081.869356] binder: 29971:29974 BC_FREE_BUFFER u0000000000000000 no match 05:01:25 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket$inet6(0xa, 0x1, 0x8010000000000084) bind$inet6(r1, &(0x7f0000ef8cfd)={0xa, 0x4e23, 0x0, @ipv4={[], [0xff, 0xff]}}, 0x1c) listen(r1, 0xffffffffffffffe0) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r2, 0x84, 0x6e, &(0x7f0000000080)=[@in={0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, @in={0x2, 0x4e23, @local={0xac, 0x14, 0x14, 0xaa}}], 0x20) r3 = socket$inet6(0xa, 0x1, 0x0) socketpair$inet_udp(0x2, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) setsockopt$ARPT_SO_SET_ADD_COUNTERS(r4, 0x0, 0x61, &(0x7f0000000040)={'filter\x00', 0x4}, 0x68) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r5 = socket$inet6(0xa, 0x3, 0x3) sendmsg$inet_sctp(r5, &(0x7f0000a29000)={&(0x7f0000000a00)=@in6={0xa, 0x0, 0x0, @loopback={0x0, 0x1}}, 0x1c, &(0x7f0000000980)}, 0x0) dup3(r3, r5, 0x0) 05:01:25 executing program 4: symlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='./file0\x00') r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000ff7)='/dev/ppp\x00', 0x0, 0x0) vmsplice(0xffffffffffffffff, &(0x7f0000001000)=[{&(0x7f0000000040)='\x00\x00', 0x2}], 0x1, 0x0) ioctl$EVIOCGPROP(r0, 0xc004743e, &(0x7f0000001000)=""/246) ioctl$EVIOCGREP(r0, 0x4010744d, &(0x7f0000001000)=""/174) 05:01:25 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0xfdfdffff, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:25 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x7000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:25 executing program 5: r0 = socket$inet6(0xa, 0x4, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = syz_init_net_socket$nfc_raw(0x27, 0x5, 0x0) r2 = dup(r1) recvfrom$ipx(r2, &(0x7f0000000080)=""/110, 0x6e, 0x2, &(0x7f0000000140)={0x4, 0x0, 0x0, "e44b2f03fe0e"}, 0x10) 05:01:25 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000040)={"1e6680000000000001000000cb0b00", 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) mkdir(&(0x7f0000000300)='./control\x00', 0x0) mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r4 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000140)={0xaa, 0x20000000}) ioctl$UFFDIO_REGISTER(r4, 0xc020aa00, &(0x7f0000000200)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r5 = creat(&(0x7f0000000040)='./control/file0\x00', 0x0) write$sndseq(r5, &(0x7f0000011fd2)=[{0x0, 0x0, 0x0, 0x0, @time, {}, {}, @time=@time={0x77359400}}], 0x30) mkdir(&(0x7f0000000100)='./file0\x00', 0x0) unlink(&(0x7f00000000c0)='./control/file0\x00') r6 = getpgid(0x0) sched_setaffinity(r6, 0x1cd, &(0x7f0000da3000)=0x2) rename(&(0x7f00000001c0)='./file0\x00', &(0x7f00000002c0)='./control\x00') mkdir(&(0x7f0000000080)='./control/file1\x00', 0x0) close(r4) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:25 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") fcntl$setlease(r0, 0x400, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_opts(r1, 0x29, 0x3b, &(0x7f0000000100)=@fragment, 0x8) setsockopt$inet6_opts(r1, 0x29, 0x36, &(0x7f0000000240)=@fragment, 0x8) [ 1082.048039] binder: 30004:30007 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1082.086965] binder: 30004:30007 BC_FREE_BUFFER u0000000000000000 no match [ 1082.134674] binder: 30004:30007 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1082.166514] binder: 30004:30007 BC_FREE_BUFFER u0000000000000000 no match 05:01:25 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x600000000000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:25 executing program 1 (fault-call:4 fault-nth:52): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:25 executing program 7: r0 = socket$inet6(0xa, 0x5, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000040)="295edb311f16f4a5fd1eb3875dcaab82ac1b671070") socketpair$unix(0x1, 0x5, 0x0, &(0x7f000001a000)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000ab9ff0)={0x2, &(0x7f000039a000)=[{0x20, 0x0, 0x0, 0xfffffffffffff03c}, {0x6}]}, 0x10) recvmmsg(r1, &(0x7f00000020c0)=[{{&(0x7f0000000080)=@pppol2tpin6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @loopback}}}, 0x80, &(0x7f0000000000)=[{&(0x7f0000000100)=""/222, 0xde}, {&(0x7f0000000200)=""/186, 0xba}, {&(0x7f00000002c0)=""/217, 0xd9}, {&(0x7f00000003c0)=""/94, 0x5e}], 0x4}, 0xbaf}, {{0x0, 0x0, &(0x7f0000000940)=[{&(0x7f0000000440)=""/220, 0xdc}, {&(0x7f0000000540)=""/166, 0xa6}, {&(0x7f0000000600)=""/102, 0x66}, {&(0x7f0000000680)}, {&(0x7f00000006c0)=""/128, 0x80}, {&(0x7f0000000740)=""/175, 0xaf}, {&(0x7f0000000800)=""/131, 0x83}, {&(0x7f00000008c0)=""/122, 0x7a}], 0x8, &(0x7f00000009c0)=""/213, 0xd5, 0x8}}, {{&(0x7f0000000ac0)=@llc={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000001040)=[{&(0x7f0000000b40)=""/121, 0x79}, {&(0x7f0000000bc0)=""/167, 0xa7}, {&(0x7f0000000c80)=""/124, 0x7c}, {&(0x7f0000000d00)=""/254, 0xfe}, {&(0x7f0000000e00)=""/133, 0x85}, {&(0x7f0000000ec0)=""/241, 0xf1}, {&(0x7f0000000fc0)=""/92, 0x5c}], 0x7, &(0x7f00000010c0)=""/4096, 0x1000, 0x6}, 0xf2cb}], 0x3, 0x1, &(0x7f0000002180)={0x77359400}) socket$inet6(0xa, 0x6, 0x9) connect$vsock_dgram(r2, &(0x7f00000021c0)={0x28, 0x0, 0xffffffff, @host=0x2}, 0x10) 05:01:25 executing program 4: r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000005c0)='/dev/rfkill\x00', 0x4000, 0x0) ioctl$KVM_SET_BOOT_CPU_ID(r0, 0xae78, &(0x7f0000000600)=0x1) r1 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x3, 0x506502049118ba85) bind$inet(r1, &(0x7f0000000140)={0x2, 0x4e23, @local={0xac, 0x14, 0x14, 0xaa}}, 0x10) setsockopt$RDS_CONG_MONITOR(r1, 0x114, 0x6, &(0x7f0000000180), 0x4) sendmsg$inet_sctp(r1, &(0x7f0000000580)={&(0x7f00000001c0)=@in={0x2, 0x4e22}, 0x10, &(0x7f0000000480)=[{&(0x7f0000000200)="ac61e83253325473394594e547c2b4ef8f65f733f68156403525ede2be26d94dcf028d4ad0df84b53d6736f1ced4fc48e941838baea467c132be3ee5495c5ffedbfedd0c8c023d73931c2e739a650df972764a", 0x53}, {&(0x7f0000000280)="cde929734936b02aeb39f3366dcd9ac87675897864996a3d51a08a8bd420185a6a9ddc59d1de044bbcef2525d9f26fe6cb1ab7b702654e1a9aaaf55317e0d729cc13e1537e02ee9523faec11a1141068daf293d846a10874fda22d79beba83bd4955588aaa270c6240e963a5e90290d38864cf4ad08269d0f3655fd259b7f462138e03afbba090470d649926d1721507a424a642100d90e68d4569e9f3c6a023cb05039aeb3e6e9ee26405cfab5cc1107af642c477554e28fc2005c3f3efe7006ede8c88952eae9ca0cb03d9b311b6586d921f4c136ca665a37024", 0xdb}, {&(0x7f0000000380)="2113f4f3b8243c42011ad0b894527c271c328f6d530fd7928d8da7e14bc7d0e098f0c02621d66b1597ac2186981683f9298062d184d98ca3a2d3577ea46b1a2b87a0618e943158b01bfb2a6b0cb98b58e7dcbfa8b6c68a5ae72d818d2ceec1692755766b78c760795c405cf5a59411c239d75ec34bc6898d73aeb814190f85088c4e091147adf1293c597a18cb2010c44c303d52ce07ac057f4c0896abeeed2b3b150334495adea84645f198ea60f9642b0bd67213bbec4564bbc7ba8c7f46e84a399be85bd4dc27ca9403e1a78e7916a4c03cf3f2ffed05113e7ca86d6ce07716f938372af9813e", 0xe8}], 0x3, &(0x7f00000004c0)=[@dstaddrv6={0x20, 0x84, 0x8}, @dstaddrv6={0x20, 0x84, 0x8}, @init={0x18, 0x84, 0x0, {0x300000, 0x1, 0x101, 0xffffffffffffffff}}, @init={0x18, 0x84, 0x0, {0x3, 0x5, 0x100, 0x1}}, @dstaddrv6={0x20, 0x84, 0x8, @ipv4={[], [0xff, 0xff], @broadcast=0xffffffff}}, @prinfo={0x18, 0x84, 0x5, {0x30}}], 0xa8, 0x44}, 0x40004) setsockopt$inet_opts(r1, 0x0, 0xd, &(0x7f0000000040)="ae04beaea81560cf4ec297ee67d1059a13b3991e98f7827b7eadec32098987b236adf6b6f06230599da654b83126f519d3c6c51ebbcf37b762bf2dbb1801cc12bca74e4b29ad00164f7c426fff9b434e620684acada8c159db0ddb0be91c6f21f686997eb3a739f5abc97ff51499f6ea39f9a86dba5e51f6b872a4ce7ee34b8d75ba9584b1537bd424fc346a04898651137361c1f50f5d76c288c8f7fb9a92d254e210ff2de896a91b37737e1aadc279c686e1b6b036e4ba8672fa1948102cb0fa9bcf27f9ea6b25000e0a8b07daa76a9d7626af033e79dfeb9000", 0xdb) r2 = syz_init_net_socket$bt_sco(0x1f, 0x3, 0x3) sendto(r2, &(0x7f0000000000), 0x0, 0x240008c0, 0x0, 0x0) restart_syscall() 05:01:25 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) ioctl$KVM_CREATE_IRQCHIP(r0, 0xae60) 05:01:25 executing program 5: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) r1 = openat$cgroup_ro(r0, &(0x7f0000000000)='cpu.stat\x00', 0x0, 0x0) ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000140)={r0, r0, 0x10001, 0x0, &(0x7f0000000040)="83ce92621f64f7c47cdc0c788faa01cceea538be01a15166f10114e4eb389bcd2ca6e1b6382e322354541417c3a3172e0d210ede2890046d4948eff76bd0dba29e3fe44ec81baa5d2e9c4056fb692fe73945767ab5fa13a9d6ea9ce0c6bfe2db4464b654e21a7a8b740cb036ccb50f691be637e670d0780ccd46794d63bf123384bb64c480048f2b74082c25e6a57d7a5be0516b38eae612a849672e1aa5ce42c8fee192b0a7de6160c49bcf355fb01ca4b31d582ba530aade1ef0527af80ab0f8109b5c1f", 0xce5e, 0x3, 0x2, 0x8, 0x8, 0x81, 0x80000000, "a3036349585511570fc660ca210d9daf9590c13b8e1b72a57d4370440687742a624d0f8035ebf487bc5554b12d0f417f0826e9dfe8ddb881196c76d4323c0833fa5897b44350b61d2434c1ea2bb0bfddb0d3f3a491d2307b0d566ce9804a203c60032ee967b76799f5088e038a038e5e836618f4c5766983b3f5083cb29e016d80630aeceb7d8451cc88852d78cba5e5b0a814ff56b863bfc6d159ef80489d69048c89a1a3c966c6282ad5986aef9e3c111b33e373e798202b01f3ba7cd8d6de51106e599fc153f82a3373d9e12da280ae45eedb2a85778464f6efe83dc2ee5d9ea5a0f30759e9d40f"}) mmap(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x0, 0x1c0853, r0, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") r2 = syz_open_dev$binder(&(0x7f0000000540)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0xc018620b, 0x0) 05:01:25 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6c}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:25 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1f3ffff8}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1082.581501] binder: 30045:30047 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1082.597687] binder: 30036:30038 ioctl c018620b 0 returned -14 [ 1082.601798] FAULT_INJECTION: forcing a failure. [ 1082.601798] name failslab, interval 1, probability 0, space 0, times 0 [ 1082.614933] CPU: 1 PID: 30039 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1082.617056] binder: 30045:30047 BC_FREE_BUFFER u0000000000000000 no match [ 1082.621861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1082.621867] Call Trace: [ 1082.621894] dump_stack+0x1b9/0x294 [ 1082.621917] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1082.621933] ? is_bpf_text_address+0xd7/0x170 [ 1082.621962] ? kernel_text_address+0x79/0xf0 [ 1082.636910] binder: 30036:30054 ioctl c018620b 0 returned -14 [ 1082.638238] ? __unwind_start+0x166/0x330 [ 1082.638263] should_fail.cold.4+0xa/0x1a [ 1082.638285] ? __save_stack_trace+0x7e/0xd0 [ 1082.676916] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1082.682037] ? graph_lock+0x170/0x170 [ 1082.685831] ? save_stack+0x43/0xd0 [ 1082.689457] ? kasan_kmalloc+0xc4/0xe0 [ 1082.693330] ? kasan_slab_alloc+0x12/0x20 [ 1082.697466] ? find_held_lock+0x36/0x1c0 [ 1082.701518] ? __lock_is_held+0xb5/0x140 [ 1082.705578] ? check_same_owner+0x320/0x320 [ 1082.709955] ? rcu_note_context_switch+0x710/0x710 [ 1082.714874] __should_failslab+0x124/0x180 [ 1082.719100] should_failslab+0x9/0x14 [ 1082.722888] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1082.727986] __kmalloc_node_track_caller+0x33/0x70 [ 1082.732906] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1082.737648] __alloc_skb+0x14d/0x780 [ 1082.741352] ? skb_scrub_packet+0x580/0x580 [ 1082.745665] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1082.751196] ? ip_generic_getfrag+0x11c/0x2d0 [ 1082.755680] ? ip_reply_glue_bits+0xc0/0xc0 [ 1082.759998] ? raw_getfrag+0x15b/0x220 [ 1082.763873] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1082.768885] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1082.773893] ? raw_destroy+0x30/0x30 [ 1082.777600] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1082.783390] ? ipv4_mtu+0x375/0x580 [ 1082.787009] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1082.792457] ? lock_acquire+0x1dc/0x520 [ 1082.796420] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1082.801957] ? ip_setup_cork+0x4dc/0x7c0 [ 1082.806011] ip_append_data.part.48+0xf3/0x180 [ 1082.810593] ? raw_destroy+0x30/0x30 [ 1082.814310] ip_append_data+0x6d/0x90 [ 1082.818103] ? raw_destroy+0x30/0x30 [ 1082.821807] raw_sendmsg+0x1dae/0x29b0 [ 1082.825693] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1082.830787] ? rcu_report_qs_rnp+0x790/0x790 [ 1082.835186] ? graph_lock+0x170/0x170 [ 1082.838977] ? expand_files.part.8+0x9a0/0x9a0 [ 1082.843544] ? check_same_owner+0x320/0x320 [ 1082.847863] ? lock_downgrade+0x8e0/0x8e0 [ 1082.852001] ? lock_release+0xa10/0xa10 [ 1082.855961] ? check_same_owner+0x320/0x320 [ 1082.860271] ? __check_object_size+0x95/0x5d9 [ 1082.864756] inet_sendmsg+0x19f/0x690 [ 1082.868555] ? __might_sleep+0x95/0x190 [ 1082.872524] ? ipip_gro_receive+0x100/0x100 [ 1082.876840] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1082.882366] ? security_socket_sendmsg+0x94/0xc0 [ 1082.887108] ? ipip_gro_receive+0x100/0x100 [ 1082.891486] sock_sendmsg+0xd5/0x120 [ 1082.895187] __sys_sendto+0x3d7/0x670 [ 1082.898990] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1082.903667] ? wait_for_completion+0x870/0x870 [ 1082.908239] ? __lock_is_held+0xb5/0x140 [ 1082.912309] ? __sb_end_write+0xac/0xe0 [ 1082.916274] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1082.921800] ? fput+0x130/0x1a0 [ 1082.925072] ? ksys_write+0x1a6/0x250 [ 1082.928860] ? __ia32_sys_read+0xb0/0xb0 [ 1082.932924] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1082.938452] __x64_sys_sendto+0xe1/0x1a0 [ 1082.942501] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1082.947508] do_syscall_64+0x1b1/0x800 [ 1082.951384] ? finish_task_switch+0x1ca/0x840 [ 1082.955867] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1082.960784] ? syscall_return_slowpath+0x30f/0x5c0 [ 1082.965702] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1082.971056] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1082.975886] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1082.981063] RIP: 0033:0x4559f9 [ 1082.984234] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1083.003499] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1083.011196] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1083.018454] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1083.025711] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:01:26 executing program 5: r0 = socket$inet_tcp(0x2, 0x1, 0x0) io_setup(0x8, &(0x7f0000000140)=0x0) ioctl$DRM_IOCTL_AGP_ALLOC(0xffffffffffffffff, 0xc0206434, &(0x7f0000000240)={0x0, 0x0, 0x5, 0xfffffffffbfffe8b}) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffff9c, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)}, &(0x7f0000000100)=0xffffffffffffffce) r3 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x201, 0x0) getsockopt$inet_sctp6_SCTP_MAXSEG(r3, 0x84, 0xd, &(0x7f0000000040)=@assoc_id=r2, &(0x7f0000000080)=0x4) io_submit(r1, 0x12f, &(0x7f00000000c0)=[&(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, r0, &(0x7f0000001000)}]) 05:01:26 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') openat$vnet(0xffffffffffffff9c, &(0x7f0000000140)='/dev/vhost-net\x00', 0x2, 0x0) readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) setsockopt$netrom_NETROM_N2(r0, 0x103, 0x3, &(0x7f0000000040)=0x9, 0x4) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1083.033053] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1083.040310] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000034 [ 1083.059400] binder: 30045:30047 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:26 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x700}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:26 executing program 4: r0 = socket$inet6(0xa, 0x801, 0x3) mkdir(&(0x7f0000000000)='./file0\x00', 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") llistxattr(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)=""/179, 0xb3) [ 1083.102612] binder: 30045:30047 BC_FREE_BUFFER u0000000000000000 no match 05:01:26 executing program 1 (fault-call:4 fault-nth:53): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:26 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x4c000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:26 executing program 5: r0 = memfd_create(&(0x7f0000000000)=':em1#vmnet1vboxnet0^lotrusted.\x00', 0x2) ioctl$KVM_GET_MP_STATE(r0, 0x8004ae98, &(0x7f0000000080)) r1 = syz_open_dev$sg(&(0x7f0000000040)='/dev/sg#\x00', 0x0, 0x0) ioctl$BLKTRACESTART(r1, 0x1274, 0x0) ioctl$BLKTRACESTOP(r1, 0x1275, 0x0) [ 1083.260705] FAULT_INJECTION: forcing a failure. [ 1083.260705] name failslab, interval 1, probability 0, space 0, times 0 [ 1083.272173] CPU: 0 PID: 30080 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1083.279115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1083.288479] Call Trace: [ 1083.291084] dump_stack+0x1b9/0x294 [ 1083.294728] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1083.299912] ? is_bpf_text_address+0xd7/0x170 [ 1083.304398] ? kernel_text_address+0x79/0xf0 [ 1083.308793] ? __unwind_start+0x166/0x330 [ 1083.312935] should_fail.cold.4+0xa/0x1a [ 1083.316988] ? __save_stack_trace+0x7e/0xd0 [ 1083.321302] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1083.326400] ? graph_lock+0x170/0x170 [ 1083.330193] ? save_stack+0x43/0xd0 [ 1083.333804] ? kasan_kmalloc+0xc4/0xe0 [ 1083.337678] ? kasan_slab_alloc+0x12/0x20 [ 1083.341816] ? find_held_lock+0x36/0x1c0 [ 1083.345870] ? __lock_is_held+0xb5/0x140 [ 1083.349930] ? check_same_owner+0x320/0x320 [ 1083.354238] ? rcu_note_context_switch+0x710/0x710 [ 1083.359162] __should_failslab+0x124/0x180 [ 1083.363408] should_failslab+0x9/0x14 [ 1083.367198] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1083.372296] __kmalloc_node_track_caller+0x33/0x70 [ 1083.377218] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1083.381965] __alloc_skb+0x14d/0x780 [ 1083.385667] ? skb_scrub_packet+0x580/0x580 [ 1083.389978] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1083.395506] ? ip_generic_getfrag+0x11c/0x2d0 [ 1083.399992] ? ip_reply_glue_bits+0xc0/0xc0 [ 1083.404302] ? retint_kernel+0x10/0x10 [ 1083.408184] ? raw_getfrag+0x15b/0x220 [ 1083.412062] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1083.417075] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1083.422088] ? raw_destroy+0x30/0x30 [ 1083.425805] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1083.431600] ? ipv4_mtu+0x375/0x580 [ 1083.435221] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1083.440667] ? lock_acquire+0x1dc/0x520 [ 1083.444631] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1083.450159] ? ip_setup_cork+0x4dc/0x7c0 [ 1083.454209] ip_append_data.part.48+0xf3/0x180 [ 1083.458782] ? raw_destroy+0x30/0x30 [ 1083.462487] ip_append_data+0x6d/0x90 [ 1083.466275] ? raw_destroy+0x30/0x30 [ 1083.470078] raw_sendmsg+0x1dae/0x29b0 [ 1083.473964] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1083.479056] ? rcu_report_qs_rnp+0x790/0x790 [ 1083.483456] ? graph_lock+0x170/0x170 [ 1083.487254] ? expand_files.part.8+0x9a0/0x9a0 [ 1083.491821] ? check_same_owner+0x320/0x320 [ 1083.496140] ? lock_downgrade+0x8e0/0x8e0 [ 1083.500292] ? lock_release+0xa10/0xa10 [ 1083.504255] ? check_same_owner+0x320/0x320 [ 1083.508566] ? __check_object_size+0x95/0x5d9 [ 1083.513060] inet_sendmsg+0x19f/0x690 [ 1083.516844] ? __might_sleep+0x95/0x190 [ 1083.520814] ? ipip_gro_receive+0x100/0x100 [ 1083.525130] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1083.530654] ? security_socket_sendmsg+0x94/0xc0 [ 1083.535396] ? ipip_gro_receive+0x100/0x100 [ 1083.539707] sock_sendmsg+0xd5/0x120 [ 1083.543426] __sys_sendto+0x3d7/0x670 [ 1083.547217] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1083.551879] ? wait_for_completion+0x870/0x870 [ 1083.556452] ? __lock_is_held+0xb5/0x140 [ 1083.560512] ? __sb_end_write+0xac/0xe0 [ 1083.564476] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1083.569997] ? fput+0x130/0x1a0 [ 1083.573264] ? ksys_write+0x1a6/0x250 [ 1083.577056] ? __ia32_sys_read+0xb0/0xb0 [ 1083.581104] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1083.586631] __x64_sys_sendto+0xe1/0x1a0 [ 1083.590681] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1083.595687] do_syscall_64+0x1b1/0x800 [ 1083.599565] ? finish_task_switch+0x1ca/0x840 [ 1083.604054] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1083.608972] ? syscall_return_slowpath+0x30f/0x5c0 [ 1083.613893] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1083.619248] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1083.624081] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1083.629257] RIP: 0033:0x4559f9 [ 1083.632432] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1083.651705] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c 05:01:26 executing program 6: r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000280)='/dev/hwrng\x00', 0x0, 0x0) ioctl$sock_bt(r0, 0x8906, &(0x7f0000001d80)="1ea1b70391567cd0b60c6087e93fb41da7ced5a5329804923ac4fa6ef36b462eb58b75e66434555125cdc52b21bc474739445838cf8f3fdbf0edac7ebc5c3b5c27379ed068e3363f892f625ca11a2bede4a6aed70f2cfde3d7411b02bfa30797ee8cffb94177ac8d7b402dffe4d981fa847bbe35f484384957af21f916fc4e53d8e0c279855b4e240c401584e41c7e593312238bc06cc2f2df6f46bf2b182a8bbc670dc116239b38a1ed9a72935da1ec7f3bc846f5b8da3c2aa7d965d8e70b5b0361dd20b4af8a1aac00a1c0ba7a7c6add77f7fc339d3d3adb83d7864fb6247e87221778d572b3e02275b74088e9696b2e230aeb5a394459009672bc9d21e623eb6b4897eb8b5573fe37a132e8b6258e224f41bdc8121e71f97b55b3bfcc2fb26fe31659887fd43a11696ef8404afd1ea5698cfa06406ce9272c09f509220c992e231dbf32a962d6287f07e10caa50608a27d89ade0fc66cc180c8368d1650640c4a97519867403dd9b8f9f9fa98cd8f207ce796e1b4398c61619dce5ce9c772b99e7c927580d3343c3469bfcff1591bfead84796770bc8df4174ed8034f567ab2b2fcd504e9f2f890927f0cf1166b6d494955790cf16fd9a28297f6457e5a69b4344b85622ed5608c98263f02d65ac8dc490e536a80827ee3ce50bcda203481f70e3f1520bd7a13f0ab44b434e5959a725c03a570df72e468b96333ad718d29e8030a9a600039eaf8df3530dfddfa90aae889cd698ee94837f4e0a806fc6f0760909029febdd50476d8566669df81b2733cdfe7128fc2767b36b153c4aacd96473745b5adef809b57530b53a73d441bdfc710712d82705c9c87855f6c07aa6f02422a69f05adf7d792207b1764133f732e1f0cae99cf97b01d326ec6541c7821b95624bcb36065f5a278cbf8ba43101b611d64b21b45bc422e9b3261c0b4d80539d7eec5d9eb045bc5674f0f32f3d3b20608a0b0201cdc939ac943eaff8ae5afa480296f0b87eeb19d0827ccfc678dee5726a3f099b782d10ad913d3b502a32a99fc294aeb8a48ebff85335d9597a67941b9a0082e3af5983366b6fcc5f705102801d19c80b1813d2032bf6904f5e0c64b149ff533b3d6391d1440e18eb38fdf187093d7cf4a99549d8b49a2382674d7f588dc4c73bf7b0874d5fa61c8e5e08d58ab5b559c56fe4eb32773a3d2d16fbba5122a0eef1498031ca10a9748e613087285ffcfd82f66e933eb96e159295ccbe43fff37c0fccd9f9ced5c77ea5f3a3da493b784abdd70ae570cb6737625f6ceba890698b371f2d8c631c96e1983d5f24d3d109f5838a83432acbc0d06d6bd7a72b375dfc240a72c6848d010643934a85b8b12272423fa68232a68fd77c88ced6e1dfe44b2a44e04db79fde659738327c6105dfbfddd0b461796d612e946c28e02e182a046b4599a50dd156852fd32c1a90f09eea75db40eb02425c8638ccb99a57f9290a38e4ba9669f97175eab81340af37ac2d299cc9fbb81047e572b41546ffda73beff738c649a958fba57035e5bbf6ead81414fe85bcb01938bb228d164d8302594cbaad89e4f6524abca57ffffc4eb83a027db426067faef866f1e0b1910f5c88be7cb2d6274e6bf6a8499f65d4e6dfdb1521342b14f343ea6ff5866e0ba304d080c34524196c3901105f8a7a4315d3d580cd3778098b6c4d426b41d273545fe8b65e0270ac98937c77bdc6d19d29528b8dba18494ce3604423a3ac62c75839abe6cbd417aa81f0bd09effa364392caa1b51899e08da762a839698ef4453ad26931ba2f29e15a08a6c7c15bfc55f1b76c9b5b002ef19fdc486c36bf48ca59bf3a0b83e15ed7f41f2553592c6029dede9e28924fe8a18e5c938edc99e85aaef4147a556ac768df54c970fa55db40993882c628d3285b7d06ee834bf9779f5bff191319ad21ec73bcef3fc032b5182f1f931acdf7cdbc946f6730ad6bbb049c43fbfdd8b6d13a47613dbbf6c1092224e71bd347d1405170e0941d2d2194fea123539a8039a9010f651cc05082df1956f891378f02084b8d101be2800b3f9c6d14c2fa18c044191412b5235563b458631438181d47365c4389fc95d479ab119c6123784b59b526995b4a936dd141067eecd589677a2b1460f566e300bea4bf4a2b8e23b7f1602247058c3c1f6bdc3165da2aa1e9fe61c69d570f7d853bdebfcbc179ad42777867d1b04071a0df0ac3dc70d36df5ec047930f186ede0369a8e1813913276a71b629f74b60702046008b89ae1e185ab826e4ef24e10437858bcc3398f372fb333f560e559ebb61da286a94a9666c7285d56123c206c0b69d824bacfc32166775e6d53bbbe12c1d176be7f5f2685ba6872524ec5b858fd4b30f6c960c7130c1e1ae9ba6c96145302ed8bd98947688905e6691a48203f5d76c0522bb0355bd508e6feadd7ccb15270077e44a71740ae4ec6c3c80c89a71406f4c3b4fbc2a4dae36e74c84a2236354a5e81f1777644bc766eb86a73cb4019cbecf40b5f7d98ce8b83975d6215c66d7af1ba932fbc4b5b2ffaeb8e9447f77df1ef20814e8088a46aaafa6a19decd3466d90802575f33c58bc45bd815e3e41e039662fd8867af420d969679edfb76e8167a2d58b9c8a9dc6724b2d547ae2f960649aadb21dcac10af8cdc66e5ca0f7c3fce5a643fc4da474eb4d3d1b951809afed7fc35e3461a5825f05165479f79987b83b70348f855615f18ecc9e73a9aacaa3c15a283d98be081d141a71836a2aec89bca3f5c36ffe6346997e0a8efd21ddaa2398ae29c6115baf26a260987e062028eff61bedb0353a2c58b5e05187a2d1d8493c230a4eff78f791e34f5b880681d2929bad0df1a762b44ef655c675f67da390fb54502067e55777e1d77441bc2e8e533ecac86fcaac6d710a77954a5d1ad076ecf5619d51baf391f0e43c79d5b324a4244c966adcfeab6ee7456afa346ef78757925cfaa8d7aa25db722b941c56f1a155fd301cf197d21f79be0c10c358cd5c458d6dd709b3c897bb85173cd8b6237af7505c3c69a72761a3376635f4b4aef9a2beddd0751cfb69684222af26fa5c2b47d19413c066c9f2142fc357fb022f9abda948b6efc7cb1b8518ffe4c9f1cb2e4b094755f2762e02043e5287a2b07755f03ce9366b31a39da8d4a84a5ffb0515b7411596389730114964675835a4a3749cf24d0317ab21019471c27ea4ba3dbf3f2e8c65f5869d1c7d3ed4eb5cba913f29a81e3db2891150f4bfb70ba52455602890cbd9b1c64ce91c63db69192934b00f412086c0591c574e8743aa715d92b5c05e696c813e262f11b97eadba45ff5ff4e077e41813e6f7f28a69ce4ed957179ecef7a7c10fc231cd17262d31da2532564cd6bd05a9d148f69b1a73e77274778f4052228a0962808000048e1bf7a82c8fdf59e7821356ce0240233a7b61452f1e17b119283162b9ebc78064905f618c03cd4b89349acf3191f4e731d963a404255934e67c6212f87000faf8442e8b78e068d40860eb44f47161df494b9e961e98ec898eab577fe0b83dedb2fa4c7bc873eba3bb18989c4765c35b00dfeedf14a82b77a3180939ed9f071a6d49477b98e87cc74a6e129bb88d01a8ffd7e6763535ed171ca1f8238f5a83bdd8e95048ed0f5156dd3561ecee49b4e2e18a42182accfcf255c1ecb2d138a00fe57c49a6ced9caad68e479d00a7e6d41852f8cd89a0c01d11f46cd61dc4db9ff5f4bf169536befef5f8d1887a4094159e25cc02e64fc1fbca169721bdcbf8be5778db8e8616cf0dea3dc7d9a5365bd7ada413f9bcc79264935e62e813e136d3b57a873e89cc27b1159f1d3573d2b165b9dbb8101b78934ea3d2006ba49ef9e04aa89a7bfea9293313d9a44f9ce7e873cd3ae68a882c93da43daf874de72cd796d3fefa9838dc76bdffaba6c0e822dbed13ad5678c29a08ff6421e28ab177281b56020e889cbdf1e2676ae424bf059febe35e1475c6a230d1bac09c159ff7e0894ab04f3b66711f23834e4495cb6402cd1cd4ee65ff2f25e88f7466723653b10d18862db6b51c19000901e2ed4643fa1eb3a0b909e5fd6530a2ee82954d4853589e3fc1cc02432a3f84a8571d559c04c4a583a15292e337c9a025da02a308e4ab720b90703ea51da67dfa85c96964023657d41f6da9bfd55d5fe203adac0ce36b3420419f8fadf00a6248cc2674c97d3c8931ff8a876bb923d269b304245552438d78e1b3580460f2efe7f24fb0e50912ec1dfe1e4e2ae4b6bb47fdc57acf831657ca579438622224275006555028501112354329b74f8d8fe6300d60abafa3407e730ee27c90e59133fff1131ca65f59f5b9a713aef6f1d85fca7ddd95bf00983011e98d552f763931a504918601d629d4e9466ed453faaecedacd254e0951b5c7694fb7d9ebd3e0002711aed8faaeb1ec0666415fe194bd19123ad08d4e5d6767fa1b51f262c4af9eb58a3a234ff1523084b6f602ef5a47e07ccbe778d959ddaef6cb8e62e33a15fe0112c84c58eac636b524ba3c3b9873676aac57010973e8b2a17bee46746d3e42d9b20d2b1a4d699bc1f8dcac917f0f5030aaa9732dc8dc887b9a52f6765a18b0ebf0580e66af349f4da745b077c0015c6102ce0f3bca819fa405608b3f09889239e2502a38495e589765240d5fac580b55d24569bd63a7ba851ee0eb3261e780ba884b8cc20a41fbff74c56cb07a23b23ab93a03baaa09e39d7991a542282f72a3c34b5c1cfbd34698ba6b5793d4b3e9b9f2ecbe5d98a928ce827e4a4b11fa59759bb54729f665621de11151e2eb3801e3b2c325011505b3fb8f02ff51c3fc28fd37f9d62d3a41c57c70e2f423337e703bca293204d83b027fc01c672112de962412974b7ba676b19c5bcbbe87ccc98a6474491bfd66034c636bdad7563ba1744a57f39afc2826886cab61ebaca50f2dc46e00567f73eba85c8efb1fd7d003b8a84e004678f26e6029ce2c362d3ffa3e8aee9460f21222402fbee5ebcd1d3efbe22b6c3212712255bf12ae20609d686a96e68e5c0ea37e7e9937f5d1fe690fa1d77b470ee6faedd9b90fa54ba555345034bfaca0de0598b9dcb3ccc9cda26a0aa48a691f0dcc9726e2bbc8bc89f8e3776f693e1bdf33539d9e2df3ce79b7fb04ef0f42140e6faade6cf839ced8dbf82b66d54764eb6974d871005da137731f37f2f7ce69855b0bbf5b0f3ef9f12923c6a5dbccb9d6c56a53ae09c5126a5c652475cc502b082dad2548ee957062cfe1b9644961a09d306ddf005435b79168cdf19b124c43caae520ab2a5cabb6b1354b4af1ae541f8639020a4be9ec3b05c44c4b7ff924f47d2a3705e5290ea7a1fb080848fc6d9a056a0642cb8301070423efc51533aed4bb848d765e9fa20834185a8a8392c76a5fa24c3d1ae59238d9fdf411ca412a9aa773e3f7776e387500eba3f4b81ef75d7c38368740c051ca5be0620418ccd135013a5e5612264448aceffcc0c7299a5ea8e6c3b2c424708c5128b1d59bf9476643d8bea03c23b527ad2c251d735780077b6292ffd4ce46b2fc05cb2b3b1610a6f2d65744d376d0e1c5a265af02dfa89148f3ea839ecb48021219bc78af137e9b5a90c030d1a6059e61d451e17628aaec3b2567ca7c738e0815c28565519918b9703938bc012a517a3c969b0a35f384d59d0624e99b5a41b7f683b52eca9f0127b39290c9087b2c1f62fcd7f8ee131962882d523307bb9b2fd58b5d5931bdb417f16083dc0f877b8dd3acca3709a6f37534e05ac4240c1505c25b5cf009bd4299ecc83906f329a") r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r1, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r2 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$PERF_EVENT_IOC_PERIOD(r1, 0x40082404, &(0x7f00000001c0)=0x80000000) r3 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000140)={"000000006800000000000000000100", 0x10}) ioctl$BLKPBSZGET(r1, 0x127b, &(0x7f0000000040)) ioctl$LOOP_CLR_FD(r1, 0x4c01) ioctl$sock_inet_SIOCSARP(r2, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r1, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) getsockopt$inet_sctp6_SCTP_NODELAY(r1, 0x84, 0x3, &(0x7f0000000200), &(0x7f0000000240)=0x4) [ 1083.659905] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1083.667161] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1083.674419] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1083.681690] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1083.688947] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000035 05:01:27 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4c}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:27 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") r1 = accept4(0xffffffffffffffff, &(0x7f0000000140)=@l2, &(0x7f00000000c0)=0x80, 0x800) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f00000001c0), &(0x7f0000000640)=0x4) socket$netlink(0x10, 0x3, 0x0) r2 = accept4$netrom(0xffffffffffffff9c, &(0x7f0000000480), &(0x7f00000004c0)=0x10, 0x800) pwritev(r2, &(0x7f0000000300)=[{&(0x7f00000002c0)="89be8339", 0x4}], 0x1, 0x0) ioctl$sock_netrom_SIOCGSTAMP(r2, 0x8906, &(0x7f0000000940)) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$DRM_IOCTL_AGP_ENABLE(r3, 0x40086432, &(0x7f0000000700)=0xfffffffffffffffd) socketpair$inet_smc(0x2b, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl(r3, 0x8001, &(0x7f0000000ec0)="dbc34f32f04d15fd67445fdbec4fd373f1804efb07309281f5eec657ea18442cf6c49562241dc3ce5894847422474c4bdf254ac5b112e50beb40d38b13d3bf07d0f29f1bce0a11ea9aa7fcf75b45a9f15c30c5cb9a1e67b911bad42d8aa0e819f7ebc065759dde3b0b55a500c66f1d10327fc34f14e9c6edb898fdbe4cf5f48c9e1a10759a517cae6dee11b277696b60cc1ff625ee877cbfcdde9486e76981ef313c650a01c2422248fdea4d530847d54bbd137ac5a39a21de9cfa7a29d765246c269a05757c46fe9a9e75cb9cccf8a8b3a2713d6e7fc42d0bf773570076363a575da7fa02bfcf70621f162d0bea8c77c9b2a2889325ba26adc6d8301569ddebaad2485f5843ef77731fb1dc2f1722c819ff1ca2c0ff4f1e5fd90d3848e0e8b9ce7ccfc504f7343408c3f47d040f5539957db65405c55f2c2924ec9aa5d2731cb0617b") socketpair$inet(0x2, 0x20000002, 0xffff, &(0x7f0000001680)={0xffffffffffffffff}) getsockname$packet(r1, &(0x7f0000000880)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f00000008c0)=0x14) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000580)={0x0, 0xfff, 0x1, 0x7fffffff}, &(0x7f00000005c0)=0x10) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000000680)={r7, 0xa6}, 0x8) read(r5, &(0x7f0000000380)=""/235, 0x4a) r8 = socket(0x400000000010, 0x3, 0x0) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r6, r3, 0x1, 0x1}, 0x10) write(r8, &(0x7f0000000340)="2400000021002551071c0165ff00fc020200000000100f000ee1000c08000f0000000000", 0x24) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000200)={r4, 0x28, &(0x7f0000000180)}, 0x10) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r10, 0x1, 0x1a, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x50}, {0x6}]}, 0x10) sendmmsg(r9, &(0x7f0000003840)=[{{0x0, 0x0, &(0x7f0000002240), 0x1ba, &(0x7f00000022c0)}}, {{0x0, 0x0, &(0x7f00000026c0), 0x0, &(0x7f0000002700)}}], 0x75a, 0x0) [ 1083.743904] binder: 30085:30092 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1083.763150] binder: 30085:30092 BC_FREE_BUFFER u0000000000000000 no match [ 1083.827618] binder: 30085:30092 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1083.858514] binder: 30085:30092 BC_FREE_BUFFER u0000000000000000 no match [ 1084.681692] ALSA: seq fatal error: cannot create timer (-22) 05:01:28 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x4, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:28 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) socket$inet6(0xa, 0x1, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:28 executing program 5: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000240)='/dev/qat_adf_ctl\x00', 0x0, 0x0) ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f00000002c0)=0x0) sendmsg$nl_generic(r2, &(0x7f00000014c0)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f0000001480)={&(0x7f0000000300)={0x1168, 0x35, 0x420, 0x70bd29, 0x25dfdbfc, {0x5}, [@generic="6cf92fb7de3302cc06613574751176b3f6f6db82a5ccaf80df6268f330a205b4ebc39b90006fdb9f3e4b09863a08d1f540abddbbf69300236f1ca4f60e2710febbd2d657f4fdef397fbf7a100780bbd2fd49", @generic="6b9e56df1f51f3f91d47642579d7efe79901ddc7a20bb51d09e21d2d7356abc0cfff0612e2b2c92ccbdf61bd051f0d0b2c62c1e6192dd70d50c19becc994fb2978ac36e8ad3df06e4228ceae846f4ae6e65841aa91909cf950153df2d498534057115805989804bfd0e3a77ba3bd1e4660375664b35b4f701191863b1208de62c73b92d4f51aaffddec722554531607226caf4d48f816163ab0f5ad0832e4e24ef4453ed40c94bff5a9ddd89e6d92aac98243a4655f23f21e404bd7297fb23725b0cd8aa5872a4ce15d3c9ac21294f5c87fa52008ea856ce5b287c3850b98a783e31c9fddcf0a9794262bbc95049e6e2f8aab14a071046bf80429ef587cbf7b1779c22544e6649bdbc951ffdd81091f2b4af3189739fd754f9ebb2d310499ceb68e7fa6d54d2638e02ae30dca5fe63f64d1680d57ffba8c352dab4eaac08019d1f7c2192c1b1968e2afdcf9281a3b2a8286f2884775d03e2c11092e03da1e63e27fe65bc9e740c63a4d80b502e5060cad23f90bdbf442ff82c062c7134fdbd70c6c7485d52e0c334537c41aec0674e4e907bed782daf19871570275ddf41eb09f4f3abb17de441a47123d69bb8da05155db77ce8c21631773f3c4b93192aae5e739f542f7ed03e5a3e9c63d048bd0fc003c2818f4f6965ee6b1a4b728766d74daa75d82a4df2fdaec56ce5d92d8528852ec16d06be3aa87df00520691e63771a7d03ed8856468163e4d2ae98253faa2ab343a38489c3dc5b336f8c16d95bb65ea1348e94f166cf7a5aaed6756ea0490cc607264676da0d6c5ff7efdcb961f4f6f771859d797609cfd3509587c104fcff8d59fce10dd1b8174afdfa18b9249c1d477e4f47d56a56202a25360bb82c88804004c507c754921545c1067ea7da102fcad952736f8971fad78dc432904108e9d387ad618b2aee13f6ee680a43bc90c7fac7649bb61d1e5bafe41fabcc2a27d262359e3c421add91b9ae15ab330b1a5c26b6bc1580c6d5015be7b8ee5037700e95c904078acd404fecc5d775d82720d7fb969677a9fe6744b68d6f91a3e7d9fd189f4968acaf56a8bd1f3d68087baa17c981afaecf0a3a031bce8f07434910103eb849427b96686568a145459348b105368bedfbf62e91f12efd1bad4028b73d58f3341c3c47342aa3d7e7262ff819883d9004033720544fce1bc13f25a043eda0a8bb8dadc0358a1171461d53b8b5749bafad4a48568f74ad6afbd3294b1650cc7907c2e6adbf500cdcf947545418f0673a721ada2be294c4769dac7d0ad15e464aafd26e174cc3d58c78713b92df2766f51a6f1221b81810c581eaaef564b837224bdbf8b900df6c42c45c4cb3694ed0c7f13cb04e7d826ac4ff44fb94d6ed9bb7737c59afbf01088759eceb0ea837d5de2756e84d0193cb2e7398dc2775b153e90ec327c3857db4deeb4fd28ff1cdf1c350c74ced53c7cb94baf5420d9007cf466972c400817a406761a831f1a783af93e7c713baf1a701cb728d03a309b5c8b81b3c655b1cfd0b7a70a313177662b3301e820e3af6f99789b014ac587e474aab96c33de09d4455ef85e0a39dbbc0f08e3112d42e231a5cc0096b5cfde368b73f34370e24b1c3e43980d42edfa9b8845a0df828b62819ffe35268e89e60dff88e81e8f5e797428cb452570d7100c8d0cce7294878e71f146b14397537926c8162d72741cb3903150bde3a0e4a12ac36866921464fda2a05a24d7c89d533a95396cfb9914364c3437043a61f0cc4a0c7ed2ae305caaa968ecdbaea2ef3f77bbe833fb280d661f7823438b7546def6f78b784c5e0451e3561d389b879f96153028f0093e12a7f0d75e140ee005d6ab6bd8c5bea399902dc62f855b2dfa2ff3d4db39a7295530ade6cd9404ab4247a044b5f2fc53bcca0d38b7b0b138bec158f01fc99cb3164e3b318d4f1b990576f48c9f95966cd78e3b913e4f6c829b3adfa793ad0ada93c938cbba1069cb40e0319f4a53a2a65a015e0c100e7c0fde51d01acb9774a405de0cbf0e60a816101279e70fc91b8094937665d4ef378f8505fa0708b5a94e97e03f9905a8867f12bac2e1c2ead1f7ed040e66d10de0886249adf253e4850ce069fe607feeaa2d1a2c69be4c5b1a9e473d72939e11cc0b0f06a0aea76bf99fa518e8022063ff57d0d1b5e71d8f252d439ee72bd031ee7acb9252691c4937d7ee0248b772630d66be348321af4ccb1e25face9d274263b83d74a066e3108b59af89a0b64bce441c088d9d51b750983c097e7d60ce0711d722ad5ceed5a225688c04954b176cbdda37cba075352c3e5b8852baf48d3c934c7205f3f8f336b1d664ff22320758d28b9d0375c8d6102e4679be394572d2f093fbdc3cbd20fe1a086829e215a31a3fbd87448d032cb3b868436577854a1fbb6d9df49714907c0cf98a78e8c55e22e9615b3114f2ea29e2ec30d985fb99ac5e564d594636d5065bc433094241fede50ce730dc1f3933367106f6209ec95a66d2413281be2965aea6917bb564dd8b392932b1b83ad7d29f0812e170a2eb3640b42d0f799cc148ff331d0d3c047d9c3e2d31bf655cacfbe5d9cc590b292ec5a3baac9f8c9bc9e9ad5df44722f05a151b4548477812f498140e80458e28d81fa61235b80497585a288a5a218f690b4597c58a62994e857220039ba7f6ab283b2e44d605cfbd9653e6a5103892a19188c2ca9131d71dcbea1ea4b6692c551b76286dcab90e850f28d397377279506e9878e42dbac10f2b02d51c6c2655299d65452ee8ee034acccb966deb68ea704c465b8b0e4928126aa26d8e477c60a1714bab574ac3ad8a89ff4f486b56995401bf3779f367ee8808a87bcb5d5910562506aee2f2043188d8b17e77cee7c11185d3dbc7d468d1f2bbba1eb8f0c8e113b2d1033179915129c63167898615da01fc739e32e0da3e96cb6f677e045ef3a9155ba4c451cc9e8b9af54bb3e06c3f13281867755c723b70617a9392d0cc705bd177d6cb36b2516389b3320e5f0ec5b12f17152420511775704aadfdc449934d6d292c447fb0892a1319ef9ee4c0326dd159119a281e37e9b16205c804bc226416b7c445a1dc37454ed49fb89d5074911100b7e9f5a48e29fa19ab932f1f488630dfb6eb0e0389af694d585dddb67b06a06842e9aaa2f5569c90b14ff217173343157a22ac6d88b746d6c0d3dd3a9f8017ff736428811f3aeb8be3b7e34febf18131c97736b733c198ea48024dfb7a6b87c80286563bd46453143702ad255f16b2808ab5a71ed91bf97b8ab65f7e5536f6e16819e48be180cb65602a961e75949cc2590207743dabe6312babae98831397fa688cf42eebd8bed16652aa000b096d8eeaa8a7de3064d61020240d86314ee70ba1097deeed293528bc44f0d0b0b0e86fcc433499eed8be707eca0a004d11e9ab575d04e40d3625f8f3bbf8f0e960337414be3ab4ba00d35fbffa0f26ac7c7a32fd0c8c1aee2cde62e21ffe2b794db0b713eda2f93ce78423a405b5be8953cbc7a5414da8520f228951f404d361a441cfad19ee795f8ba98235c18785b8a8bb06df0c54838a54a2647b763d0a8fbbf73f6c3e1e36062f62be231b295c9f5989fa15f731f8c65ec36d06b528a22418d0cdf7ea745a85a130ea81236b9895ac5c0e0c99fed03144be660ad133bf20c682a139b2dc92156a801badcc8130727754d33b4c6af6fc465461fc8904beeea81a45dd5b9026b7c48a3c48353a6c1190dd4956bf1079d0ec1ff4c811edef99e41feb3c1a9bce18b45b9cb24259cbd2ad2486a1ac1d722fb94825ee8229feaa626d8d70a82aa36fa72b71acd328370412789ae9713075251b7b67f190c680817ef351fe33bfde7d77e01071422ec3dca864c6dc333eb96fac313120684e490bf67df70c24f1d6d26528112836b5364133fe536ad538266310edaf4b397da9eacf5f804b81e88cc9d829421d18c7b19ba0bcaf2962e2ad6001490e52523a72e3d03940e524fabaa82fac1bcbe46ba4a8c58013b6a18c69b02131e139743a82cbd9c1d730b8068788771a7e3ae80cd24037c6f5066233fccd00f664d3901c6c21f4a81d4a72039eb795309c6349847f2976711ccc3496658b0bd8c13ff55b9a82c41168fefddde994c968a9ab278f42268fc5870421a57c4fe41abbc74861ce606e6f7d88a8215b1e16eb74d09c1bac12415dd51a64d7167b2d7892c356d3334171a06342914f61dafb2b9c8bff16f8ce6989945b7b22ad07b3a09c546213df74c418310a10cd2d922d1caffc2a689c5af4a1d4551009fe0df85d1bcd20279f9774a71211a48af2273770ada95a5f2a2565015d8dd79bd7b8a83b0c621b4440fe4b58d09ccb5c1e94e524ed140810c3c5ae97df8133cc4dc9cab9fe10cfb8cd49e9942d2ca51bebf55aa466a3c0faf32a87dfa1e3853c91dc2adb96f477f29b8e3877333424983a2b30bf197ffdedbcc6abefbe157b6bc9fc7a0337528ceba997fa436806408e1b06bbf559e5aa8df046dfd21d01fdce0e2d5230727bdee7b009a831ff39e1b3bbe7d0ffc7884879d446b441abcaf39f1ea17278e7fdd55b0a542c873a31aa8b8eda056ac1c7fec3e5c31ebbf623530a204df9eff3ad78eeb0dced54c5aff6493a62634f53dfae2ee58c994abade2782fde7da530a32252913fec782127d80b378a6386a0aeff5582bb1100f91834119af0ea29e613d70dbe1a819b6ff904db6194f98b8ad4e90df21e963123404db84cccac616445562511cba42a6a304730a9fb2f2dce235c506fa00473dfe0265cb7ffce309f0a02169e4c28a072a23cc11056a056cf9aebb288d3c4ae7a09516d2f93b753e126bba6fd08c00ebd4e20f3613f9a996ce1bbd31946e170dfa0a93aa3e3d389d2ece1f2c59ca07b703d60884568548d16a5a87b128e8cf9e38616dde80bcde34d358a4b59ac9eed18b1ece9156b3d10fdc3081548580c549536ec7101699b2c7a9b7229846a9d586b9f4003d9feab5a39b1b3dbb153fa17559e75573991e7c1f179b407d8e53fc17d363ff82a114d24e24a64dd13b545c9d9c7654962fa61fca2e61c328999d51735223d3a2f3ab393e2a615368a94b32ae127ab3fbbeccf0340d10616f54e601941c44d20817f9e776136ebeffac105c17fcb40d711798100ea9035c659d6fa8594ea38c57f2b76d90b34b004c8f4ac4e79502bfa4caaea611cf14f3fc27d9951b836bf23466de6062521a7c7e347f23df6d08af5c00deb3a8a69dd38a7a7e03453a9f267e9f99e29f41efc81257e0a9a99a881299608161dec6e14c233f605f02d25dfaa809b07bf7b4d046607b45b8ace70789978ed0b60861691c2bec7fc42d5094fde317d28f0bac544413de257cf288b6c30e6bf21a271e7902edc4bd71a1af3a9a105b6a1e44a75f1515c34295a7e1c6021d24138cb94cf902572667dc96ce4702e3703511e0922c24a8ecb8584896a52ef4efed9b2deba34f0344979ff75e08c4ed5d211c4313bc3e47fced31bb7244c7cfeff24df1a83898d1fe74936e947c67861850021afd9f5b8716ad7e39dd8fbc3c659555cece2326e2f4a801c378e3b9d8f4626653605ff414e58aebc91f5ff0beff2cf5a4b7b56c98397725c7e3e0124f0ff3ba95dd6ca4cd8bc2bb02479f6aa57b82a2d23f6258add4e2e7d4cc679a180366ee5a8d810ada5f8a470098e92ff3e47fef8d636f3f16ec7b318d8ff73e9d91386684241f9ab09a048dbf38e33e3c204f70bedacc809ddde5dc7fc8903b1994b3c38582a52a2bd5935ca9021c191bcd399e", @nested={0x100, 0x8f, [@generic="5858d1f62369eacd4e87d8ebb12f059658197d22fdba97b4c46a51c13f123d97e2cddfa5903649285e6443e60cf8deb37c5e0bda4033df5439cd9bf805041f72c768e3c2407198f60ad3265a1230e5e912962d371b307cc0c8f5256721d05db132b0e79fd3802f228bcf2d2657133e2cde77a5e4977464c2cf48fae61f080ef16808b8e6a2081376b418a9958e227bf1512ae71f01649839d1413c331c09a5d4f75d5ce813551d40aee8f799ca7dd7", @typed={0x4, 0x8d}, @typed={0x8, 0x46, @pid=r3}, @generic="543e7b44e00d22f7aa152f9d49c75e5e61ded503efb1ada2ded87e878f7707da299c9bf6928966cfc8698b35962f06fcc522cc483153c1e2ac90f5975efb28"]}]}, 0x1168}, 0x1, 0x0, 0x0, 0x20000000}, 0x4004000) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r1, 0x84, 0x13, &(0x7f0000000000)={0x0, 0x2}, &(0x7f0000000040)=0x8) ioctl$TUNSETVNETHDRSZ(r1, 0x400454d8, &(0x7f00000000c0)=0x40) getsockopt$inet_sctp_SCTP_DELAYED_SACK(r1, 0x84, 0x10, &(0x7f0000000080)=@assoc_value={r4, 0x2}, &(0x7f0000000100)=0xffffffffffffff42) utime(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)={0x3af, 0x4}) sendmsg$nl_netfilter(r0, &(0x7f0000498000)={&(0x7f0000d55000)={0x10}, 0xc, &(0x7f0000c8d000)={&(0x7f0000001500)=ANY=[@ANYBLOB="1400c5dd5bd50c04fa370000c8a2904cbe57a78ff6298dc33379c4d7c8291ee892f46a0410"], 0x14}, 0x1}, 0x0) 05:01:28 executing program 1 (fault-call:4 fault-nth:54): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:28 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x4000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:28 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7a00}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:28 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") r1 = accept4(0xffffffffffffffff, &(0x7f0000000140)=@l2, &(0x7f00000000c0)=0x80, 0x800) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f00000001c0), &(0x7f0000000640)=0x4) socket$netlink(0x10, 0x3, 0x0) r2 = accept4$netrom(0xffffffffffffff9c, &(0x7f0000000480), &(0x7f00000004c0)=0x10, 0x800) pwritev(r2, &(0x7f0000000300)=[{&(0x7f00000002c0)="89be8339", 0x4}], 0x1, 0x0) ioctl$sock_netrom_SIOCGSTAMP(r2, 0x8906, &(0x7f0000000940)) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$DRM_IOCTL_AGP_ENABLE(r3, 0x40086432, &(0x7f0000000700)=0xfffffffffffffffd) socketpair$inet_smc(0x2b, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl(r3, 0x8001, &(0x7f0000000ec0)="dbc34f32f04d15fd67445fdbec4fd373f1804efb07309281f5eec657ea18442cf6c49562241dc3ce5894847422474c4bdf254ac5b112e50beb40d38b13d3bf07d0f29f1bce0a11ea9aa7fcf75b45a9f15c30c5cb9a1e67b911bad42d8aa0e819f7ebc065759dde3b0b55a500c66f1d10327fc34f14e9c6edb898fdbe4cf5f48c9e1a10759a517cae6dee11b277696b60cc1ff625ee877cbfcdde9486e76981ef313c650a01c2422248fdea4d530847d54bbd137ac5a39a21de9cfa7a29d765246c269a05757c46fe9a9e75cb9cccf8a8b3a2713d6e7fc42d0bf773570076363a575da7fa02bfcf70621f162d0bea8c77c9b2a2889325ba26adc6d8301569ddebaad2485f5843ef77731fb1dc2f1722c819ff1ca2c0ff4f1e5fd90d3848e0e8b9ce7ccfc504f7343408c3f47d040f5539957db65405c55f2c2924ec9aa5d2731cb0617b") socketpair$inet(0x2, 0x20000002, 0xffff, &(0x7f0000001680)={0xffffffffffffffff}) getsockname$packet(r1, &(0x7f0000000880)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f00000008c0)=0x14) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000580)={0x0, 0xfff, 0x1, 0x7fffffff}, &(0x7f00000005c0)=0x10) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000000680)={r7, 0xa6}, 0x8) read(r5, &(0x7f0000000380)=""/235, 0x4a) r8 = socket(0x400000000010, 0x3, 0x0) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r6, r3, 0x1, 0x1}, 0x10) write(r8, &(0x7f0000000340)="2400000021002551071c0165ff00fc020200000000100f000ee1000c08000f0000000000", 0x24) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000200)={r4, 0x28, &(0x7f0000000180)}, 0x10) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r10, 0x1, 0x1a, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x50}, {0x6}]}, 0x10) sendmmsg(r9, &(0x7f0000003840)=[{{0x0, 0x0, &(0x7f0000002240), 0x1ba, &(0x7f00000022c0)}}, {{0x0, 0x0, &(0x7f00000026c0), 0x0, &(0x7f0000002700)}}], 0x75a, 0x0) [ 1084.851073] ALSA: seq fatal error: cannot create timer (-22) [ 1084.905208] FAULT_INJECTION: forcing a failure. [ 1084.905208] name failslab, interval 1, probability 0, space 0, times 0 [ 1084.916551] CPU: 0 PID: 30124 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1084.923486] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1084.932839] Call Trace: [ 1084.935430] dump_stack+0x1b9/0x294 [ 1084.939058] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1084.944247] ? is_bpf_text_address+0xd7/0x170 [ 1084.948736] ? kernel_text_address+0x79/0xf0 [ 1084.953138] ? __unwind_start+0x166/0x330 [ 1084.957275] should_fail.cold.4+0xa/0x1a [ 1084.961322] ? __save_stack_trace+0x7e/0xd0 [ 1084.965651] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1084.970752] ? graph_lock+0x170/0x170 [ 1084.974542] ? save_stack+0x43/0xd0 [ 1084.978152] ? kasan_kmalloc+0xc4/0xe0 [ 1084.982028] ? kasan_slab_alloc+0x12/0x20 [ 1084.986174] ? find_held_lock+0x36/0x1c0 [ 1084.990227] ? __lock_is_held+0xb5/0x140 [ 1084.994287] ? check_same_owner+0x320/0x320 [ 1084.998595] ? rcu_note_context_switch+0x710/0x710 [ 1085.003515] __should_failslab+0x124/0x180 [ 1085.007759] should_failslab+0x9/0x14 [ 1085.011549] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1085.016642] __kmalloc_node_track_caller+0x33/0x70 [ 1085.021560] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1085.026304] __alloc_skb+0x14d/0x780 [ 1085.030006] ? skb_scrub_packet+0x580/0x580 [ 1085.034320] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1085.039847] ? ip_generic_getfrag+0x11c/0x2d0 [ 1085.044338] ? ip_reply_glue_bits+0xc0/0xc0 [ 1085.048657] ? raw_getfrag+0x15b/0x220 [ 1085.052532] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1085.057537] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1085.062544] ? raw_destroy+0x30/0x30 [ 1085.066262] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1085.072053] ? ipv4_mtu+0x375/0x580 [ 1085.075674] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1085.081118] ? lock_acquire+0x1dc/0x520 [ 1085.085082] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1085.090608] ? ip_setup_cork+0x4dc/0x7c0 [ 1085.094658] ip_append_data.part.48+0xf3/0x180 [ 1085.099230] ? raw_destroy+0x30/0x30 [ 1085.102933] ip_append_data+0x6d/0x90 [ 1085.106718] ? raw_destroy+0x30/0x30 [ 1085.110487] raw_sendmsg+0x1dae/0x29b0 [ 1085.114373] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1085.119468] ? rcu_report_qs_rnp+0x790/0x790 [ 1085.123886] ? graph_lock+0x170/0x170 [ 1085.127681] ? expand_files.part.8+0x9a0/0x9a0 [ 1085.132247] ? check_same_owner+0x320/0x320 [ 1085.136587] ? lock_downgrade+0x8e0/0x8e0 [ 1085.140728] ? lock_release+0xa10/0xa10 [ 1085.144691] ? check_same_owner+0x320/0x320 [ 1085.149001] ? __check_object_size+0x95/0x5d9 [ 1085.153486] inet_sendmsg+0x19f/0x690 [ 1085.157271] ? __might_sleep+0x95/0x190 [ 1085.161237] ? ipip_gro_receive+0x100/0x100 [ 1085.165549] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1085.171088] ? security_socket_sendmsg+0x94/0xc0 [ 1085.175865] ? ipip_gro_receive+0x100/0x100 [ 1085.180193] sock_sendmsg+0xd5/0x120 [ 1085.183896] __sys_sendto+0x3d7/0x670 [ 1085.187683] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1085.192340] ? wait_for_completion+0x870/0x870 [ 1085.196909] ? __lock_is_held+0xb5/0x140 [ 1085.200967] ? __sb_end_write+0xac/0xe0 [ 1085.204932] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1085.210457] ? fput+0x130/0x1a0 [ 1085.213731] ? ksys_write+0x1a6/0x250 [ 1085.217537] ? __ia32_sys_read+0xb0/0xb0 [ 1085.221583] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1085.227108] __x64_sys_sendto+0xe1/0x1a0 [ 1085.231156] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1085.236166] do_syscall_64+0x1b1/0x800 [ 1085.240039] ? finish_task_switch+0x1ca/0x840 [ 1085.244523] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1085.249442] ? syscall_return_slowpath+0x30f/0x5c0 [ 1085.254363] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1085.259720] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1085.264556] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1085.269736] RIP: 0033:0x4559f9 [ 1085.272911] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1085.292159] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1085.299855] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1085.307109] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1085.314364] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1085.321617] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1085.328890] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000036 [ 1085.337942] binder: 30118:30120 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:28 executing program 4: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = socket(0x1b, 0xa, 0x4) write(r0, &(0x7f0000000000)="fc0000001a000700ab092500090007000aab80ff010000000000369321001d004e3d951e6a5914fe6a61783b6f2614d8ff010000000500000000000000036915fa2c1ec28656aaa79bb94b46fe0000000700020800008c0000036c6c256f1a272f2e117c35ebc205214000000000008934d07302ade01720d7d5bbc91a3e2e80772c74fb2cc56ce1f0f156272f5b00000005defd5a32e280fc83ab82f605f70c9ddef2fe082038f4f8b29d3ef3d92c83170e5bbab2ccd243f295ed94e0ad91bd0734babc7c3f2eeb57d43dd16b17e583df150c3b880f411f46a6b567b4d571558759c8a1ad7cf81eeee5cc68eade445e0a4f01731d05b0350b0041f0", 0xffffffffffffff06) r2 = syz_genetlink_get_family_id$team(&(0x7f0000000140)='team\x00') accept4$packet(r1, &(0x7f0000000900)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, &(0x7f0000000940)=0x14, 0x800) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000000980)={{{@in=@remote, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@local}}, &(0x7f0000000a80)=0xe8) ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000ac0)={'vcan0\x00', 0x0}) getsockopt$inet6_mreq(r1, 0x29, 0x15, &(0x7f0000000b00)={@loopback, 0x0}, &(0x7f0000000b40)=0x14) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000180)={{{@in=@remote, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@rand_addr}, 0x0, @in6=@ipv4}}, &(0x7f0000000c80)=0xe8) getpeername$packet(r1, &(0x7f0000000cc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000000d00)=0x14) accept$packet(r1, &(0x7f0000000d40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @random}, &(0x7f0000000d80)=0x14) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000dc0)={'ipddp0\x00', 0x0}) accept4$packet(r1, &(0x7f0000000e00)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @random}, &(0x7f0000000e40)=0x14, 0x800) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000000ec0)={'team0\x00', 0x0}) getsockopt$inet6_IPV6_IPSEC_POLICY(r1, 0x29, 0x22, &(0x7f0000000f00)={{{@in=@local, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@rand_addr}, 0x0, @in=@local}}, &(0x7f0000001000)=0xe8) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000001040)={'lo\x00', 0x0}) getsockname(r0, &(0x7f0000001080)=@xdp={0x0, 0x0, 0x0}, &(0x7f0000001100)=0x80) getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000001140)={0x0, @empty, @local}, &(0x7f0000001180)=0xc) getsockopt$inet6_mreq(r1, 0x29, 0x1b, &(0x7f00000011c0)={@local, 0x0}, &(0x7f0000001200)=0x14) recvmsg$kcm(r1, &(0x7f0000001680)={&(0x7f0000001240)=@ll={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @broadcast}, 0x80, &(0x7f0000001600)=[{&(0x7f00000012c0)=""/106, 0x6a}, {&(0x7f0000001340)=""/187, 0xbb}, {&(0x7f0000001400)=""/112, 0x70}, {&(0x7f0000001480)=""/81, 0x51}, {&(0x7f0000001500)=""/128, 0x80}, {&(0x7f0000001580)=""/125, 0x7d}], 0x6, 0x0, 0x0, 0x6}, 0x43) getsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f00000016c0)={{{@in6=@mcast1, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@loopback}, 0x0, @in6=@mcast2}}, &(0x7f00000017c0)=0xe8) getsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000001840)={0x0, @local, @remote}, &(0x7f0000001880)=0xc) getsockopt$inet6_mreq(r1, 0x29, 0x7ffcaf58202be86c, &(0x7f00000018c0)={@empty, 0x0}, &(0x7f0000001900)=0x14) accept4$packet(r1, &(0x7f0000002d00)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000002d40)=0x14, 0x80000) getsockopt$inet_mreqn(r1, 0x0, 0x24, &(0x7f0000002d80)={@remote, @local, 0x0}, &(0x7f0000002dc0)=0xc) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000002e00)={'vlan0\x00', 0x0}) getsockopt$inet6_mreq(r1, 0x29, 0x1f, &(0x7f0000000300)={@remote, 0x0}, &(0x7f0000000380)=0x14) getsockname$packet(r1, &(0x7f0000002ec0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote}, &(0x7f0000002f00)=0x14) getpeername$packet(r1, &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote}, &(0x7f0000003040)=0x14) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000003080)={{{@in6=@mcast1, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@ipv4={[], [], @broadcast}}, 0x0, @in6=@mcast1}}, &(0x7f0000003180)=0xe8) sendmsg$TEAM_CMD_OPTIONS_SET(r1, &(0x7f0000003c40)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100200}, 0xc, &(0x7f0000003c00)={&(0x7f00000031c0)={0xa40, r2, 0x220, 0x70bd27, 0x25dfdbfb, {0x1}, [{{0x8, 0x1, r3}, {0x1f0, 0x2, [{0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x101}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x800000000}}}, {0x4c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8, 0x3, 0x5}, {0x1c, 0x4, 'hash_to_port_mapping\x00'}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r4}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x1}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x200}}, {0x8, 0x6, r5}}}, {0x3c, 0x1, @enabled={{{0x24, 0x1, 'enabled\x00'}, {0x8, 0x3, 0x6}, {0x4, 0x4}}, {0x8, 0x6, r6}}}, {0x44, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8, 0x3, 0x5}, {0x14, 0x4, 'activebackup\x00'}}}]}}, {{0x8, 0x1, r7}, {0x7c, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0xffffffffffff38c2}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0xe6}}, {0x8, 0x6, r8}}}]}}, {{0x8, 0x1, r9}, {0x100, 0x2, [{0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x100}}, {0x8, 0x7}}}, {0x40, 0x1, @lb_port_stats={{{0x24, 0x1, 'lb_port_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x2}}, {0x8, 0x6, r10}}}, {0x7c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8, 0x3, 0xb}, {0x4c, 0x4, [{0xd6, 0x2, 0x6, 0x1000000000000000}, {0x4, 0x3ff, 0x1, 0x3f}, {0x3f, 0x8000, 0x3, 0x3}, {0xfffffffffffffff8, 0x4, 0x4, 0x3f}, {0x2c, 0x2, 0x3, 0x2}, {0x485, 0x2, 0x0, 0x9}, {0x40000000000000, 0xff, 0xffffffffffff7fff, 0xfffffffffffffff7}, {0x4fa0, 0x80000000, 0x1, 0x8000}, {0x9, 0x5, 0xfffffffffffffffd, 0x7ff}]}}}]}}, {{0x8, 0x1, r11}, {0x150, 0x2, [{0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r12}}, {0x8, 0x7}}}, {0x54, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8, 0x3, 0xb}, {0x24, 0x4, [{0x100000001, 0x3, 0xffffffffffffffff, 0x7ff}, {0x7, 0x6, 0x3, 0x4}, {0x0, 0x80000001, 0x7f, 0x3}, {0x8, 0x5, 0x1, 0x5}]}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r13}}, {0x8, 0x7}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x4}}, {0x8, 0x7}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r14}}}]}}, {{0x8, 0x1, r15}, {0x174, 0x2, [{0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x8000}}, {0x8, 0x7}}}, {0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x100}}, {0x8, 0x6, r16}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r17}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r18}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8, 0x3, 0xe}, {0x8, 0x4, 0x1}}, {0x8, 0x6, r19}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8, 0x3, 0xb}, {0x8, 0x4, 0x9}}, {0x8, 0x7}}}]}}, {{0x8, 0x1, r20}, {0x3c, 0x2, [{0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x4}}}]}}, {{0x8, 0x1, r21}, {0x44, 0x2, [{0x40, 0x1, @queue_id={{{0x24, 0x1, 'queue_id\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0xffe00000}}, {0x8, 0x6, r22}}}]}}, {{0x8, 0x1, r23}, {0xe8, 0x2, [{0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x7}}}, {0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8, 0x3, 0x6}, {0x4, 0x4}}, {0x8, 0x6, r24}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r25}}}, {0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x9}}}]}}, {{0x8, 0x1, r26}, {0x1c8, 0x2, [{0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8, 0x3, 0x5}, {0x10, 0x4, 'loadbalance\x00'}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, r27}}}, {0x38, 0x1, @mcast_rejoin_count={{0x24, 0x1, 'mcast_rejoin_count\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x3ff}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x5}}}, {0x64, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8, 0x3, 0xb}, {0x34, 0x4, [{0x8, 0x3f, 0x100000000, 0x4}, {0x8001, 0x6, 0x7, 0x2f9}, {0xfed, 0x0, 0x8000, 0x6}, {0x3b4d, 0x3, 0x0, 0x5}, {0x200, 0x9, 0x5, 0x10000}, {0x3c9, 0x1, 0x3ff, 0x4}]}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8, 0x3, 0x5}, {0x10, 0x4, 'roundrobin\x00'}}}]}}, {{0x8, 0x1, r28}, {0x7c, 0x2, [{0x3c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8, 0x3, 0x5}, {0xc, 0x4, 'hash\x00'}}}, {0x3c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8, 0x3, 0x5}, {0xc, 0x4, 'hash\x00'}}}]}}]}, 0xa40}, 0x1}, 0x1) [ 1085.352455] binder: 30118:30120 BC_FREE_BUFFER u0000000000000000 no match 05:01:28 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x6}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:28 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) [ 1085.380199] binder: 30118:30120 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1085.406941] binder: 30118:30120 BC_FREE_BUFFER u0000000000000000 no match 05:01:28 executing program 5: r0 = syz_open_dev$sndtimer(&(0x7f0000000140)='/dev/snd/timer\x00', 0x0, 0x2040000) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r0, 0xc0145401, &(0x7f0000000080)={0x3, 0x0, 0x0, 0xfffffe}) r1 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000180)='/dev/uinput\x00', 0x400000100, 0x0) getsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f00000001c0)={{{@in6=@mcast2, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@loopback}, 0x0, @in6=@local}}, &(0x7f0000000000)=0xe8) setsockopt$inet_pktinfo(r1, 0x0, 0x8, &(0x7f0000000040)={r2, @local={0xac, 0x14, 0x14, 0xaa}, @local={0xac, 0x14, 0x14, 0xaa}}, 0xc) ioctl$PPPIOCSMRU(r1, 0x40047452, &(0x7f00000000c0)=0x8) ioctl$PPPIOCSMRU(r1, 0x40047452, &(0x7f0000000100)=0x200) 05:01:28 executing program 4: mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0xfffffffffffffffc, 0x31, 0xffffffffffffffff, 0x0) setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x10f, 0x82, &(0x7f0000000080)=ANY=[@ANYBLOB="7261770000000000000000000000000000000000000000000000000000000000090000000300000000020000b8000000ffffffffffffffffb8000000ffffffffe8010000ffffffffffffffffe8010000ffffffff03000000", @ANYPTR=&(0x7f0000000440)=ANY=[@ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000f204dfdf43781cdb9c9649ac6fde43a0b28940fb8270b5154bfd42040a0151d6c094f168a2d8f0000"], @ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000900000000000000000000000000000000000000000000000000020004e4f545241434b0000000000000000000000000000000000000000000000e00000010000000000000000000000006970365f767469300000000000000000766c616e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000d80000000000000000000000000000000000000000000000000068004354000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000073797a3100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000980000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0x260) ioctl$sock_netdev_private(0xffffffffffffffff, 0x89f4, &(0x7f0000000340)="fc21b6926a775d889bd30f2e9612198c9fe5fe567ca8196412c3ccb6aa2e4eff16b08002a0b6aaff395d8814588d2ab42f5e0323498ff91db84ee6fc80511d423fb2fdef2491997202280cc932a2fd651c204823eb455fcdfe12c22742e56a6458e9d13699f6b0d8b0c2edb9343bc15b77cd9c2155769195cbadac4298ea4b9e33f32680808736e1844135969da9d72be5ad76012aa4b66dc851aee56e046b4108b35fbb003e1a8a50b1d8d0f55e7c999e99ecb70b04736f39685e2eae0627aead5034d8d7c8fd97c9") 05:01:28 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x100000000000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:28 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xf8ff3f1f}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1085.608874] binder: 30159:30163 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1085.658720] binder: 30159:30163 BC_FREE_BUFFER u0000000000000000 no match [ 1085.702249] binder: 30159:30163 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1085.726348] binder: 30159:30163 BC_FREE_BUFFER u0000000000000000 no match 05:01:29 executing program 4: r0 = socket$alg(0x26, 0x5, 0x0) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r1, 0x8912, &(0x7f0000000000)="025cc83d6d345f8f760070") bind$alg(r0, &(0x7f0000000040)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(aes)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f00000028c0)="b7f2288a933d66593ae164c990a0028e", 0x10) r2 = accept$alg(r0, 0x0, 0x0) getsockopt$inet_sctp6_SCTP_CONTEXT(r1, 0x84, 0x11, &(0x7f00000000c0)={0x0, 0x3}, &(0x7f0000000100)=0x8) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r1, 0x84, 0x7c, &(0x7f0000000140)={r3, 0x8, 0x7}, 0x8) write(r2, &(0x7f0000000000)="3798b23629cadd4dbd9e28ca6e7696ae", 0x10) read(r2, &(0x7f0000000bc0)=""/93, 0x20000bfd) 05:01:29 executing program 1 (fault-call:4 fault-nth:55): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:29 executing program 5: syz_mount_image$ceph(&(0x7f00000004c0)='ceph\x00', &(0x7f0000000500)='./file0/file0\x00', 0x7, 0x6, &(0x7f0000000980)=[{&(0x7f0000000540)="0c30e29c1f1557a0a5d2f9de9bce3758c1659252d1fd5968d0c55950aff77f48ebe3dc576dd424b7a22bf70401dbc195583cb65a2a7209e651c4c920392b4d9b9a03655448cd82df4f1415dfda0cebe5ed0880a14bbd7d6c1fdfa19d07f92d8d9b8803adae2815275225fe3197123529c586c3ffb2ca3a1307fe35abb79d35431b7da548c3e90c87ce3c26a6df478231e5d6178e67acdcbcda7e3b881e23b5a8247b5cfe24464e9016393aaf20", 0xad, 0xff}, {&(0x7f0000000600)="c6e9f3a14d2c2ebe4acd467190d933a5c57560d48e9769b2685cce2f93eebc90b468112ded3744cbb3968fb0498c60d165826e8ad3083049299c716bbe0bfa2e0babd99f05f52edf52d8f1097ea9379259fef203c0e4e3a514d0ee1b35ae7dc0db436efa02052e5c19e9a85c5d9ba59e5e9e1dd31e300143ca9a21c4486f8b14945156e17e420f4df46cefac43225779ff958ea2b363f1fa449a17b857b4a42c75773b795dbc4bd6d1476f48d09faad88c753f07545ce2869e87b976f95d5793348874ab399bddc0fc3eb971cf19e689c83582c10529163f15429900ee", 0xdd, 0x8}, {&(0x7f0000000700)="4cf49c40b7068cdf7cfe841c9ae3c5fc132754ec8fc13f40d327d4518f8b0dcc2797b261de0ae3c35a9a38e1d9c04e5ec928cc766e0fb444674c6164915ea937c6b130be3ba30771f9993380bba0c699a2248c9742967a70fd7ee8910eae0937392b76647bb47dd61fd1d7e486dd7aa4f9e19a0092aee83d6831d698a7f4e5c3700e103ad6ff012cdd826c222b273148b38c", 0x92, 0x4}, {&(0x7f00000007c0)="2ebb1acc37c9d1955fc7748270df32c57ffa2df317ed554b2e558e3e0bcc846c3c13eb2e18505f805bc1db2662dff2a6479bf4d3b983151d0d723b581a0e2909d4da2270a731f5450461a50cda06e7729c5250ca2bb8ec2aa0a33e9cb8829297f52729445892af86478a2662418cb1dc9d65421876f185baa761d3764ca3eb7ae7fda0cfd91850e5dbb5c45be6bd4fdac9d7d58279a4b25ff225c849741433a84a1d99eaab14d4565cffd48314a353d0c20d94244d9ee67774ed570f06bed5ed4711289b2c975da117ddacaabaf83e9eeb5a7c0dd85c3f207073da97f9ace43f", 0xe0, 0x100000001}, {&(0x7f0000000900)="f22510594b60f45ace42647c5e1c54b9520778c2a332cd30c0cb3e", 0x1b, 0x8}, {&(0x7f0000000940)="ebd0cec756184f2aba1beb31ba385b6868f7bdac0c509e838af55bffc2c7f55124836d91e4be8deae54b7e881743634140a4803b33", 0x35, 0xa1e}], 0x400, &(0x7f0000000a40)='vboxnet0[\x00') r0 = syz_open_dev$vcsn(&(0x7f0000000480)='/dev/vcs#\x00', 0x2, 0x420000) ioctl$BINDER_SET_MAX_THREADS(r0, 0x40046205, 0xdb1f) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r1, 0x8912, &(0x7f0000000040)="025cc83d6d345f8f760070") fsync(r0) r2 = socket(0x10, 0x803, 0x8) sendmsg$nl_route_sched(r2, &(0x7f00000001c0)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f0000000180)={&(0x7f00000000c0)=ANY=[]}, 0x1}, 0x0) syz_mount_image$ext4(&(0x7f0000000a80)='ext4\x00', &(0x7f0000000ac0)='./file0\x00', 0x3ff, 0x3, &(0x7f0000000c80)=[{&(0x7f0000000b00)="a7dca46a3451096f8eed2cfe1864acaa489412344a86a7795b4e57583a37984b", 0x20, 0xe7a}, {&(0x7f0000000b40)="01195e998d028945b3cda478640323b2e197955b85151399563d53be93b603cab831326b112d0f16939d51eccb2dc37ff29471c86bca3b6bfa3912c6bfac0c98e52966b723d5b8a1dc703ed96c8c8875f9cd9b44be9b7e6900a55ca62fa6f6da07541a6a82c6b366aaa4c7caf34bfa9d9d2ddb84c282136541c616ce124c29993af27186dfcc737229e3706f5a6f7b397967c0d6ec24161b7a2126bec07ef2726edbb371517a7a803d5faa90471844dce045a59c2326", 0xb6, 0x3}, {&(0x7f0000000c00)="813cb78aa0dbaf8fd7b7d2c80839a8a6e8fff553b5c83d233821be571590ae52c64598f3a36e7d1215d1dfff9a82eb052925c3f3a40b3a7154bcc7b9729ee60f6cf7", 0x42, 0x8}], 0x1000000, &(0x7f0000000d00)={[{@data_ordered='data=ordered', 0x2c}, {@bh='bh', 0x2c}, {@noblock_validity='noblock_validity', 0x2c}, {@data_err_abort='data_err=abort', 0x2c}]}) syz_mount_image$iso9660(&(0x7f00000000c0)='iso9660\x00', &(0x7f0000000100)='./file0\x00', 0x3f, 0x3, &(0x7f0000000400)=[{&(0x7f0000000200)="d3352e1835efa9a2bbd695c300f9990c2724eef266ecd91e8f0c23a46db7933f945c51e4023f9abf5ccb08768f7aa5886d4d7c57031a3a01837e4f54d977ecb67f5e89d84c959111671aba34a7a449af25516596237a60e19fd9655bb921251bec32f777d00149a5c9f9ae62210cba76ec8fee4f585984c72eb816e881e469b673c5fd6998612516daf407006970a4c33b30c104133ea51a3b7671414a7e6e0d9f6de90cb179a5a1961ab6bfcceae64f108bcaabcb12f7fcc632e70304134fcae80b9b6e3f0909e45fa1619becad8f4adba7cdb69365010464cffc0fac2d22bd7ade5330d0d37582339973f74c080269f3f44565", 0xf4, 0x7}, {&(0x7f0000000e00)="f36fc3ee464c84e333e7ea06b9d67b46c1a089a25c1c999ea1b936cac1ee83fd7e76b1748faa67c5ba2d46a5681eff9d2f1b4e83e731885bbab046e0149dae0e79ab5467f82d18e45457819fb631930ce51e1c4302214caf65859d6f61da43bbdc9de13799e00d2179b5de0aa3e8e124ac6c54f428c235eef5faf03fed56d373088a2ac49d882ab458eff5a6197e94dd6762fea4071f3d2ff9772e70294f35c287fc6a6781d56222fce393ffbb1595c8e10c8e7bba71fe80e5d1d93445e3b84377572881986400c8015650edb079c985566729d47a1ce99d279d887ba2ca0c0bd105a5b7e4bbed6df4a377eb5f07dcaf0fa8575fba60c19e7c36a73a4e5fbc319d68b834f7bdd6ed8da775bb19137d55463692677f3fa9c743c54beacee6d454632535ed5efcdb5ec9fe02538c89d71cf592efd95f4b82a64462bbaad79df8bc18f5e1845ad1d01ac384b423418c73dd237ffa08215e8973c3f74aaea23f82b31856c74538d6567bc79b7547121cb0d97edc967b44c005fc13e0a1b72932f504c91924e733bc1e87d2f83a8bfe4a21dce99704d04c0ad5a70b5c0a30a79cfde33141daea5b877ec707460cc0819169f0f72fa0b316a626c8b9205df4e15aeffb239a2eb496a6a3f6f7b6d223d90fdd67a69864e2f785f4ef1859afd5b4df32e06dd74b938aeee2e606bfffad927cbf140b3b76497a1fecaf7107e21c059b7e4df05a27c56d5acdaaab2eb04ddce47a73f169529f840849a19858ba6cb7df4564594b4ae132674a443683ce55cf2e8736f04fd3c5373aa3a9145c630457f158d42ca1bf1296da2ad5d71535312c0a376cb464fee3ed4ec5167f21ab15e9b659664de66e4154a641bd5baefe04851e864353a2f82461d174f834fd66373595192f4f30502625ac86bf295a8509d628d02420179c0c18bc18d93719d84e28ad589a873efffdfe65ef2aff8dfcc0613ba9e2014e85dd0ca836e34da5b66d9ac54c468dd8663a9424c7a07d982b00ddc27f9b68778f5677cc9499f1e8f5c079ad82e5f2d15d016b22394cde0dffc85448bc99436c7c53b2c81ddb5e353028fcc83f471176a2f71edd42e99205079d319b635f5a7fd5e1376cdab37b8462f6309428f1cb19eaeb0385d14af7e9466be680659bcb821fc5fe1b0472e2beff701fdb39593b9506b78025a7974c8c48c30b34a0687c83017a725878a70c7e508391e93cd4d46d99f6a1c43c53bdf4dcc528670ca09ddf4ded81fd6d8582a699ccea5972ea69898f57203d303ef63751f2c00db20ec13e0ab071a752cb21e5045da7cfe5e81a019cf7dde9d6db5eeb3c1ada9b8a7b1a8146215b87d8b321493b9f00e3eec238c993bdb36224fd7ec3ecc88a4b9eca222354abfa9920db801f505433d2c748b48d5fc213965367912b73f40a9b896c7df6a2aa0b40c945a9e83da765512ceedb1d57d8da308f24226af5b2ba66b83676b12ab89d45a5fb09f0fae8f8209787fa88336c88da62d26a4da73b050efbce8a2ffce271f774e9a3a7befb4a1861d3731716aab3e0020b32e16b91eddff04595b1df81d66dd4199f2ea84e5e898291c2a3496ed4400223d5bdcc2c680b5c2d3d270c1dfeea65d5ac786194a56ecb65ebe7c17f54cb41a30850fc68fb728f63393c4ec791c4e6459a5a3ca9e319e1deb08150a18a9b7d29e157173167de3b994d18e58946a30056fd090026d03401d76288c39bc79c4533621f4dc1bd8627426431edf58f275b58fbe4fb225ea37aedfb734a795781584a360629267c03f6e7605099787f2c6f8a806a799ca1633610aa7df4a00ffb6bc8d2a5a99ee20f342d3c61fa63801014ddcad9d88f7706ac450fddecbfdd64e5239435f0d7ab77bc00ff89deab391d7453ba5f0e21e888f4ed9fe7306704aa4452f6a370124407b2a43ff06ac872d0bc6040620a68592d2601bc37a8fe5e1956671fa6ccdaeac2e9dc10988580dbaff47da837b3fdc190fd284728130fa3d0345dbef2e347150a0997e80bacbf9b593e246107c11c4335cbcbf840f3ceec395b33d1e31e48dd84815d61b2fcc3f903438aa831dba81ba4b21006e60f864d82f7bd4adacf288ddcd59fb6b07644983422c8dafbec381a307090cbf3880e33bf6552904dd7bb2f10b23c2c0523bb21aa4c7a2f3b63d0f562ec11e8fc4877625607ce75bd8454372cdf5192f19e4f28e7ae8d120e45a982d1d16df7d01eadc6a40e93a0b6a262db16d1cf696388e758fd406542e48924a972c0708e5f4cf2418c84057e2e5418bd72f471e442913ca8cef0ed3b344ad66470f58dc196c845f902f5dfca3515c4cf12639cb2e7f0464404156057198fc4fb814ae46444050d5a3d825ecb4f73b90bbd5e8857430a840717b9d8057dee2e5f76dd7daffeb560a09d657005cd99affb347a607cd8c2ca3cc153fb6279317dd15f154301ab21d103fb271847745e43b478d2f03713040d70b358a336ac6e74965941c0867730cb10dad82a19d663e7aaaa93aacd19ba1ad2190400acccf6bbd511ee63be7da6ae579fd32dd2476ccaaf30fb392acd868e1b62ac05d776e35489390341da558c66ec6d1b10ac60cf022fa913359ee5c5aed521fd0a789bd900055503cc42b3dcdf68b148766c6c0a0628a05921c128d7cc1eb116056ff8caf67cf4829eefd9e2a0371397c393e5d32de5989e31efbbf949560edfbfb8a2c58cca7b58727a9fa6cdab2928a99548f13a3cb782496d43ef3e2ace913dbeda715c41ffaafe7088aa0f2f4b6ab07c75903235111a1d6e1ac728305dfda6d30f36f3dc2235379825d720e3922872a22e531b40bb3c26dc862bfc81f779cf50fb721fd3b1a019194a23a7dda511169619f3837fa0f12acb3337cb254efe3932daf2a71c76758cebc0e8a7532e4dd5e3cb15d340566e5016ba409fb29a297c5fadef886f6240021f3954d4111320f7dfa69f71315ed8baf2509a259b0e36f60b9998ea32a03ade2827f3f86d3a738e574f570910b8922fd2666ffe89b52b78b1cf3cff6814b1421d09a03922267f8cc2f44d02225b4515908d280b88e6a1aad1d88e55feb60595020e68bfee64a17f765a04a0a29b4ac2d60286ffcbeb8f6b8d1f6c9bacfd2710a8ba3531caafd4106b12f32ece35718f4002c553de1f39a6e4c74cf4a22a9fdbb33760c12a263cc8dce8d4050540bfe81e896b1b25f9f3808c31f24f9d8a9fa06be194863a0355451ec3b47ddc323af85c23cf2abe977e1694844752f95d1ea1288193d7698abf0407cb8aeedb97d7f264ad8b2468a629af4f1548e633569a70fb378c439bd9b371f1bdf0a300415278152346c58769b656a34d1b36cb721e5f32221bab0073384fcd6f804395c54a07f8e341c612723b205b4d0b2c1aff1c50ad7915c79d5de3fdbf1e9aec30644ddb0fa498bc9ccf2b5703a648d63c259d1f6b1cf41479a4f64d0aa1dabefe11eca37ac7bc3de0ec6e191b4f5b0af6a6688d76b3e2eeb01361fbd79726953c051ee939808654e3e1b4440936086f2251d4606823a3fc6776e2cd8bb7f4318d415c8e97ad80b6cf09e5f56ba1759e805db23987c55616444da289c87e6b2f061fd40de35a1fbe55cb41131f901ff67c8730aa810733fe762947fa8c25b77c64137a8cbbefa9c434663193143dbf661010cf6f173bcd6fb79019cbdda33088a26f7c76f627340d3b15a8036c63dcc455a05a6bc338ca246a99804d7096d19bd6bc9cea9369ee41faffad6b2ac0179db90b5135c7e08b95f45f481feb70214b828950320bed18c762c7da42abaea6094e70676d146478a9cfbcc60bfea218793414e08f7005428f22af9b02e7a38c0d5e38f015cb6ec02a78547ac66972596cc388d63af3e5b16ba4dc8b13ca14978fa9ed473cf2d9baa97a636e763856382bcb686664ee912f2be30820b4a51a0df2e892d65e9d006c6f1a70895b4f7042183acb20893b0dc42201d4b830a93519182c2e307dc8198cea6e29dcad2612beee2bee1771ac465a111db0cf2cc1d9195aa704ef2ec31bb1d3eb712f0d7ce842c4a7d0f9edf88357f268ab10a5fdd0f2cd13420fe7578bad6e11905ac7c621e1b9f69099b68f926389bce8af14d2b7e9caf8f55ec56b274157ccb903b437b4aff23590feb6e35305f33b1d0e9734335754a11cf94c6a9831b4a01539cb009c52a74aa1e97d905b29001385126a591ad8e3ec527412b28bb042035bfe687267e622d2a93fe8f90c34d29cb474d613749e736bdfd983b308ad4fc887da4b326400c7f3f6c957e08a955679a6ba711d812c74506887d181e2a5a8d0d9562b5680d80b04d5365126593e4d5b898aa4abab7b38bea358963c1dfb753663cf8fc8cfca551e4a1769fd4f6d6fcc226ee5e32f81e13f004e7f954f43c287007d5ae4b50aa79b039387db44d180ddd1669aaff187c3225a0980b34f999c400b34d9236800f8ede74ff342774a033a52a47957e6175e40273a1abec390dab203e33c3989344ede738119b515ec76befd4d17f2f61bbf03040016f2b0c2bc8455e9ec3b65bcf9c41e92f0739ea56cc94918a52fdd60a848a40dacb55b80949993d382012ab5afa0893d077ba0ccaa41b0c629298905a02e24df07c984a22931e5d35f4635c021fcbc12e570cccf0f17a3ca85f9d96e4e385b64debc5834641240b1b81435fb608931f7f7d6c372c8576bdc3dcee38d3744f4ea01c0e684b7a2d64ff31704173ec194de4b7ced89a051c1779aa35f5e744365870a42b7f8e8d23a99a63b1c5a4c49a5653c11c47b26caa8b42274f1a7f3397262308748b3ecf1672db60af209c28e42e3458d78729b70f83bdd0f3d812c261d64170dcf62b82c1700cb8b15d4434c5798e76019d4ae8a8230a41553e3dc53cea2443566e9d7e7ed0bc90034bac28ffdf2f99949a32b6795fae6bd2d33cf3cd405ea7b210db7fd2310dfc711965638e15b9c3f19e53c7d49a8a53aebf4aea4fe4fa92fbdf798644565fdded87c3a302cdac25ace77dd47407d08939e8a613ef6087c7da1817025506fca214c80b8ef21d8f53ae55947ea25aa0ad3ed18e8b3fe43a9838706752356d34ea5b50560e184dde30ef5b8216b16ad6368b678821e9a189254293d52272b0caaffa426526a0cbd6794d80d718e8dacb6286791abb5d176e61fb66c4b0020d30ba34dfdacc870c3888ac6960f767b0cd861852bc765e7d81f6389eda8ff408803add9939f773e8662667a3f2edb9bfce3fa0df714449ad72e37a4db5cae07dc155920fa7ee0e6557d8807e6c6a84d88bbba87f8dd1c997da54933e5e4369c6e1e4fbd2620b78bc84862c524480aa29d67c5df6fd67e73fb195fcff398406086e22f6f3ad322261804be1b33b596b25d57f3f9977f3f3142cc731d8bfb33302db86e50984e7fd0e67c1b230e4bb93df69fa881f4c85cfcce8e50ba7af2dabda8ab35889db971f106bf4a50324826ea7ffdd7aa553384c18ca767b01eea063f76f49928d7743f3080895f233954f5f2b106836df25fadcfeb79c0c93c20b14046c0eb23c81adcadc84daa917fc4b7dc5ea2ee308542a0b372846e0e7d38e5c66f23dd78c4ec5c4433540cec293e6a77db2b630b4dd605fe48c9195f62126874423700545a40b9a9d7e8f2b2caa505632a5106011434f14216ddc63cf4d72dd50393aec449871f00de0b1dbbcf56dc727a7e5cd0ea4d3d1ba3d517c47e515f0a6d297d9a23bb2d175a5c33347e7e1a70049b35124b8da1c46b4e6ba7f21aa2a17b5d8caebc277d312adc161748f3912d17eae6a11fd42385bb62", 0x1000, 0x3}, {&(0x7f0000000300)="1dbdb03ed82daab8990ea736f7f73b8363e297293641b7c19a357c41e9968d8be85dd554e586605e83e775df8e652b83480a922389156a48adfd2ae0945ea464bdd2530426e28186c4255f191027455c4b19ad040c7b191f574cd5b107a31b8b2b0358f49066c67e968079272fe94e9229d7da55fbe28775d6877e493f516a7621dad08a5eb8e3c266dda227d1f19f152b6a9f91ff0f113090f69f5ffecbc6d96ecd9f04addda4b4cba0a35c4b6a533aae6519d98caf6ef81f41940b63cf9664762758ef6f618bc47d", 0xc9, 0x7f}], 0x100001, &(0x7f0000000140)={[{@unhide='unhide', 0x2c}, {@map_normal='map=normal', 0x2c}, {@utf8='utf8', 0x2c}, {@cruft='cruft', 0x2c}, {@nocompress='nocompress', 0x2c}]}) sendmsg$nl_route_sched(r2, &(0x7f0000000000)={&(0x7f0000000080)={0x10}, 0x0, &(0x7f00000008c0)={&(0x7f0000000dc0)=@gettaction={0x18, 0x32, 0x5, 0x0, 0x0, {}, [@action_gd=@TCA_ACT_TAB={0x4, 0x1}]}, 0x18}, 0x1}, 0x0) 05:01:29 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") r1 = accept4(0xffffffffffffffff, &(0x7f0000000140)=@l2, &(0x7f00000000c0)=0x80, 0x800) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f00000001c0), &(0x7f0000000640)=0x4) socket$netlink(0x10, 0x3, 0x0) r2 = accept4$netrom(0xffffffffffffff9c, &(0x7f0000000480), &(0x7f00000004c0)=0x10, 0x800) pwritev(r2, &(0x7f0000000300)=[{&(0x7f00000002c0)="89be8339", 0x4}], 0x1, 0x0) ioctl$sock_netrom_SIOCGSTAMP(r2, 0x8906, &(0x7f0000000940)) pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$DRM_IOCTL_AGP_ENABLE(r3, 0x40086432, &(0x7f0000000700)=0xfffffffffffffffd) socketpair$inet_smc(0x2b, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl(r3, 0x8001, &(0x7f0000000ec0)="dbc34f32f04d15fd67445fdbec4fd373f1804efb07309281f5eec657ea18442cf6c49562241dc3ce5894847422474c4bdf254ac5b112e50beb40d38b13d3bf07d0f29f1bce0a11ea9aa7fcf75b45a9f15c30c5cb9a1e67b911bad42d8aa0e819f7ebc065759dde3b0b55a500c66f1d10327fc34f14e9c6edb898fdbe4cf5f48c9e1a10759a517cae6dee11b277696b60cc1ff625ee877cbfcdde9486e76981ef313c650a01c2422248fdea4d530847d54bbd137ac5a39a21de9cfa7a29d765246c269a05757c46fe9a9e75cb9cccf8a8b3a2713d6e7fc42d0bf773570076363a575da7fa02bfcf70621f162d0bea8c77c9b2a2889325ba26adc6d8301569ddebaad2485f5843ef77731fb1dc2f1722c819ff1ca2c0ff4f1e5fd90d3848e0e8b9ce7ccfc504f7343408c3f47d040f5539957db65405c55f2c2924ec9aa5d2731cb0617b") socketpair$inet(0x2, 0x20000002, 0xffff, &(0x7f0000001680)={0xffffffffffffffff}) getsockname$packet(r1, &(0x7f0000000880)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f00000008c0)=0x14) getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000580)={0x0, 0xfff, 0x1, 0x7fffffff}, &(0x7f00000005c0)=0x10) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r1, 0x84, 0x7b, &(0x7f0000000680)={r7, 0xa6}, 0x8) read(r5, &(0x7f0000000380)=""/235, 0x4a) r8 = socket(0x400000000010, 0x3, 0x0) bpf$BPF_PROG_ATTACH(0x8, &(0x7f0000000280)={r6, r3, 0x1, 0x1}, 0x10) write(r8, &(0x7f0000000340)="2400000021002551071c0165ff00fc020200000000100f000ee1000c08000f0000000000", 0x24) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000200)={r4, 0x28, &(0x7f0000000180)}, 0x10) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r10, 0x1, 0x1a, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x50}, {0x6}]}, 0x10) sendmmsg(r9, &(0x7f0000003840)=[{{0x0, 0x0, &(0x7f0000002240), 0x1ba, &(0x7f00000022c0)}}, {{0x0, 0x0, &(0x7f00000026c0), 0x0, &(0x7f0000002700)}}], 0x75a, 0x0) 05:01:29 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x10}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:29 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7400}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:29 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x3000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:29 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') getsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r0, 0x84, 0x12, &(0x7f0000000280), &(0x7f00000002c0)=0x4) setsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f0000000140), 0x4) write$rdma_cm(r0, &(0x7f0000003240)=@create_id={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000003200)={0xffffffff}, 0x2, 0x9}}, 0x20) write$rdma_cm(r0, &(0x7f0000003280)=@listen={0x7, 0x8, 0xfa00, {r1, 0x6}}, 0x10) readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r2 = socket$inet_tcp(0x2, 0x1, 0x0) r3 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl$VHOST_VSOCK_SET_GUEST_CID(r0, 0x4008af60, &(0x7f0000000400)={@any=0xffffffff}) link(&(0x7f0000000440)='./file0\x00', &(0x7f0000000480)='./file0\x00') ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r4, 0x84, 0x75, &(0x7f0000000500)={0x0}, &(0x7f0000000540)=0x8) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000580)={r5, @in={{0x2, 0x4e23, @multicast1=0xe0000001}}}, &(0x7f0000000640)=0x84) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r2, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) readlinkat(r0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000240)=""/26, 0x1a) setsockopt$IP_VS_SO_SET_ZERO(r2, 0x0, 0x48f, &(0x7f0000000040)={0x0, @local={0xac, 0x14, 0x14, 0xaa}, 0x4e22, 0x200000000000003, 'lblcr\x00', 0x10, 0x80, 0xc}, 0x2c) fcntl$F_SET_RW_HINT(r0, 0x40c, &(0x7f00000004c0)=0x3) 05:01:29 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x5000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:29 executing program 4: r0 = socket(0x11, 0x100000803, 0x0) r1 = socket$inet6(0xa, 0x3, 0x8) ioctl(r1, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000006c0)={'bond_slave_0\x00', 0x0}) ioctl$TUNSETIFINDEX(0xffffffffffffffff, 0x400454da, &(0x7f0000000700)=r2) r3 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000000)='/dev/urandom\x00', 0x40001, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000040)={"6966623000faffffffffffffff00", 0x5001}) [ 1085.996065] IPVS: set_ctl: invalid protocol: 0 172.20.20.170:20002 [ 1086.013034] binder: 30193:30195 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1086.022968] EXT4-fs (loop5): VFS: Can't find ext4 filesystem 05:01:29 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0xc800}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) getsockopt$SO_COOKIE(r0, 0x1, 0x39, &(0x7f0000000040), &(0x7f0000000140)=0x8) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1086.076831] ceph: device name is missing path (no : separator in /dev/loop5) [ 1086.108625] binder: 30193:30195 BC_FREE_BUFFER u0000000000000000 no match 05:01:29 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1200000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:29 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) r1 = syz_open_dev$usbmon(&(0x7f0000000240)='/dev/usbmon#\x00', 0x3, 0x20000) ioctl$PPPIOCGMRU(r1, 0x80047453, &(0x7f0000000280)) ioctl(r0, 0x4000008912, &(0x7f0000000540)="02e99c4225b14b451b8b806c4accd485bb5c7357389d494f2a9a1842af21bcd067693b54f494c17fc908c292cd713b98ebd8f38f7892fa3e45b9306c3d0ba3e0b2714a202486d85a63e46177c61f5769171c1e0f1aeb0a955ae5e745707610d4f03f0000000fc6272dbbea141dac4d6e1f76cf44efd816407a906df1edb739620f9f5d6d6d72c2fc44178695e4df19a6bd329b43ffb81aab1961a7a5b3a2162ca23a5cddcc4aabf6a9508cfaa37a939e44ceb03606b0bdb6960d12cda85ee21eded4c0e5b42a4d12ed2fcb6ff905578f2de3cabedc8d9b1ef68951d63070d69cb562bbdf7d1625d94b44ec4ad7b3a28a9ca28f3344b5672cc3703a1a214e8c3d41ead00ec436570bf606f656332712a7bed8c11f6f80a8291704f827caa9dea88e09b2fd9979fd1f6097091934dfabafb02bdb065e108ffb100de003c718e49baa195f203e1eadc6f4ebda35d2a9600f8d84b706b60e6b266b07b1846cd83744b5a7721d57b809af3f1286b91919a390964384a9a78514b9a5d9198165ae701b6c7a200e1917e464e192b0829d7ac851153913c2cae28d05f164338323e4f9088dc2891618a2177c7820db820586bdc12dc43c613a1291b73c8bea78013731164a717838a6fa62bab5058a514d73730d41b0543b879347b76770aaa8cf49ee9223202233831debdd079e6d940ebe73bad0702b69ec1fe4388fb954c5b75c7ba229b630bb90528663de255cbfa442acab45c40345b247ea8fe0f2eb312aa3008298cc1b71269b5484abb5d24a148a485c459fc7bc4d6b8114ff2c9708cc263939c990a74c336d219f882b62b084ab6d94dc12520d91dd43969294783565930c479e43b44208034ecacb92f204e6ed284cf2b7dbe144") unshare(0x24020400) r2 = perf_event_open(&(0x7f0000000140)={0x2, 0xb1, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r3 = open(&(0x7f00000001c0)='./file0\x00', 0x80400, 0x101) ioctl$SNDRV_CTL_IOCTL_TLV_WRITE(r3, 0xc008551b, &(0x7f0000000200)=ANY=[@ANYBLOB="070000100c00000000080000ff03000002000000"]) syz_open_procfs$namespace(0x0, &(0x7f0000000100)='ns/pid_for_children\x00') syz_open_procfs$namespace(0x0, &(0x7f00000000c0)='ns/pid_for_children\x00') r4 = fcntl$dupfd(r0, 0x406, r2) r5 = ioctl$LOOP_CTL_GET_FREE(r4, 0x4c82) clock_getres(0xbd6387011629ee16, &(0x7f0000000080)) ioctl$LOOP_CTL_REMOVE(0xffffffffffffffff, 0x4c81, r5) fgetxattr(0xffffffffffffffff, &(0x7f0000000400)=@known='system.sockprotoname\x00', &(0x7f0000000440)=""/246, 0xf6) ioctl$SNDRV_CTL_IOCTL_TLV_WRITE(r4, 0xc008551b, &(0x7f0000000000)=ANY=[@ANYBLOB="dfbf0000280000003f00000008000000080000000300000006000000010400006e020000ffffff7fff07000008000000"]) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000040)={0x7, 0x81, 0x5, 0x623, 0x8}, 0x14) 05:01:29 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETVNETBE(r0, 0x400454de, &(0x7f0000000040)) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f0000001d80)={0x0, 0x1000, "ce14f2ce692ea56dcbbb42efce5b868da00c6f3c11b42ab2b8e636c723b7f553de14663268a77357f0fd8ba5d7c0b1d291dd5363cdf69c48dda922f36d6aeacb3de1de8a457669733cd810e9b4dfb0947399298bf51d629873ac0987faccdcc539b7f8e5c4cbe51dcd39f2f2f2723896878d927d4e1bd84eaaf8fc8897f1e12ee782ac535a2e2e667f82541e44b355468369ff5b0f5d9af7af2c4083b1473e58f30f233f3a7f7d032e80926308d0b8217972c453610c595436a13304c15ea65ad0849d44ff2841fdec7ed4fa4f8822552b26e6df8e7a02f7e59d641d4324de46b714cb0622d687cb133d956ff51a127408b2b7f89fa5cb6bd557ddb0e9e6f737fe26a8f4ded8d8f90ab9a7f312bd45156be6a6cfe86787985d5b979a6af1e41fc2ec68327f71b32c7beba174b577567716aa330804d186002d20780bce70727424080e7f5899534c4f76f31efbc19aeb2a70ccf017ef2a79bec8cacb69f27b4110e78d4e7448f201f9ec74a5b0e83b63310299d3004e53c1f4044cf564390dc60baf5d6d3047fc514e5a1d242e2137b9f742a3f354efd8df3a3b708bfdefe2ae6ddca7a83341b0efb7a68dc215762c9d9cfde4cbb340c0d576cab32d4d26c4a8b1ee4d9cc78b1cc083edf1a3f63199b1570438fc4ccadc614b2e1b0c5d200ded07276c5758095fdc4d895e17c5824fd231f0c4d61e012d8d2732caf7b868a4c78503b6034387e259009eb84015167d3aa917604c2ca3cb3d39dcdbc30cb6e1affed09f28f6a76b6801852614813cba292887cc6cb8b47c95e3108ce03736bd185699289f57e2c0ac319277bd53d2f8b7845da5012f2f7eedec0bd878f75f9269001c3e351fbc5df63400b89826f0801c4d80249e029efaabe830b4975da53b19779734017b73a643bf80aa24b5150b9ea35e122a63cd90dafa714e8a8e19ed749bd6cce969be6314b84a25246aae84564896679dc695da239bc02d878ff13c665594e2a897995e8d0f69bda59f86bd4c36436c9bb7a0d9c6b980758895d76081330457932b7b315ce4a04c60c0b267905707837bb4f2010f098d0c0f5f03db43e1542fff569c055c0eb996d2c770891d3a4a5617109ddb19fa34a37a9fbc714ebf475b60746ea0b8bb0dd62a4b2f0b0cd6e5af2da2f89e510565a369385f82723df38eef423f808fd2788082fa4aaac5cb0e92c845224d95030e4360a34a0af7de2c5183d9082988a694ffeb353c75fd4fa6ec269ca655bb51cb9b22890b104209b6b2a410b6cb759789a4690fb31c52c3aaa038d20174d364378c7995288930a6b2dd6bc4b619df50ee8f4a4c290517e567c6e4d9943722dd82158f17e6ef943ed6e4dce5b897d30f1066dd70ca546d68ee68e2f7ea5b52925c5e21deac4dc8fb93b09ce3b4f12821d7a4a4a9cc9058c3d7f7ac82035b6c98542b4a4fa361d46cffafb6bd64e2b8b5965021868ba17740c620e34016727b27c1e6e3f88c183b0b87e61ea22d5d5f06ecd899ac396dc953f843a82a51cfebe7d719334a581d1334423c073701d5ebda647d68ec8832b36202caacf170cca8c29c7038ea9e1130c88112d54f287b4e33bc4f58772185b30f3f787e27a545626581570ba116ec73cdeecee2ce080f574077e01c5e443438c9d5226a588c4bae862369dca0cccc73ebec49f81b92aea565dbf4df4b8de00d8d4cb30d9b42a406eb296687aade920534239ce6a0368a6c22951a3c8097033d156275e77bdf647f03c3a8c383ace3cc059df0e3569d2e1ad33c811436ea4bf0260dbd1469748fec99706233be96412c2e90c0616ae61813b7be7996f9d4f9aa6ad49c764c97877d79e31edf13c3f1f60c236eb77d9ea382e4e467866ab5d84e7f78239ebe7cf417e07c746d700cbaa0cdaa8b6f235cadb48c3437dae6b1e9741ab7bef0fa3911de79e673dc6bc7cb140892022049f6ccdb61586f37a974bc4c7a1f9823722b417682d736ee14e86f44fb6a9fedecc75e006f3caca33aad23c2587d1c70db6c5915bce4e1187ce1b6722c57c564a9d91c1e2706a664274a9297827db48f1a6828b1b4a93c972a5585bf3adecf8c15c4cb4a9aea149cc41fdbe2ab204a398cf6f1dc38beb7a44791da0cf3c706859d4655fb09a82db777a0fea776a6d5c2e5cb7192525fb6163cc01af2a2037882cb8354dfdb29baae5dc3ae2693f4749af6a209f595cd4e917de96937804fb1812fe46b968edfc18ea968305ae5740666a2d8f135de43064533b77ed4e230140752b0a515ef84211e3a01647d77c5570e727ec84608b87f877d48865674ca6e7b54dcf2c774ca07fa670d3e0cda29764236bc72f49d483c68c3c2afc8d3613e3b50d08b48625a70e22881b2c33d3f13ca3ebcb345d7896ff7fc57c0570594845472b05833793a4ccda1ae951974f604b6d57681dfbb973f9003387b5a19945304b796b65c6e0301b4b8b00994feb35cf6325a2730ccf2f5b6b3b093a9d07a0319419c4d325418da16e87ccaa3e215315f12e9f5db1f7385cd834414ea93c09ef1559371d76e463f01a31dcea73e561014c46f893f0942b0658defc8e34a30db15d0800e2c8baf09ce2980277e9af5362c6193636e5936a3453b8d3436f7d5585d04d0f3c4725f573d307fa8a4e1a0447e7be19d3f8551b8dfb57b2d920e3827c1f48a917f04824f795b77f2f12a1040bb13db5a6bab92a91bbd59044a2f48e1f3e0da3e57d804cea71e9c112e40f7fffdb844e86bc4d7c7e0eee2227f6ec8ae3627ec703f790f6356a9e5ccdb0fc3847f8d848ed11aed16b8956cc29dab77174dada151e3372bcfe804bf85f67ab2b8c630f80c3833a5f2169d28f504ff9ea049be905b966c79953063d672eb26edebde859bb10a16353156f89feef6fba77ada382f071ce2c5d7ac1815dc9667484fb9597d452580abde695729dc09860ee226d88fba242a1dde748569d17403956a670bc25d46ea43545160038d1a45a07bd473b78e6d1787ed1ae53934aaddcd983d2875634523297594fd4a714ba85a221001d0c17868400015a263a1c08782d21d63fe80274c5214cc62c4af7340dc926f9f7e71e84b6c215383eeb3e9bf36af83cbd1101c9ade4a015e9c70f35e54ff51ad5d5ad7f0e5f501e253609945c5d620b5f03379f7f996e19f2f3b40a57e3fd95b804b039b22e77ec5d4789cc621b94d0a1f96ef2b749393aab3875857b8ed0996bb406f93a3871a984feb32431269df0672d53220dc709188242d7780ab425e8fdecf2a446203d2058db863edff5e4f51ba0ec3b42255dbe59370f52bbb4c064f10d9b429825f971a60bddbbce3051480ffbf871620d391241812a2ef07aeac0358f4b15fc55a3dcd2aa76f3076008dbd6893ade09c54715efa24c86b7bbeeed19a4cd28c632a19b2ccf2b0a1b86ee67f8b0fcaba19a68d056b46ecf16297a29e712a0cd756213e4d8a4249697708f40203edcb1eeeb15de0b724abbf1793b354be96827cf21b7a8007405293a3d37a334a9de028a8c5aa7d0fe56ed16c86cbab477037fc4672f15992206651e63a53b4b6ebf696453da4d8c91ea8e5a7159a2748766ff3fa1bb12fbbe2c75057b5a54d7e2605465a8476fdbacf59faf24890cc76b24f4184331a7754ff3d3b052acfe21eb0e9175a1a993fc72a64da044d0cf1a39e46ee840a599a6a8aeba7e3817cff5c490c591c98fdc00f65bc7a5d2dc4a5dc962c00ab50376797043890dae63447b5620ae7901c52dcbc21a217ab5139bdc5857572b8496c873a908b10ba34176b17c0cc7e6acd81428ed579bf84df47763aaf39e8998d2bf6d7e04a815bcaa364fbb8144f2ba78141daa587eae54b7bab917004520c099797156201785855bc28b704baabf18619c5f252e9acb6b3d44af4c3052029be680e1fd06df1a38ae9c92c6ebd8a1013d4b508056142e455dad1269e3763b799c0938cb3dede942be16b3864114d3dfc7a4ea0af401c4fa96303a85516eb3c5c66c95e54141fd112fd81fff0aa48d766d249b295a5bb7bdf864f2e214c0cffd9e06db864f1869452572b8792c9ba8217b50d22c3e1a495ec173740cbdcb0e037314cac41a9cee33d33367b0eb608713dd85b950f85e3d239751217dfa76deb6321df95200ea276fba3f3cb883997c7932e00f830bb475cc1842845cbea4edd02e7e2006a925dc5995f4735c2c659bc2ab244087ad0512f07cefc59ac18daaa6875ace94ad5feea7209e43e3e51a1a77e6891bbddce7d36462656748a901dd60b38e5b8a3f4a21b9c33605abe7e1ec7b6c3d4540bc1cf8846285bf3384513ac4f615ff8526fd84bd958ddbff2bd2615147a78b73773f572487fa001bae00369b87d818ff243e3efcadcaea0887ebeb0e7da75afcc2581a59cbe44f137ecf0bac9bf646a19e78bf5ce933d3b25b79149a4b1a98b604a999b2e7a9fa2f685c4d6334771efe913395a3b3a965e451237345735eb1b063c9b177409aae8ca503b3c8bb42d5bd34b8b0ea21c94c200f7018884a2e90af9fb12f082ed46911277bda2212d998ae3d89fc8d9c1e071522406e7dbc2f647bce4ef8a893e3bdd62c272aaf3924a49410aaa37634e835f6393a8f6fc4532cd8c6181502430ce69b4b009ea1305a32246ed89b24eb23e174108fbea584ec7bb3163788163126d0f94a617acf2ad9ab49f8c1c992cab2314088871bb2e903b04803d5424c684e94ec345ca2fadab8fdbb9afcb4a2e7036a4bb66d289837d6fd4789ff997c415d171a6a9a77d19f5f9451cbec90b8f66eab3aec2fd048f7fc86acb5bcce1cfa0badb73886f2a0a373d5d693fdec47c9ab204b344c3c05181e720300663e2bd3ee2ec74314e949a21934030250dae15f5099a921328a10ed567c3018ec66a95f24ab50e0cf6db68f15a4efb7f8f6548ae75d85bcdf9d5582f505c6c876d8ce01101ac4e02053e18276f38f08bc82cbdc0b94a946b34af834f2859ce25dde4ad76656206d17f0b17dcda52db2ed77df317fb57a34c789c1914fdd3de8e4a4a3676f7090190e5fdd13b4e314d8e2811e1aa482fd5ee62425f37b61584f0bb24672804d02de233da31da7a86da7f28c72dabc3289f65ec48983e666da937e5127185e5c034d93ddec2693513c81abb96ca247090f0c5705e40ed4a0406ec461033eb5923f8c16e4c65ee771ad9a4a6a53aad5fad99999e84a483ef74d05fb127431c9c6de5b6ae7b3dd311da6314f62ebe6cdf6b6a33e1366e10d16065b1caaa6c5ae6418683cef261724081ab8c8495fdd22d706da0569a8c127dbb98951bbedfe8506c5d20a32d1cc91e3a70a5e1a8c6766f47be86375c73044375758ca23c3667a9849bd0a7c064b0abfba4593480004138665a085903ae01e7d44eee1f596a39a90dcf60ef9acab39ee0ab7d56240c17e84a2e0877c0c0c8820a163c19b2501d87abf2479856d5a980f81f2f281f72eb876864d5d8301f63a706e75bcf4cf7fc1477d9a850004d3b61ad5b32e934c4af9c27c82fc3952c8a246776419b1ea8383404360772630bdba2e991238672bc570062ac6a7d9cdda1f2f7582ec86d2924fb23f263c94b2f345ea8239ba9df977ac158d3b84032f9ada789795cabbb438fde851411b0fb2b6856ee1e2fbc5a10570d940384885d7129dd0bdc776e5435b8aea0f8dccb60d1c96fe7fa7759985891ec04b121e1f5af03e94f40d4879fe6a962e4780d1ad27d0644739a833ab73240013b97c471b595cc74ac8a6bc3c9724bf6477350e3c2f4084fe354dd536708df1205dac83647c91a0f0b6819"}, &(0x7f0000000140)=0x1008) setsockopt$inet_sctp6_SCTP_MAXSEG(r3, 0x84, 0xd, &(0x7f00000001c0)=@assoc_id=r4, 0x4) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1086.220775] binder: 30193:30195 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:29 executing program 4: r0 = creat(&(0x7f0000000700)='./bus\x00', 0x0) ftruncate(r0, 0x8200) r1 = open(&(0x7f000000fffa)='./bus\x00', 0x0, 0x0) openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net/syz0\x00', 0x200002, 0x0) r2 = socket$alg(0x26, 0x5, 0x0) bind$alg(r2, &(0x7f00000000c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'ctr-blowfish-asm\x00'}, 0x58) setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, &(0x7f0000003100)="b7f2288a", 0x4) r3 = accept$alg(r2, 0x0, 0x0) write$binfmt_script(r3, &(0x7f0000000000)=ANY=[@ANYBLOB="1821206bf70000efffffff00000000"], 0xf) sendfile(r3, r1, &(0x7f0000002ec0), 0xfffffffe) socket$inet_icmp(0x2, 0x2, 0x1) [ 1086.261275] binder: 30193:30195 BC_FREE_BUFFER u0000000000000000 no match [ 1086.454988] FAULT_INJECTION: forcing a failure. [ 1086.454988] name failslab, interval 1, probability 0, space 0, times 0 [ 1086.466321] CPU: 1 PID: 30212 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1086.473264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1086.482630] Call Trace: [ 1086.485242] dump_stack+0x1b9/0x294 [ 1086.488896] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1086.494797] ? unwind_get_return_address+0x61/0xa0 [ 1086.499749] ? graph_lock+0x170/0x170 [ 1086.503563] should_fail.cold.4+0xa/0x1a [ 1086.507617] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1086.512715] ? __lock_is_held+0xb5/0x140 [ 1086.516780] ? __kmalloc_node_track_caller+0x47/0x70 [ 1086.521890] ? graph_lock+0x170/0x170 [ 1086.525689] ? __x64_sys_sendto+0xe1/0x1a0 [ 1086.529923] ? find_held_lock+0x36/0x1c0 [ 1086.533982] ? __lock_is_held+0xb5/0x140 [ 1086.538033] ? check_same_owner+0x320/0x320 [ 1086.542346] ? rcu_note_context_switch+0x710/0x710 [ 1086.547282] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1086.552564] __should_failslab+0x124/0x180 [ 1086.556797] should_failslab+0x9/0x14 [ 1086.560582] kmem_cache_alloc_node+0x272/0x780 [ 1086.565163] ? __kmalloc_node_track_caller+0x47/0x70 [ 1086.570280] __alloc_skb+0x111/0x780 [ 1086.573989] ? skb_scrub_packet+0x580/0x580 [ 1086.578314] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1086.583843] ? ip_generic_getfrag+0x11c/0x2d0 [ 1086.588331] ? ip_reply_glue_bits+0xc0/0xc0 [ 1086.592685] ? raw_getfrag+0x15b/0x220 [ 1086.596564] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1086.601574] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1086.606588] ? raw_destroy+0x30/0x30 [ 1086.610298] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1086.616087] ? ipv4_mtu+0x375/0x580 [ 1086.619706] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1086.625168] ? lock_acquire+0x1dc/0x520 [ 1086.629142] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1086.634669] ? ip_setup_cork+0x4dc/0x7c0 [ 1086.638719] ip_append_data.part.48+0xf3/0x180 [ 1086.643301] ? raw_destroy+0x30/0x30 [ 1086.647002] ip_append_data+0x6d/0x90 [ 1086.650793] ? raw_destroy+0x30/0x30 [ 1086.654498] raw_sendmsg+0x1dae/0x29b0 [ 1086.658378] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1086.663469] ? rcu_report_qs_rnp+0x790/0x790 [ 1086.667869] ? graph_lock+0x170/0x170 [ 1086.671667] ? expand_files.part.8+0x9a0/0x9a0 [ 1086.676246] ? check_same_owner+0x320/0x320 [ 1086.680573] ? lock_downgrade+0x8e0/0x8e0 [ 1086.684708] ? lock_release+0xa10/0xa10 [ 1086.688666] ? check_same_owner+0x320/0x320 [ 1086.692973] ? __check_object_size+0x95/0x5d9 [ 1086.697457] inet_sendmsg+0x19f/0x690 [ 1086.701242] ? __might_sleep+0x95/0x190 [ 1086.705203] ? ipip_gro_receive+0x100/0x100 [ 1086.709526] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1086.715074] ? security_socket_sendmsg+0x94/0xc0 [ 1086.719828] ? ipip_gro_receive+0x100/0x100 [ 1086.724136] sock_sendmsg+0xd5/0x120 [ 1086.727833] __sys_sendto+0x3d7/0x670 [ 1086.731626] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1086.736285] ? wait_for_completion+0x870/0x870 [ 1086.740882] ? __lock_is_held+0xb5/0x140 [ 1086.744962] ? __sb_end_write+0xac/0xe0 [ 1086.748950] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1086.754502] ? fput+0x130/0x1a0 [ 1086.757799] ? ksys_write+0x1a6/0x250 [ 1086.762771] ? __ia32_sys_read+0xb0/0xb0 [ 1086.766847] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1086.772401] __x64_sys_sendto+0xe1/0x1a0 [ 1086.776475] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1086.781511] do_syscall_64+0x1b1/0x800 [ 1086.785409] ? finish_task_switch+0x1ca/0x840 [ 1086.791957] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1086.796909] ? syscall_return_slowpath+0x30f/0x5c0 [ 1086.801865] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1086.807250] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1086.812123] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1086.817324] RIP: 0033:0x4559f9 [ 1086.820502] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1086.839756] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1086.847462] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1086.854719] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1086.860763] ALSA: seq fatal error: cannot create timer (-22) [ 1086.861982] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1086.861993] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1086.862003] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000037 05:01:30 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xffffffff00000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:30 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x2000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:30 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1) ioctl$VHOST_GET_VRING_BASE(r0, 0xc008af12, &(0x7f0000000040)) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) r4 = shmat(0xffffffffffffffff, &(0x7f0000ffd000/0x2000)=nil, 0x4000) shmdt(r4) 05:01:30 executing program 7: socket$inet6_tcp(0xa, 0x1, 0x0) r0 = openat$nullb(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/nullb0\x00', 0x4002, 0x0) fallocate(r0, 0x0, 0x0, 0x7fffffffffffffff) r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x10100, 0x0) r2 = dup3(r0, r0, 0x80000) getsockopt$bt_BT_RCVMTU(r1, 0x112, 0xd, &(0x7f0000000100)=0x800, &(0x7f0000000140)=0x2) renameat(r1, &(0x7f0000000040)='./file0\x00', r2, &(0x7f0000000080)='./file0\x00') ioctl$KDSIGACCEPT(r2, 0x4b4e, 0x2e) 05:01:30 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f00000000c0)="295ed277a4200100360070") r1 = socket(0xa, 0x1, 0x0) getsockopt$sock_int(r1, 0x1, 0x22, &(0x7f0000004f40), &(0x7f0000000000)=0x4) r2 = gettid() r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero\x00', 0x400, 0x0) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x100, 0x3f, 0x1, 0x0, 0x2, 0x1, 0x7, 0x9, 0x9758, 0x5, 0xffff, 0x20, 0x6, 0x9, 0x1, 0xbc1b, 0x7dd, 0x2, 0x4, 0xe38e, 0x1ff, 0x6b9, 0x7, 0x2, 0x10001, 0x3, 0x5, 0xfffffffffffffff7, 0x401, 0x8, 0x1, 0x10000, 0xfffffffffffffff8, 0x40, 0x7335, 0x0, 0xaf6d, 0x1, @perf_config_ext={0x2b40000000000000, 0x9}, 0x8000, 0x8000, 0x20, 0x3, 0x6, 0x6, 0x9}, r2, 0x2, r3, 0x1) 05:01:30 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0xa}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:30 executing program 1 (fault-call:4 fault-nth:56): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:30 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r2, 0xae60) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) ioctl$KVM_SET_LAPIC(r3, 0x4400ae8f, &(0x7f0000000240)={"0d48c1fedfedda2782cffab40681152b3bf9130fe9873689af4f63aeb0fbd45246146977168a29c16c0d1d5c9b91cfdac4b6cc7e8beddd032075d11104171867ecd140948d756859debeda601d44059ca6c31228e45aa5957a839151c2ea7fd0a37a51f5cbfe09f2e9822fa6c89d3eaec4b93bf1c6daf19b9b72a58b7192efc993dc01adbc0781cdff49fc6175b4bf66ba6a75042827a8e6faad508998d8b03dfb7e39c8d63fa974989d95f197d7b75ffe7b3cb607c89241337641353158fbcd3f2a6d24c7a0e74ba34016c8b97639060bd6492b6c33a0fe55237646ba600bcb84f1d7e9f9d0f790fde6ff38d9c2dd2a80e9b82867facd1cb1660a46871dfcc781e99595dd45a741f060ab602b8c67b988c33246e4043d2bff774b9dc289764a0441c0346cbb49d8020c54f5c0bbe5f4b6e0565850ef08f7f6b53d51ae948e93b0b2ee8cea54cd8a11ed54fccecb2b4008335bbe4d70fbb9c058525db6178d894a762558b5dbba9df210354d8abae5002683d9322cbbe91c14f3bbd6d833f92523563dac9fdfae51b6732bde82817612e93dac753f2a02b1db5844f60577e385846b2709a214e8b1545581e393770bcc649cfb62e07d337a88b2067b848a241295babceb908a1adbac8543d2541251daefa14a8de75f81347151c00b2b7842d86f66c3ccc924a5658b7998e803d99c14b6983980f4a308bd7c6d1d5f27b2eec9234954cf52106a505b273e9071b984e4f48c90bcc398f095e374fe1fb54b8349210b895f7bb25cf7d0a83a0722f1fca5f5b18ed3b4eb2f3f05db58ace2debe5058056764349837294a7e656e9f443ed5098d8b3d3be2f601f10871f61a8cd63889c9323bab28977d88ba0d59decb43c8835d860fe0ec656aec56bfe6485e0c2b158ffaf0bd557c5629324f5767a80dbedbf0d5c89a7de3cfc6878530f69ae862e42ad239eaa784e070b6b9613a0a138a4997930c6447a96335e6a743ce1247ae46b691c661e96f1dfdb758ce18c239e8ccd0ac82c68226b64e5211b56544dce4b7f14e0794682c817d6db335bfebdffd42e56bebf3720b9f12dc0331c0b3169792f0600fbf9e18a15b125fb437de12ed4560ff5b98e5519ec79d5c6fe86c87c40f61b1585cabe393d5f93cb796ee528f1f6a37f5931cb0b21a47eff5672ebc8097cd9a88a4ac7b2d260514316fc0093e3a102dcf5e02b4e88f54c5ed8b9c0cc0bf9e236882e224e6629c699d8281465ffbbb0f1640e95397f4d457cfe35516470a4392f3cb2ac46776404b7fa12d53c20c6be84be0c54d730b6783fdebf63bbe71ca7cc01c6807f4bd1b8454fb22dbf09540e820a9e5604439c3136f79c7945e016ff048e71ee49c746b3432feb3136d3220e8be824a058410b98e310112e75c3f097d4c6275d3dc2979309336db56c62263668d32971a08d9c263b8ada37063"}) ioctl$KVM_SET_IRQCHIP(r2, 0x8208ae63, &(0x7f0000000080)=@ioapic={0x2, 0x0, 0x0, 0x0, 0x0, [{0x0, 0xfff}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, 0x0, 0x0, [], 0x1ff}]}) [ 1087.054348] ALSA: seq fatal error: cannot create timer (-22) [ 1087.092701] binder: 30247:30254 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1087.103870] FAULT_INJECTION: forcing a failure. [ 1087.103870] name failslab, interval 1, probability 0, space 0, times 0 [ 1087.115170] CPU: 0 PID: 30250 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1087.122110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1087.131472] Call Trace: [ 1087.134085] dump_stack+0x1b9/0x294 [ 1087.137735] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1087.142944] ? is_bpf_text_address+0xd7/0x170 [ 1087.147457] ? kernel_text_address+0x79/0xf0 [ 1087.151882] ? __unwind_start+0x166/0x330 [ 1087.156051] should_fail.cold.4+0xa/0x1a [ 1087.160218] ? __save_stack_trace+0x7e/0xd0 [ 1087.164564] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1087.169681] ? graph_lock+0x170/0x170 [ 1087.173531] ? save_stack+0x43/0xd0 [ 1087.177158] ? kasan_kmalloc+0xc4/0xe0 [ 1087.181059] ? kasan_slab_alloc+0x12/0x20 [ 1087.185199] ? find_held_lock+0x36/0x1c0 [ 1087.189249] ? __lock_is_held+0xb5/0x140 [ 1087.193304] ? check_same_owner+0x320/0x320 [ 1087.197616] ? rcu_note_context_switch+0x710/0x710 [ 1087.202535] __should_failslab+0x124/0x180 [ 1087.206761] should_failslab+0x9/0x14 [ 1087.210559] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1087.215658] __kmalloc_node_track_caller+0x33/0x70 [ 1087.220580] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1087.225325] __alloc_skb+0x14d/0x780 [ 1087.229027] ? skb_scrub_packet+0x580/0x580 [ 1087.233338] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1087.238876] ? ip_generic_getfrag+0x11c/0x2d0 [ 1087.243578] ? ip_reply_glue_bits+0xc0/0xc0 [ 1087.247894] ? raw_getfrag+0x15b/0x220 [ 1087.251765] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1087.256772] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1087.261780] ? raw_destroy+0x30/0x30 [ 1087.265488] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1087.271278] ? ipv4_mtu+0x375/0x580 [ 1087.274921] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1087.280368] ? lock_acquire+0x1dc/0x520 [ 1087.284347] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1087.289871] ? ip_setup_cork+0x4dc/0x7c0 [ 1087.293924] ip_append_data.part.48+0xf3/0x180 [ 1087.298493] ? raw_destroy+0x30/0x30 [ 1087.302194] ip_append_data+0x6d/0x90 [ 1087.305979] ? raw_destroy+0x30/0x30 [ 1087.309687] raw_sendmsg+0x1dae/0x29b0 [ 1087.313575] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1087.318668] ? rcu_report_qs_rnp+0x790/0x790 [ 1087.323068] ? graph_lock+0x170/0x170 [ 1087.326866] ? expand_files.part.8+0x9a0/0x9a0 [ 1087.331435] ? check_same_owner+0x320/0x320 [ 1087.335754] ? lock_downgrade+0x8e0/0x8e0 [ 1087.339889] ? lock_release+0xa10/0xa10 [ 1087.343851] ? check_same_owner+0x320/0x320 [ 1087.348172] ? __check_object_size+0x95/0x5d9 [ 1087.352659] inet_sendmsg+0x19f/0x690 [ 1087.356444] ? __might_sleep+0x95/0x190 [ 1087.360406] ? ipip_gro_receive+0x100/0x100 [ 1087.364716] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1087.370241] ? security_socket_sendmsg+0x94/0xc0 [ 1087.374980] ? ipip_gro_receive+0x100/0x100 [ 1087.379292] sock_sendmsg+0xd5/0x120 [ 1087.382995] __sys_sendto+0x3d7/0x670 [ 1087.386787] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1087.391447] ? wait_for_completion+0x870/0x870 [ 1087.396019] ? __lock_is_held+0xb5/0x140 [ 1087.400078] ? __sb_end_write+0xac/0xe0 [ 1087.404046] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1087.409568] ? fput+0x130/0x1a0 [ 1087.412835] ? ksys_write+0x1a6/0x250 [ 1087.416635] ? __ia32_sys_read+0xb0/0xb0 [ 1087.420686] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1087.425519] __x64_sys_sendto+0xe1/0x1a0 [ 1087.429575] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1087.434580] do_syscall_64+0x1b1/0x800 [ 1087.438455] ? finish_task_switch+0x1ca/0x840 [ 1087.442940] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1087.447857] ? syscall_return_slowpath+0x30f/0x5c0 [ 1087.452776] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1087.458128] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1087.462960] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1087.468134] RIP: 0033:0x4559f9 [ 1087.471307] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1087.490561] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1087.498258] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 05:01:30 executing program 5: openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x0, 0x0) r0 = syz_open_dev$sndseq(&(0x7f0000923000)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000068f50)={{0x80}, "706f72ff070000000000000000000000000b000000000000000000001f0000ffffff03000000ef000003ff02000000000012000000000000000000000600", 0x1000000c7, 0x80003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6}) r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x400000, 0x0) r2 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r2, 0x8912, &(0x7f0000000040)="0047fc2f07d82c99240970") close(r1) 05:01:30 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3f000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1087.505534] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1087.512788] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1087.520043] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1087.527298] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000038 [ 1087.547931] binder: 30247:30254 BC_FREE_BUFFER u0000000000000000 no match 05:01:30 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ppoll(&(0x7f0000000000)=[{r0, 0x6300}, {r0, 0x2000}, {r0, 0x100}, {r0, 0x200}, {r0, 0x9005}, {r0, 0x20}, {r0, 0x100a}], 0x7, &(0x7f0000000040), &(0x7f0000000080)={0x7fff}, 0x8) syz_mount_image$ntfs(&(0x7f0000000300)='ntfs\x00', &(0x7f0000000380)='./file0\x00', 0x0, 0x1, &(0x7f0000000440)=[{&(0x7f0000000400)}], 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="6e94adb4cba7a645ad198ad9206c733deaf57469736f383835392d342c00"]) socketpair(0x0, 0x0, 0x0, &(0x7f0000000200)) syz_open_dev$usbmon(&(0x7f0000000140)='/dev/usbmon#\x00', 0x0, 0x0) 05:01:30 executing program 5: r0 = socket$kcm(0x29, 0x2, 0x0) ioctl(r0, 0x8912, &(0x7f0000000000)="0047fc2f07d82c99240970") r1 = perf_event_open(&(0x7f0000c86f88)={0x2, 0x70, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = timerfd_create(0x6, 0x0) dup2(r2, r1) 05:01:30 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl(r3, 0x5, &(0x7f0000000400)="f618ed4c9b88dfac618a96a108e009ae1b657d3bf5311196039b2fc170a335f276dfb31fce4a8470f0e8766d5dda6540f0456a7b065672d0ed4ce844b6b0831ca8019466473a976070e4c03e3f46ab9e9db5f4fed2bb609c1ec8c0dd4d633702450bc614cd175a4489e34f66aa24652da611198188bf65b6d228d64d1f380e00c19ba0bb64e8caeb6fd471c3e7786f9b334f584c70257ef65210e85480b049c1d0ada55482bd848fba942ba47700381b9f3e1b8d03ecbee85ccc51f9a8a8517d1417ce3fa79593e690f1f4ce0472541943fd0d002218b3ec0f1db32cbbbd92ca89379306e7a72f6fed5d5385d3ae0f51a299509d5b") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) [ 1087.612007] binder: 30247:30254 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:30 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x9000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1087.671572] binder: 30247:30254 BC_FREE_BUFFER u0000000000000000 no match [ 1087.715795] ntfs: (device loop7): parse_options(): Unrecognized mount option n”­´Ë§¦E­ŠÙ ls. [ 1087.724633] ntfs: (device loop7): parse_options(): Unrecognized mount option . 05:01:31 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x6c, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:31 executing program 4: mkdir(&(0x7f0000fd5ff8)='./file0\x00', 0x0) mount(&(0x7f0000000c00)='./file0\x00', &(0x7f0000000c40)='./file0\x00', &(0x7f0000000000)='devtmpfs\x00', 0x0, &(0x7f0000000cc0)) mkdir(&(0x7f0000000080)='./file0/file0\x00', 0x0) rename(&(0x7f0000000040)='./file0/file0\x00', &(0x7f0000000140)='./file0/file1\x00') r0 = add_key(&(0x7f0000000180)='blacklist\x00', &(0x7f00000001c0)={0x73, 0x79, 0x7a, 0x3}, &(0x7f0000000200)="fd49cfb70f3527ae786c87bd1c72f827adb8eb9c16841a15741730bd75ddc38724345fd7bcacf345b7eb4f5928f06d7b3bb008234d0ca9b1b33bb6268320aeb81335eea090c7df51509bd3bff2be39a632e542ca44508a7143e353bc4990", 0x5e, 0xfffffffffffffffe) keyctl$read(0xb, r0, &(0x7f0000000280)=""/64, 0x40) r1 = syz_open_dev$admmidi(&(0x7f00000002c0)='/dev/admmidi#\x00', 0x3f, 0x181080) clock_gettime(0x0, &(0x7f0000000300)={0x0, 0x0}) ioctl$SNDRV_RAWMIDI_IOCTL_STATUS(r1, 0xc0385720, &(0x7f0000000340)={0x1, {r2, r3+30000000}, 0x1000, 0x3}) r4 = fcntl$dupfd(0xffffffffffffff9c, 0x406, 0xffffffffffffff9c) ioctl$EVIOCGPHYS(r4, 0x80404507, &(0x7f00000000c0)=""/80) 05:01:31 executing program 1 (fault-call:4 fault-nth:57): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1087.840636] binder: 30301:30304 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1087.871586] FAULT_INJECTION: forcing a failure. [ 1087.871586] name failslab, interval 1, probability 0, space 0, times 0 [ 1087.883018] CPU: 1 PID: 30307 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1087.885520] binder: 30301:30304 BC_FREE_BUFFER u0000000000000000 no match [ 1087.889951] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1087.889957] Call Trace: [ 1087.889984] dump_stack+0x1b9/0x294 [ 1087.890015] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1087.917935] ? unwind_get_return_address+0x61/0xa0 [ 1087.922885] ? graph_lock+0x170/0x170 [ 1087.926707] should_fail.cold.4+0xa/0x1a [ 1087.930788] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1087.935884] ? __lock_is_held+0xb5/0x140 [ 1087.939933] ? __kmalloc_node_track_caller+0x47/0x70 [ 1087.945022] ? graph_lock+0x170/0x170 [ 1087.948814] ? __x64_sys_sendto+0xe1/0x1a0 [ 1087.953036] ? find_held_lock+0x36/0x1c0 [ 1087.957087] ? __lock_is_held+0xb5/0x140 [ 1087.961142] ? check_same_owner+0x320/0x320 [ 1087.965454] ? rcu_note_context_switch+0x710/0x710 [ 1087.970372] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1087.975652] __should_failslab+0x124/0x180 [ 1087.979879] should_failslab+0x9/0x14 [ 1087.983670] kmem_cache_alloc_node+0x272/0x780 [ 1087.988251] ? __kmalloc_node_track_caller+0x47/0x70 [ 1087.993345] __alloc_skb+0x111/0x780 [ 1087.997047] ? skb_scrub_packet+0x580/0x580 [ 1088.001365] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1088.006891] ? ip_generic_getfrag+0x11c/0x2d0 [ 1088.011373] ? ip_reply_glue_bits+0xc0/0xc0 [ 1088.015737] ? raw_getfrag+0x15b/0x220 [ 1088.019613] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1088.024621] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1088.029627] ? raw_destroy+0x30/0x30 [ 1088.033339] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1088.039146] ? ipv4_mtu+0x375/0x580 [ 1088.042762] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1088.048204] ? lock_acquire+0x1dc/0x520 [ 1088.052166] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1088.057694] ? ip_setup_cork+0x4dc/0x7c0 [ 1088.061746] ip_append_data.part.48+0xf3/0x180 [ 1088.066314] ? raw_destroy+0x30/0x30 [ 1088.070026] ip_append_data+0x6d/0x90 [ 1088.073813] ? raw_destroy+0x30/0x30 [ 1088.077517] raw_sendmsg+0x1dae/0x29b0 [ 1088.081403] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1088.086496] ? rcu_report_qs_rnp+0x790/0x790 [ 1088.090894] ? graph_lock+0x170/0x170 [ 1088.094685] ? expand_files.part.8+0x9a0/0x9a0 [ 1088.099252] ? check_same_owner+0x320/0x320 [ 1088.103574] ? lock_downgrade+0x8e0/0x8e0 [ 1088.107709] ? lock_release+0xa10/0xa10 [ 1088.111671] ? check_same_owner+0x320/0x320 [ 1088.115981] ? __check_object_size+0x95/0x5d9 [ 1088.120464] inet_sendmsg+0x19f/0x690 [ 1088.124252] ? __might_sleep+0x95/0x190 [ 1088.128215] ? ipip_gro_receive+0x100/0x100 [ 1088.132527] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1088.138051] ? security_socket_sendmsg+0x94/0xc0 [ 1088.142794] ? ipip_gro_receive+0x100/0x100 [ 1088.147106] sock_sendmsg+0xd5/0x120 [ 1088.150827] __sys_sendto+0x3d7/0x670 [ 1088.154640] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1088.159299] ? wait_for_completion+0x870/0x870 [ 1088.163871] ? __lock_is_held+0xb5/0x140 [ 1088.167930] ? __sb_end_write+0xac/0xe0 [ 1088.171894] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1088.177426] ? fput+0x130/0x1a0 [ 1088.180695] ? ksys_write+0x1a6/0x250 [ 1088.184484] ? __ia32_sys_read+0xb0/0xb0 [ 1088.188534] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1088.194063] __x64_sys_sendto+0xe1/0x1a0 [ 1088.198110] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1088.203113] do_syscall_64+0x1b1/0x800 [ 1088.206984] ? finish_task_switch+0x1ca/0x840 [ 1088.211468] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1088.216385] ? syscall_return_slowpath+0x30f/0x5c0 [ 1088.221302] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1088.226656] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1088.231518] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1088.236705] RIP: 0033:0x4559f9 [ 1088.239875] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1088.259135] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1088.266861] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1088.274120] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1088.281532] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1088.288806] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1088.296063] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000039 [ 1088.321955] binder: 30301:30304 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1088.351113] binder: 30301:30304 BC_FREE_BUFFER u0000000000000000 no match 05:01:31 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") fcntl$F_SET_FILE_RW_HINT(r2, 0x40e, &(0x7f00000001c0)=0x1) sendto$ipx(r0, &(0x7f0000000040)="c93d72ca02a40425f4a7c38ec09637b13e539baf13b756d5bce77bcc8b5ffe8061d8fc4745cd2770d30fae8f3fe09ce479f146ccfdb858ab03e290", 0x195, 0x24040800, &(0x7f0000000140)={0x4, 0x2, 0x1, "45d5e94b28de", 0x1}, 0x10) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r0, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x10}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) fallocate(r1, 0x18, 0x6, 0xc7) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:31 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0xffffff7f00000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:31 executing program 5: r0 = socket$inet6(0xa, 0x2, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000000)="295ee1311f16f477671070") pipe2(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80000) ioctl$BLKALIGNOFF(r1, 0x127a, &(0x7f0000000080)) r2 = socket$l2tp(0x2b, 0x1, 0x1) ioctl$SIOCSIFMTU(r2, 0x8922, &(0x7f00000000c0)={'ip6gretap0\x00', 0x4}) 05:01:31 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x3f00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:31 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x74000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:31 executing program 7: r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000ff4)='/dev/rfkill\x00', 0x1, 0x0) write$eventfd(r0, &(0x7f0000000000)=0x20500000002, 0x8) remap_file_pages(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x2000001, 0xbb, 0x100010) 05:01:31 executing program 4: r0 = syz_open_dev$sndseq(&(0x7f0000000080)='/dev/snd/seq\x00', 0x0, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r0, 0xc04c5349, &(0x7f00000013c0)={0x0, 0x0, 'client0\x00', 0x0, "9e40f2452de294ab", "99dba658cc63144de86c1896569896737e859d855192d6a169b7d4c083f70fd7"}) openat$sequencer(0xffffffffffffff9c, &(0x7f0000004900)='/dev/sequencer\x00', 0x0, 0x0) 05:01:31 executing program 1 (fault-call:4 fault-nth:58): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1088.445130] binder: 30324:30326 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1088.470158] ip6gretap0: Invalid MTU 4 requested, hw min 68 [ 1088.486288] binder: 30324:30326 BC_FREE_BUFFER u0000000000000000 no match [ 1088.497915] FAULT_INJECTION: forcing a failure. [ 1088.497915] name failslab, interval 1, probability 0, space 0, times 0 [ 1088.509257] CPU: 1 PID: 30338 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1088.516195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1088.525541] Call Trace: [ 1088.528124] dump_stack+0x1b9/0x294 [ 1088.531753] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1088.536967] ? perf_trace_lock_acquire+0xe3/0x980 [ 1088.541816] ? kernel_text_address+0x79/0xf0 [ 1088.546216] ? __unwind_start+0x166/0x330 [ 1088.550385] should_fail.cold.4+0xa/0x1a [ 1088.554442] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1088.559545] ? graph_lock+0x170/0x170 [ 1088.563339] ? save_stack+0x43/0xd0 [ 1088.566958] ? kasan_slab_alloc+0x12/0x20 [ 1088.571123] ? find_held_lock+0x36/0x1c0 [ 1088.575182] ? __lock_is_held+0xb5/0x140 [ 1088.579249] ? check_same_owner+0x320/0x320 [ 1088.583564] ? rcu_note_context_switch+0x710/0x710 [ 1088.588495] __should_failslab+0x124/0x180 [ 1088.592745] should_failslab+0x9/0x14 [ 1088.596537] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1088.601639] __kmalloc_node_track_caller+0x33/0x70 [ 1088.606577] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1088.611329] __alloc_skb+0x14d/0x780 [ 1088.615036] ? skb_scrub_packet+0x580/0x580 [ 1088.619350] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1088.624880] ? ip_generic_getfrag+0x11c/0x2d0 [ 1088.629372] ? ip_reply_glue_bits+0xc0/0xc0 [ 1088.633692] ? raw_getfrag+0x15b/0x220 [ 1088.637569] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1088.642582] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1088.647602] ? raw_destroy+0x30/0x30 [ 1088.651311] ? perf_trace_lock+0x900/0x900 [ 1088.655554] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1088.661456] ? ipv4_mtu+0x375/0x580 [ 1088.665079] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1088.670532] ? lock_acquire+0x1dc/0x520 [ 1088.674512] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1088.680042] ? ip_setup_cork+0x4dc/0x7c0 [ 1088.684098] ip_append_data.part.48+0xf3/0x180 [ 1088.688672] ? raw_destroy+0x30/0x30 [ 1088.692379] ip_append_data+0x6d/0x90 [ 1088.696180] ? raw_destroy+0x30/0x30 [ 1088.699894] raw_sendmsg+0x1dae/0x29b0 [ 1088.703795] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1088.708901] ? graph_lock+0x170/0x170 [ 1088.712708] ? expand_files.part.8+0x9a0/0x9a0 [ 1088.717297] ? lock_downgrade+0x8e0/0x8e0 [ 1088.721442] ? lock_release+0xa10/0xa10 [ 1088.725411] ? __check_object_size+0x95/0x5d9 [ 1088.729902] inet_sendmsg+0x19f/0x690 [ 1088.733699] ? __might_sleep+0x95/0x190 [ 1088.737666] ? ipip_gro_receive+0x100/0x100 [ 1088.741982] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1088.747513] ? security_socket_sendmsg+0x94/0xc0 [ 1088.752259] ? ipip_gro_receive+0x100/0x100 [ 1088.756578] sock_sendmsg+0xd5/0x120 [ 1088.760286] __sys_sendto+0x3d7/0x670 [ 1088.764078] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1088.768742] ? wait_for_completion+0x870/0x870 [ 1088.773343] ? __lock_is_held+0xb5/0x140 [ 1088.777417] ? __sb_end_write+0xac/0xe0 [ 1088.781384] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1088.786912] ? fput+0x130/0x1a0 [ 1088.790186] ? ksys_write+0x1a6/0x250 [ 1088.793982] ? __ia32_sys_read+0xb0/0xb0 [ 1088.798032] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1088.803563] __x64_sys_sendto+0xe1/0x1a0 [ 1088.807619] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1088.812628] do_syscall_64+0x1b1/0x800 [ 1088.816520] ? finish_task_switch+0x1ca/0x840 [ 1088.821005] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1088.825935] ? syscall_return_slowpath+0x30f/0x5c0 [ 1088.830865] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1088.836243] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1088.841090] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1088.846271] RIP: 0033:0x4559f9 [ 1088.849450] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1088.868830] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1088.876535] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1088.883795] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1088.891052] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:01:32 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x500000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:32 executing program 7: r0 = syz_open_dev$tun(&(0x7f0000000280)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={"d202b999cf85000000000088f301e710", 0x102}) fstat(r0, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$TUNSETGROUP(r0, 0x400454ce, r1) ioctl$TUNDETACHFILTER(r0, 0x401054d6, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000280)='/dev/net/tun\x00', 0x0, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f00000000c0)={"d202b999cf85000000000088f301e710", 0x102}) [ 1088.898308] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1088.905588] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003a 05:01:32 executing program 5: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e3}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vhost-vsock\x00', 0x2, 0x0) r0 = openat$vnet(0xffffffffffffff9c, &(0x7f00000005c0)='/dev/vhost-net\x00', 0x2, 0x0) ioctl$VHOST_SET_FEATURES(r0, 0x4008af00, &(0x7f0000e4e000)=0x200000000) write$vnet(r0, &(0x7f00000003c0)={0x1, {&(0x7f0000000440)=""/207, 0xcf, &(0x7f0000000600)=""/50, 0x0, 0x402}}, 0x68) write$vnet(r0, &(0x7f0000a8d000)={0x1, {&(0x7f0000000000)=""/24, 0xffffffc7, &(0x7f0000b4cf9b)=""/101, 0x0, 0x2}}, 0x68) write$vnet(r0, &(0x7f000046df98)={0x1, {&(0x7f0000000040)=""/28, 0x1c, &(0x7f0000e9afb7)=""/73, 0x0, 0x3}}, 0x68) 05:01:32 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) socket$inet6(0xa, 0x805, 0x8) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") clock_gettime(0x0, &(0x7f0000000040)={0x0, 0x0}) ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r0, 0xc4c85512, &(0x7f0000000400)={{0x9, 0x5, 0x800, 0x5d, 'syz1\x00', 0x8eca}, 0x0, [0x3, 0x401, 0x40, 0x8, 0xccf, 0x3ff, 0x3, 0x846c, 0x7ff8000000, 0x3, 0x20, 0x10001, 0x957c, 0x8, 0xffffffff, 0x6, 0x8, 0x800, 0xaa3, 0x7ff, 0x2, 0xc00000, 0x100000001, 0x8, 0x9, 0x4, 0x312, 0x85b, 0xfc, 0xffffffffffff8000, 0x5, 0xfffffffffffffffe, 0x5, 0x22c0, 0x80000000, 0x0, 0x0, 0x6, 0x81, 0x9, 0x6c, 0xfffffffffffffd3d, 0x8000, 0xff, 0x3, 0x7, 0x10000, 0x100, 0x8, 0x2, 0x1f63, 0x3, 0x3, 0xe75, 0x7, 0x8, 0x0, 0x7, 0x7, 0x9, 0x5, 0x100, 0xf14, 0x3, 0x401, 0x2, 0xc, 0x2, 0x1, 0x4, 0x100000001, 0xffffffffffffffbb, 0x6, 0x1, 0x3, 0xffff, 0x4, 0x8, 0xffff, 0x916, 0x5, 0x8, 0x6, 0xa3, 0x8, 0x10000, 0xa5, 0x8, 0x7, 0x9, 0x0, 0x200, 0x1e6, 0xb507, 0xc0, 0x0, 0x8, 0x1, 0x3ff, 0x5000000, 0x0, 0x3f, 0x1, 0x80, 0xd685, 0x81, 0x7, 0x2, 0x198b, 0x0, 0x2, 0x1, 0x5, 0x200, 0x7, 0x0, 0x1, 0x3f, 0x9, 0x2, 0x1, 0xfffffffffffff000, 0x4, 0x2, 0x100000000, 0x1, 0x4, 0x7ff], {r4, r5+10000000}}) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) r6 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_SET_DEST(r0, &(0x7f0000000900)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x8010}, 0xc, &(0x7f00000002c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="5a1589ac", @ANYRES16=r6, @ANYBLOB="100029bd7000ffdbdf250600000008000400810000002800030014000600fe8000000000000000000000000000aa08000100020000000800030000000000"], 0x44}, 0x1, 0x0, 0x0, 0x40000}, 0x80) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000940)=""/242, 0xf2}], 0x291) [ 1088.949802] binder: 30324:30326 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:32 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xff0f000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1089.010605] binder: 30324:30326 BC_FREE_BUFFER u0000000000000000 no match 05:01:32 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) fcntl$addseals(r0, 0x409, 0x4) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r0, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text32={0x20, &(0x7f0000000380)="0ca43ef30fbd57b80f23c20f1366d26565df9d0500000066ba2000edc4e1d1fc37b8010000000f01d90fc75b05c744240098d30000c74424025f5539d6c7442406000000000f011424", 0x49}], 0x1, 0x24, &(0x7f00000002c0), 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text16={0x10, &(0x7f00000001c0)="640f602cd8a0020066b9800000c00f326635004000000f30dfdd65640f22930f01d1baf80c66b878ea428966efbafc0cb83e38ef262e642626360f2193cad3126766c7442400110900006766c74424021001c0fe6766c744240600000000670f011c24", 0x63}], 0x1, 0x0, &(0x7f00000002c0), 0x0) ioctl$KVM_RUN(r0, 0xae80, 0x0) ioctl$KVM_RUN(r0, 0xae80, 0x0) 05:01:32 executing program 7: r0 = epoll_create1(0xfffffffffffffffc) r1 = epoll_create1(0x0) fcntl$lock(r1, 0x7, &(0x7f0000000000)) fcntl$lock(r0, 0x7, &(0x7f0000000000)={0x2, 0x0, 0x0, 0x1000000}) 05:01:32 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x1000000000000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:32 executing program 5: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ptmx\x00', 0x4000001, 0x0) ioctl$TCSETS(r0, 0x40045431, &(0x7f00003b9fdc)) r1 = syz_open_pts(r0, 0x0) r2 = syz_open_dev$usbmon(&(0x7f0000000140)='/dev/usbmon#\x00', 0x5, 0x2c000) getsockopt$bt_rfcomm_RFCOMM_CONNINFO(r2, 0x12, 0x2, &(0x7f00000001c0)=""/140, &(0x7f0000000280)=0x8c) r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000)='/dev/hwrng\x00', 0x10000, 0x0) getpeername$packet(r3, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000000100)=0x14) write(r0, &(0x7f0000000080)="bc11fc0a53", 0x5) ioctl$FIONREAD(r1, 0x541b, &(0x7f0000000040)) 05:01:32 executing program 1 (fault-call:4 fault-nth:59): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1089.216466] binder: 30375:30376 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1089.252631] FAULT_INJECTION: forcing a failure. [ 1089.252631] name failslab, interval 1, probability 0, space 0, times 0 [ 1089.264002] CPU: 0 PID: 30381 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1089.265040] binder: 30375:30376 BC_FREE_BUFFER u0000000000000000 no match [ 1089.270938] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1089.270945] Call Trace: [ 1089.270972] dump_stack+0x1b9/0x294 [ 1089.270995] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1089.271015] ? unwind_get_return_address+0x61/0xa0 [ 1089.271032] ? graph_lock+0x170/0x170 [ 1089.271056] should_fail.cold.4+0xa/0x1a [ 1089.311498] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1089.316592] ? __lock_is_held+0xb5/0x140 [ 1089.320641] ? __kmalloc_node_track_caller+0x47/0x70 [ 1089.325734] ? graph_lock+0x170/0x170 [ 1089.329525] ? __x64_sys_sendto+0xe1/0x1a0 [ 1089.333749] ? find_held_lock+0x36/0x1c0 [ 1089.337802] ? __lock_is_held+0xb5/0x140 [ 1089.341856] ? check_same_owner+0x320/0x320 [ 1089.346170] ? rcu_note_context_switch+0x710/0x710 [ 1089.351090] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1089.356369] __should_failslab+0x124/0x180 [ 1089.360594] should_failslab+0x9/0x14 [ 1089.364387] kmem_cache_alloc_node+0x272/0x780 [ 1089.368965] ? __kmalloc_node_track_caller+0x47/0x70 [ 1089.374060] __alloc_skb+0x111/0x780 [ 1089.377762] ? skb_scrub_packet+0x580/0x580 [ 1089.382075] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1089.387607] ? ip_generic_getfrag+0x11c/0x2d0 [ 1089.392109] ? ip_reply_glue_bits+0xc0/0xc0 [ 1089.396424] ? raw_getfrag+0x15b/0x220 [ 1089.400296] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1089.405303] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1089.410310] ? raw_destroy+0x30/0x30 [ 1089.414021] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1089.419806] ? __schedule+0x809/0x1e30 [ 1089.423681] ? ipv4_mtu+0x375/0x580 [ 1089.427296] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1089.432754] ? lock_acquire+0x1dc/0x520 [ 1089.436732] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1089.442274] ? ip_setup_cork+0x4dc/0x7c0 [ 1089.446323] ip_append_data.part.48+0xf3/0x180 [ 1089.453982] ? raw_destroy+0x30/0x30 [ 1089.457711] ip_append_data+0x6d/0x90 [ 1089.461503] ? raw_destroy+0x30/0x30 [ 1089.465208] raw_sendmsg+0x1dae/0x29b0 [ 1089.469099] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1089.474209] ? rcu_report_qs_rnp+0x790/0x790 [ 1089.478623] ? graph_lock+0x170/0x170 [ 1089.482422] ? expand_files.part.8+0x9a0/0x9a0 [ 1089.486993] ? check_same_owner+0x320/0x320 [ 1089.491317] ? lock_downgrade+0x8e0/0x8e0 [ 1089.495456] ? lock_release+0xa10/0xa10 [ 1089.499441] ? check_same_owner+0x320/0x320 [ 1089.503748] ? __check_object_size+0x95/0x5d9 [ 1089.508233] inet_sendmsg+0x19f/0x690 [ 1089.512020] ? __might_sleep+0x95/0x190 [ 1089.515981] ? ipip_gro_receive+0x100/0x100 [ 1089.520293] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1089.525819] ? security_socket_sendmsg+0x94/0xc0 [ 1089.530564] ? ipip_gro_receive+0x100/0x100 [ 1089.534876] sock_sendmsg+0xd5/0x120 [ 1089.538579] __sys_sendto+0x3d7/0x670 [ 1089.542380] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1089.547043] ? wait_for_completion+0x870/0x870 [ 1089.551614] ? __lock_is_held+0xb5/0x140 [ 1089.555689] ? __sb_end_write+0xac/0xe0 [ 1089.559652] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1089.565190] ? fput+0x130/0x1a0 [ 1089.568459] ? ksys_write+0x1a6/0x250 [ 1089.572249] ? __ia32_sys_read+0xb0/0xb0 [ 1089.576300] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1089.581826] __x64_sys_sendto+0xe1/0x1a0 [ 1089.585876] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1089.590885] do_syscall_64+0x1b1/0x800 [ 1089.594757] ? finish_task_switch+0x1ca/0x840 [ 1089.599238] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1089.604154] ? syscall_return_slowpath+0x30f/0x5c0 [ 1089.609073] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1089.614425] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1089.619256] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1089.624434] RIP: 0033:0x4559f9 [ 1089.627605] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1089.646846] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1089.654542] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1089.662223] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1089.669484] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1089.676740] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1089.684003] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003b [ 1089.718117] binder: 30375:30376 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1089.734965] binder: 30375:30376 BC_FREE_BUFFER u0000000000000000 no match 05:01:33 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) ioctl$KVM_GET_ONE_REG(r0, 0x4010aeab, &(0x7f0000000040)={0x5, 0x3}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:33 executing program 1 (fault-call:4 fault-nth:60): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:33 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x300000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x1000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:33 executing program 5: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x200000008912, &(0x7f0000000000)="025cc83d6d345f8f760070") umount2(&(0x7f0000000040)='../file0\x00', 0x2) mkdir(&(0x7f0000f4eff8)='./file0\x00', 0x0) mount(&(0x7f000000a000)='./file0\x00', &(0x7f0000026ff8)='./file0\x00', &(0x7f0000000000)='devpts\x00', 0x0, &(0x7f0000000140)) chdir(&(0x7f0000000600)='./file0\x00') umount2(&(0x7f0000000180)='../file0\x00', 0x2) chdir(&(0x7f0000000280)='/\x00') 05:01:33 executing program 7: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) mount(&(0x7f000000a000)='./file0\x00', &(0x7f0000026ff8)='./file0\x00', &(0x7f0000000300)='ramfs\x00', 0x0, &(0x7f00000007c0)) mount(&(0x7f0000d04000)='./file0\x00', &(0x7f0000903000)='./file0\x00', &(0x7f0000000340)='bdev\x00', 0x100000, &(0x7f00000002c0)) mount(&(0x7f0000000240)='./file0\x00', &(0x7f0000000280)='.', &(0x7f0000000380)="045b898f73", 0x1004, 0x0) mount(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)='.', &(0x7f0000000140)='vxfs\x00', 0x3080, &(0x7f0000000200)) r0 = syz_open_dev$mice(&(0x7f0000000980)='/dev/input/mice\x00', 0x0, 0x100) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r0, 0x402c5342, &(0x7f00000009c0)={0x200000002000, 0x40, 0xbe3, {0x0, 0x1c9c380}, 0x9, 0x400}) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x105) getsockopt$inet_sctp_SCTP_CONTEXT(0xffffffffffffffff, 0x84, 0x11, &(0x7f0000000200)={0x0, 0x8f}, &(0x7f00000002c0)=0x8) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO(r1, 0x84, 0xf, &(0x7f00000003c0)={r2, @in={{0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x15}}}, 0xc8, 0x1, 0x0, 0x5, 0x6}, &(0x7f0000000480)=0x98) accept4$inet6(r0, 0x0, &(0x7f0000000a40), 0x80800) ioctl$FS_IOC_GETFSLABEL(r1, 0x81009431, &(0x7f0000000c40)) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") recvmsg(r4, &(0x7f0000000840)={&(0x7f00000004c0)=@in6={0x0, 0x0, 0x0, @mcast2}, 0x80, &(0x7f0000000780)=[{&(0x7f0000000540)=""/63, 0x3f}, {&(0x7f0000000580)=""/54, 0x36}, {&(0x7f00000006c0)=""/149, 0x95}, {&(0x7f00000005c0)}], 0x4, &(0x7f00000007c0)=""/102, 0x66}, 0x40) mount(&(0x7f00000008c0)='.', &(0x7f0000000080)='.', &(0x7f0000753000)='mslos\x00', 0x5010, &(0x7f0000000ac0)) mount(&(0x7f00008deff8)='/\x00', &(0x7f00000000c0)='./file0\x00', &(0x7f0000000180)="6e66730039ad695ab91f0928267795ce2b07ba848ecc6b7c69", 0x2007a00, &(0x7f0000000140)) accept$packet(r1, &(0x7f0000000a80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev}, &(0x7f0000000ac0)=0x14) setsockopt$RDS_GET_MR_FOR_DEST(r1, 0x114, 0x7, &(0x7f0000000b80)={@hci={0x1f, r5}, {&(0x7f0000000b00)=""/34, 0x22}, &(0x7f0000000b40)}, 0xa0) mkdir(&(0x7f0000000940)='./file0\x00', 0x41) getsockopt$inet_sctp_SCTP_CONTEXT(r1, 0x84, 0x11, &(0x7f0000000880)={r3, 0x2}, &(0x7f0000000900)=0x8) ioctl$PERF_EVENT_IOC_PAUSE_OUTPUT(r1, 0x40042409, 0x1) umount2(&(0x7f0000000040)='./file0\x00', 0x2) 05:01:33 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x2000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:33 executing program 4: r0 = openat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x0, 0x80) ioctl$KDSIGACCEPT(r0, 0x4b4e, 0x21) ioctl$EVIOCSREP(r0, 0x40084503, &(0x7f0000000040)=[0x0, 0x2]) ioctl$VT_RESIZE(r0, 0x5609, &(0x7f0000000080)={0x10000, 0x6, 0x1}) ioctl$DRM_IOCTL_ADD_MAP(r0, 0xc0286415, &(0x7f00000000c0)={&(0x7f0000ffa000/0x4000)=nil, 0x200, 0x3, 0x2, &(0x7f0000ffd000/0x2000)=nil, 0x3}) r1 = accept4$packet(r0, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, &(0x7f0000000140)=0x14, 0x800) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000180)={'veth0_to_bond\x00', 0x1000}) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000200)='IPVS\x00') sendmsg$IPVS_CMD_GET_SERVICE(r0, &(0x7f00000002c0)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x1c, r2, 0x804, 0x70bd27, 0x25dfdbfd, {0x4}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x8080) ioctl$KVM_SET_CPUID(r0, 0x4008ae8a, &(0x7f0000000300)={0x1, 0x0, [{0x0, 0x100000001, 0x0, 0x2, 0x4eb3}]}) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000340)={0x0, 0x1000, 0x30}, &(0x7f0000000380)=0xc) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f00000003c0)={r3, 0x9}, &(0x7f0000000400)=0x8) ioctl$SG_SET_FORCE_PACK_ID(r0, 0x227b, &(0x7f0000000440)=0x1) getsockopt$inet_sctp_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000480)={r3, 0x9, 0x9, 0x6076}, &(0x7f00000004c0)=0x10) r6 = syz_open_dev$adsp(&(0x7f0000000500)='/dev/adsp#\x00', 0x7f, 0x80000) getsockopt$sock_cred(r6, 0x1, 0x11, &(0x7f0000000540)={0x0}, &(0x7f0000000580)=0xc) r8 = gettid() kcmp$KCMP_EPOLL_TFD(r7, r8, 0x7, r1, &(0x7f00000005c0)={r6, r1, 0x3}) ioctl$KVM_SET_SREGS(r6, 0x4138ae84, &(0x7f0000000600)={{0x17004, 0x2000, 0xb, 0x9, 0xffffffffffffffe1, 0x8000, 0x0, 0x4, 0x7, 0x200, 0x80000001, 0x101}, {0x4004, 0x4000, 0xd, 0x3, 0x3, 0x8, 0x1, 0x8307, 0x3, 0x4, 0xfffffffffffffff7, 0x9}, {0x6000, 0x16000, 0x1f, 0xfffffffeffffffff, 0x1, 0x401, 0x8, 0x80000001, 0x100000000, 0x10001, 0x4, 0x2}, {0x1000, 0xf000, 0xf, 0x3f, 0x4, 0xa7, 0x5, 0x7afdd8d3, 0x80000000, 0x3, 0x92c, 0x81}, {0x10f000, 0x1, 0x0, 0x4570, 0x4, 0x7fffffff, 0xffff, 0x401, 0x81, 0x8, 0x9, 0x8f1d}, {0x0, 0x1000, 0xf, 0x6, 0x7, 0x1, 0x200, 0xfffffffffffffff8, 0x7fca, 0x4, 0x9}, {0x6004, 0xf46eb5bbb9a18b6a, 0x10, 0x4, 0x9, 0x621, 0x9, 0x3ff, 0x80000001, 0x400, 0x7, 0x7ff}, {0x1000, 0x0, 0xf, 0x0, 0x10001, 0x7, 0x4, 0x7fffffff, 0x1, 0x8000, 0x4, 0x4}, {0x2, 0x1}, {0xf004, 0x6001}, 0x2, 0x0, 0xf000, 0x400000, 0x5, 0x8800, 0x106002, [0x6bea, 0x0, 0x7, 0x5]}) getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO(r6, 0x84, 0xf, &(0x7f0000000740)={r5, @in={{0x2, 0x4e23, @loopback=0x7f000001}}, 0x5, 0x8, 0x232, 0xfa08, 0x6}, &(0x7f0000000800)=0x98) ioctl$FS_IOC_RESVSP(r1, 0x40305828, &(0x7f0000000840)={0x0, 0x6, 0x0, 0x6}) setsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r6, 0x84, 0x71, &(0x7f0000000880)={r4, 0x7}, 0x8) getsockopt$inet_sctp_SCTP_AUTO_ASCONF(r6, 0x84, 0x1e, &(0x7f00000008c0), &(0x7f0000000900)=0x4) ioctl$KVM_SET_MSRS(r6, 0x4008ae89, &(0x7f0000000940)={0x5, 0x0, [{0xbff, 0x0, 0x100}, {0xbff, 0x0, 0x1}, {0xbff, 0x0, 0xffffffffffff9440}, {0xbff, 0x0, 0xfffffffff25c1f5b}, {0x277, 0x0, 0x2}]}) setsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f00000009c0)=0x9, 0x4) io_setup(0xfffffffffffff3ec, &(0x7f0000000a00)=0x0) io_cancel(r9, &(0x7f0000000b40)={0x0, 0x0, 0x0, 0x2, 0x8, r6, &(0x7f0000000a40)="608553065729d66e632cd2dcc26e1313175e70face91d44edc9cd535d713584869620ab7f766ddca660ebcfce4e17222dc34db825631f0e522a283962abbfe4141a1786bf1533793de60b15d9e3d16ba3d16af31517545ff8a1267eee256b2328e2943d13fb7a4bc05c64b6db647517c0bb73fdab3828b443cf7d6b6e6e0fbd59d1f517bd73b6a37374d5008059b7ba417474086c7bd6614e383b87b31c7911c2bf21ebba005719a51e4bc7e764b7f876cac6c3eaab322968498e92f5b9057629df09a30ca2a801a62e79027d6d45a839aeb3044451bd05f8d35bb79d445a0a50a", 0xe1, 0x3, 0x0, 0x1, r0}, &(0x7f0000000b80)) ioctl$TIOCNXCL(r0, 0x540d) socketpair$inet6(0xa, 0x0, 0x8001, &(0x7f0000000bc0)) ioctl$SG_SET_FORCE_PACK_ID(r6, 0x227b, &(0x7f0000000c00)) [ 1090.067734] binder: 30407:30408 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1090.084658] FAULT_INJECTION: forcing a failure. [ 1090.084658] name failslab, interval 1, probability 0, space 0, times 0 [ 1090.095979] CPU: 0 PID: 30406 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1090.102915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1090.112275] Call Trace: 05:01:33 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_open_dev$mouse(&(0x7f0000000040)='/dev/input/mouse#\x00', 0x7, 0x80000) bpf$MAP_CREATE(0x0, &(0x7f0000000080)={0xa, 0x6, 0x8, 0x3, 0x0, r2, 0x2}, 0x2c) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text32={0x20, &(0x7f0000000100)="2e0f2e343d00100000660f65864b5100000f06b80a0000000f23c00f21f835010000000f23f80f2366660f352eff49000f35f40f72f31b", 0x37}], 0x1, 0x5d, &(0x7f0000000580), 0x0) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000000)={0x3, 0x0, [{0x87a}, {0x0, 0x0, 0x4}, {0x40000bf7}]}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 1090.114890] dump_stack+0x1b9/0x294 [ 1090.118537] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1090.122683] binder: 30407:30408 BC_FREE_BUFFER u0000000000000000 no match [ 1090.123741] ? is_bpf_text_address+0xd7/0x170 [ 1090.123765] ? kernel_text_address+0x79/0xf0 [ 1090.139578] ? __unwind_start+0x166/0x330 [ 1090.143751] should_fail.cold.4+0xa/0x1a [ 1090.147828] ? __save_stack_trace+0x7e/0xd0 [ 1090.152175] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1090.157307] ? graph_lock+0x170/0x170 [ 1090.161135] ? save_stack+0x43/0xd0 [ 1090.164779] ? kasan_kmalloc+0xc4/0xe0 [ 1090.168674] ? kasan_slab_alloc+0x12/0x20 [ 1090.172822] ? find_held_lock+0x36/0x1c0 [ 1090.176882] ? __lock_is_held+0xb5/0x140 [ 1090.180948] ? check_same_owner+0x320/0x320 [ 1090.185274] ? rcu_note_context_switch+0x710/0x710 [ 1090.190203] __should_failslab+0x124/0x180 [ 1090.194462] should_failslab+0x9/0x14 [ 1090.198254] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1090.203353] __kmalloc_node_track_caller+0x33/0x70 [ 1090.208283] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1090.213033] __alloc_skb+0x14d/0x780 [ 1090.216735] ? skb_scrub_packet+0x580/0x580 [ 1090.221043] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1090.226577] ? ip_generic_getfrag+0x11c/0x2d0 [ 1090.231083] ? ip_reply_glue_bits+0xc0/0xc0 [ 1090.235399] ? raw_getfrag+0x15b/0x220 [ 1090.239272] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1090.244286] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1090.249320] ? raw_destroy+0x30/0x30 [ 1090.253028] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1090.258832] ? ipv4_mtu+0x375/0x580 [ 1090.262450] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1090.267905] ? lock_acquire+0x1dc/0x520 [ 1090.271872] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1090.277395] ? ip_setup_cork+0x4dc/0x7c0 [ 1090.281445] ip_append_data.part.48+0xf3/0x180 [ 1090.286016] ? raw_destroy+0x30/0x30 [ 1090.289721] ip_append_data+0x6d/0x90 [ 1090.293506] ? raw_destroy+0x30/0x30 [ 1090.297209] raw_sendmsg+0x1dae/0x29b0 [ 1090.301095] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1090.306188] ? rcu_report_qs_rnp+0x790/0x790 [ 1090.310588] ? graph_lock+0x170/0x170 [ 1090.314423] ? expand_files.part.8+0x9a0/0x9a0 [ 1090.318991] ? check_same_owner+0x320/0x320 [ 1090.323317] ? lock_downgrade+0x8e0/0x8e0 [ 1090.327453] ? lock_release+0xa10/0xa10 [ 1090.331425] ? check_same_owner+0x320/0x320 [ 1090.335740] ? __check_object_size+0x95/0x5d9 [ 1090.340226] inet_sendmsg+0x19f/0x690 [ 1090.344012] ? __might_sleep+0x95/0x190 [ 1090.347993] ? ipip_gro_receive+0x100/0x100 [ 1090.352304] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1090.357832] ? security_socket_sendmsg+0x94/0xc0 [ 1090.362573] ? ipip_gro_receive+0x100/0x100 [ 1090.366883] sock_sendmsg+0xd5/0x120 [ 1090.370585] __sys_sendto+0x3d7/0x670 [ 1090.374375] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1090.379036] ? wait_for_completion+0x870/0x870 [ 1090.383612] ? __lock_is_held+0xb5/0x140 [ 1090.387667] ? __sb_end_write+0xac/0xe0 [ 1090.391632] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1090.397152] ? fput+0x130/0x1a0 [ 1090.400421] ? ksys_write+0x1a6/0x250 [ 1090.404213] ? __ia32_sys_read+0xb0/0xb0 [ 1090.408260] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1090.413791] __x64_sys_sendto+0xe1/0x1a0 [ 1090.417838] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1090.422841] do_syscall_64+0x1b1/0x800 [ 1090.426716] ? finish_task_switch+0x1ca/0x840 [ 1090.431203] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1090.436122] ? syscall_return_slowpath+0x30f/0x5c0 [ 1090.441039] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1090.446400] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1090.451234] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1090.456410] RIP: 0033:0x4559f9 [ 1090.459580] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1090.478821] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1090.486517] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1090.493784] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1090.501061] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1090.508319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 05:01:33 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @loopback=0x7f000001}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:33 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x58000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1090.515590] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003c [ 1090.537596] binder: 30407:30408 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:33 executing program 5: setsockopt$inet6_mreq(0xffffffffffffffff, 0x29, 0x1d, &(0x7f0000000040)={@mcast2={0xff, 0x2, [], 0x1}}, 0x14) r0 = shmget(0x3, 0x2000, 0x20, &(0x7f0000ffb000/0x2000)=nil) shmctl$SHM_LOCK(r0, 0xb) [ 1090.565803] binder: 30407:30408 BC_FREE_BUFFER u0000000000000000 no match 05:01:33 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x4000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:33 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xc00}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1090.741428] binder: 30445:30446 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1090.796120] binder: 30445:30446 BC_FREE_BUFFER u0000000000000000 no match [ 1090.827026] binder: 30445:30446 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1090.845052] binder: 30445:30446 BC_FREE_BUFFER u0000000000000000 no match [ 1090.944646] ALSA: seq fatal error: cannot create timer (-22) 05:01:34 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x3000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:34 executing program 4: socket$unix(0x1, 0x1, 0x0) r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f0000003000)=@file={0x1, "e91f7189591e9233614b00"}, 0xc) listen(r0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) connect(r1, &(0x7f0000931ff4)=@un=@file={0x1, "e91f7189591e9233614b00"}, 0xc) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f00000003c0)={0x73, 0x79, 0x7a, 0x3}, &(0x7f0000000400)="dc1214e7db415a9046ee494a6713068554eb625c3023d118a2617c2ec865c3667fc727", 0x23, 0xfffffffffffffffd) r3 = add_key(&(0x7f0000000440)='cifs.spnego\x00', &(0x7f0000000480)={0x73, 0x79, 0x7a, 0x0}, &(0x7f00000004c0)="f11af7cd39a3a4961916726ebad858780c76cc2dfc19f7a20bbfda90b6c83be22483cd9dbad5161eee89d2be09393275361a97ba567c9888ea745ec690da03bdea", 0x41, 0x0) r4 = request_key(&(0x7f0000000540)='.dead\x00', &(0x7f0000000580)={0x73, 0x79, 0x7a, 0x0}, &(0x7f00000005c0)='eth1em0\x00', 0x0) keyctl$dh_compute(0x17, &(0x7f0000000600)={r2, r3, r4}, &(0x7f0000000640)=""/4096, 0x1000, &(0x7f0000001680)={&(0x7f0000001640)={'sha512-ssse3\x00'}}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000040)={{{@in=@rand_addr, @in=@remote}}, {{}, 0x0, @in6}}, &(0x7f00000001c0)=0xe8) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000200)={{{@in6=@ipv4={[], [], @remote}, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in6=@remote}}, &(0x7f0000000300)=0xe8) connect(r0, &(0x7f0000000340)=@hci={0x1f, r5, 0x2}, 0xffffffffffffffaf) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) dup2(r1, r0) 05:01:34 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1e000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:34 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl$TIOCSWINSZ(r0, 0x5414, &(0x7f0000000040)={0x3f, 0x8000, 0x361eb50c, 0x1}) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) readv(r3, &(0x7f0000000240)=[{&(0x7f0000000140)=""/47, 0x2f}, {&(0x7f0000001d80)=""/4096, 0x1000}, {&(0x7f00000001c0)=""/31, 0x1f}], 0x3) 05:01:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x7a00, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:34 executing program 1 (fault-call:4 fault-nth:61): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:34 executing program 7: r0 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs\x00', 0x1, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) getsockopt$inet_sctp_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, &(0x7f0000000140)={0x0, 0x7, 0x0, 0xfff, 0x1, 0x0, 0x20, 0x0, {0x0, @in6={{0xa, 0x4e20, 0x0, @ipv4={[], [0xff, 0xff]}}}}}, &(0x7f0000000200)=0xb0) timer_create(0x7, &(0x7f0000000000)={0x0, 0x32, 0x4, @tid=0xffffffffffffffff}, &(0x7f0000000040)=0x0) timer_gettime(r3, &(0x7f0000000080)) r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r2, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000280)=[@text64={0x40, &(0x7f0000000500)="0f0866b8ed008ec066ba4000b000eed2a807000000410f01cab98e0b0000b862000000ba000000000f30b90b0800000f320fc72a8f2a60128f00000000003000000fc7aa00100000", 0x48}], 0x0, 0x0, &(0x7f0000000040), 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$KVM_RUN(r4, 0xae80, 0x0) 05:01:34 executing program 5: sendmsg$nl_netfilter(0xffffffffffffffff, &(0x7f0000289000)={&(0x7f0000000040)={0x10}, 0xc, &(0x7f0000058000)={&(0x7f000023f000)=ANY=[@ANYBLOB="840008000000000000bd7000ffffffff0022fffc0c00000000000000000000005b659a62290ffc380c2dbfdc5ee079520b27dd66c1358939679f13e1a04810d464fba7f4c1b4e2bf501fb1bb949869c2984d914d9f040e5e4fcd4dd3050bc1700612dbc30c0c91745fa158cf0d70309f7f1969136edfd73294c0356da8d9adabf19d"], 0x82}, 0x1}, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000400)={0xe, 0x4, 0x4, 0x8}, 0x2c) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000040)={r1, &(0x7f00000001c0)}, 0x10) setsockopt$inet6_tcp_int(r0, 0x6, 0x2000000000000020, &(0x7f000023f000)=0xa, 0x263) [ 1091.114044] ALSA: seq fatal error: cannot create timer (-22) 05:01:34 executing program 5: r0 = socket$inet6(0xa, 0xe, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") unshare(0x400) fcntl$getflags(r0, 0x40a) r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x8902, 0x0) ioctl$KVM_CHECK_EXTENSION_VM(r1, 0xae03, 0x6) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000300)='/dev/snapshot\x00', 0x101000, 0x0) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000200), &(0x7f0000000240)=0x4) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000000c0)={r1, &(0x7f0000000040)="5f3689e5756fb8be8e881de4730e1bbae1283c2f2a40f4d07dd7be6385524b2fd40c161a2a71e3fe5b5ee7d563eec7b1a8ab4fac736d29e4e895d60f8f19a5ca2dc3", &(0x7f0000000140)=""/173}, 0x18) getsockopt$bt_rfcomm_RFCOMM_LM(r1, 0x12, 0x3, &(0x7f0000000280), &(0x7f00000002c0)=0x4) [ 1091.158371] binder: 30465:30467 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1091.194336] binder: 30465:30467 BC_FREE_BUFFER u0000000000000000 no match 05:01:34 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x18000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:34 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) socket$inet_tcp(0x2, 0x1, 0x0) r1 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:34 executing program 4: perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e4}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r0, &(0x7f0000000180)={0x1d}, 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000005d40)={'vcan0\x00', 0x0}) sendmsg$can_bcm(r0, &(0x7f0000000140)={&(0x7f0000000000)={0x1d, r1}, 0x10, &(0x7f0000000040)={&(0x7f00000000c0)={0x5, 0x0, 0x0, {0x0, 0x2710}, {0x77359400}, {}, 0x8, @can={{}, 0x0, 0x0, 0x0, 0x0, "c4d981ae211e6951"}}, 0x20000108}, 0x1}, 0x0) uselib(&(0x7f0000000080)='./file0\x00') [ 1091.243619] binder: 30465:30467 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1091.270413] binder: 30465:30467 BC_FREE_BUFFER u0000000000000000 no match [ 1091.311881] Unknown ioctl 44547 [ 1091.326850] FAULT_INJECTION: forcing a failure. [ 1091.326850] name failslab, interval 1, probability 0, space 0, times 0 [ 1091.338245] CPU: 1 PID: 30470 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1091.345189] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1091.354558] Call Trace: [ 1091.357171] dump_stack+0x1b9/0x294 [ 1091.360826] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1091.361444] Unknown ioctl 44547 [ 1091.366025] ? unwind_get_return_address+0x61/0xa0 [ 1091.366047] ? graph_lock+0x170/0x170 [ 1091.366073] should_fail.cold.4+0xa/0x1a [ 1091.382132] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1091.387258] ? __lock_is_held+0xb5/0x140 [ 1091.391339] ? __kmalloc_node_track_caller+0x47/0x70 [ 1091.396456] ? graph_lock+0x170/0x170 [ 1091.400271] ? __x64_sys_sendto+0xe1/0x1a0 [ 1091.404540] ? find_held_lock+0x36/0x1c0 [ 1091.408633] ? __lock_is_held+0xb5/0x140 [ 1091.412734] ? check_same_owner+0x320/0x320 [ 1091.417095] ? rcu_note_context_switch+0x710/0x710 [ 1091.422048] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1091.427351] __should_failslab+0x124/0x180 [ 1091.431617] should_failslab+0x9/0x14 [ 1091.435444] kmem_cache_alloc_node+0x272/0x780 [ 1091.440054] ? __kmalloc_node_track_caller+0x47/0x70 [ 1091.445194] __alloc_skb+0x111/0x780 [ 1091.448935] ? skb_scrub_packet+0x580/0x580 [ 1091.453295] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1091.458856] ? ip_generic_getfrag+0x11c/0x2d0 [ 1091.463382] ? ip_reply_glue_bits+0xc0/0xc0 [ 1091.467747] ? raw_getfrag+0x15b/0x220 [ 1091.471660] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1091.476724] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1091.481784] ? raw_destroy+0x30/0x30 [ 1091.485538] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1091.491383] ? ipv4_mtu+0x375/0x580 [ 1091.495031] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1091.500506] ? lock_acquire+0x1dc/0x520 [ 1091.504494] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1091.510039] ? ip_setup_cork+0x4dc/0x7c0 [ 1091.514095] ip_append_data.part.48+0xf3/0x180 [ 1091.518665] ? raw_destroy+0x30/0x30 [ 1091.522372] ip_append_data+0x6d/0x90 [ 1091.526161] ? raw_destroy+0x30/0x30 [ 1091.529865] raw_sendmsg+0x1dae/0x29b0 [ 1091.533790] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1091.538885] ? rcu_report_qs_rnp+0x790/0x790 [ 1091.543287] ? graph_lock+0x170/0x170 [ 1091.547079] ? expand_files.part.8+0x9a0/0x9a0 [ 1091.551648] ? check_same_owner+0x320/0x320 [ 1091.555976] ? lock_downgrade+0x8e0/0x8e0 [ 1091.560113] ? lock_release+0xa10/0xa10 [ 1091.564074] ? check_same_owner+0x320/0x320 [ 1091.568385] ? __check_object_size+0x95/0x5d9 [ 1091.572870] inet_sendmsg+0x19f/0x690 [ 1091.576655] ? __might_sleep+0x95/0x190 [ 1091.580624] ? ipip_gro_receive+0x100/0x100 [ 1091.584939] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1091.590467] ? security_socket_sendmsg+0x94/0xc0 [ 1091.595207] ? ipip_gro_receive+0x100/0x100 [ 1091.599516] sock_sendmsg+0xd5/0x120 [ 1091.603218] __sys_sendto+0x3d7/0x670 [ 1091.607010] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1091.611680] ? wait_for_completion+0x870/0x870 [ 1091.616254] ? __lock_is_held+0xb5/0x140 [ 1091.620313] ? __sb_end_write+0xac/0xe0 [ 1091.624279] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1091.629800] ? fput+0x130/0x1a0 [ 1091.633068] ? ksys_write+0x1a6/0x250 [ 1091.636855] ? __ia32_sys_read+0xb0/0xb0 [ 1091.640901] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1091.646428] __x64_sys_sendto+0xe1/0x1a0 [ 1091.650476] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1091.655482] do_syscall_64+0x1b1/0x800 [ 1091.659366] ? finish_task_switch+0x1ca/0x840 [ 1091.663855] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1091.668774] ? syscall_return_slowpath+0x30f/0x5c0 [ 1091.673692] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1091.679062] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1091.683909] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1091.689083] RIP: 0033:0x4559f9 [ 1091.692253] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 05:01:34 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0xfffffdfd, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:34 executing program 5: r0 = socket$vsock_stream(0x28, 0x1, 0x0) r1 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000000)='/dev/rtc0\x00', 0x12280, 0x0) ioctl$ASHMEM_SET_PROT_MASK(r1, 0x40087705, &(0x7f0000000040)={0x1f, 0x7}) setsockopt$SO_VM_SOCKETS_BUFFER_SIZE(r0, 0x28, 0x6, &(0x7f0000000140)=0x3f420f0000000000, 0x21d) [ 1091.711492] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1091.719197] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1091.726453] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1091.733710] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1091.740965] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1091.748223] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003d [ 1091.791056] binder: 30495:30497 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1091.814989] binder: 30495:30497 BC_FREE_BUFFER u0000000000000000 no match [ 1091.837079] binder: 30495:30497 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1091.850166] binder: 30495:30497 BC_FREE_BUFFER u0000000000000000 no match [ 1092.066978] ALSA: seq fatal error: cannot create timer (-22) 05:01:35 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f0000000180)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc-serpent-avx\x00'}, 0x58) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, &(0x7f0000000380)="42ace9b20b6da1c4aa7226a048090e47993a5a082cd0ad79d7e200000000000000dc58518ba2c49e9dcb5a7f0833da06e38ce6dc00684d7e6d2b0b6a43d83b98f66cb764127dc48fb9af817554b2f8ee68fce8c03244eead7c68ad6ea1a2588c70a26379a5e14e4a3badf606a407b40864d8691e9649c2cd8bda3c7846f012b77f076788eb1a5b3abfe95ff4c5b207bbd7c0a2ebcf6af27d51ea33f6b72dab9762a3719cb72fe03a3546936e5b875d9dec54ecacee44e832700d7a65c207e1dec844e9a3147a67591b01b240b0c7d24ad1d225d8425b3735f12ccddee8fa43052dc6a4c1b3a332661adb17e210d91d0ee6bc5398da07d8f4119cca813a5da3e52bdcfcdda1355e5c7e114bd264ccbd6dc52c1f2a6780000000000000000000000000", 0x122) r2 = accept$alg(r1, 0x0, 0x0) sendmmsg$alg(r2, &(0x7f0000003e80)=[{0x0, 0x0, &(0x7f00000023c0), 0x218, &(0x7f0000000200)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}], 0x1, 0x0) recvmsg(r2, &(0x7f0000000000)={&(0x7f0000000040)=@alg, 0x80, &(0x7f0000000140)=[{&(0x7f0000002840)=""/4096, 0x7ffff000}], 0x1, &(0x7f00000000c0)=""/87, 0x57}, 0x0) 05:01:35 executing program 5: r0 = socket$inet6(0xa, 0x8000000000001, 0x0) socketpair(0x19, 0x5, 0x7, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$VT_RELDISP(r2, 0x5605) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'bond_slave_0\x00'}) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") timer_create(0x2, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000)) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x3, 0x31, 0xffffffffffffffff, 0x0) open$dir(&(0x7f0000000080)='./file0\x00', 0x210500, 0x10) timer_settime(0x0, 0x0, &(0x7f000004a000)={{0x0, 0x1}, {0x0, 0xe4c}}, &(0x7f0000040000)) ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f00000001c0)={r0, r0, 0x8, 0x5, &(0x7f0000000140)="65c24bc1685a519b50b11c4593ce710dd1ed9f825a3d28aa7e7c761421b3442c40ee9bb004b0f711304e2c5d07ecda954a4b0da75185b80be92acc04f5152192f8673203ab8f5863034910e6d9fb01e45a17759b588637a2406b5825c38e706fde59f4055e7a72", 0x400, 0x9, 0xffffffffffffffff, 0x401, 0x80000001, 0x80, 0x7fffffff, "a68d055ec62f8f42e11d3e751e1687886cc89a1cc117e29ee663fb5411e5035e8aae48a69a01ed11a10d9f77a7317bc17414b837e7d955f30c7e5e9ce149541e8bb38fdcc12ddff73e81faca9ab5c5ab9840c516a926349d6c35c4b019ba21fc54aabe7a26e23e9699e1dfa7cd086b2cad5b4615d2b148e29e2987ab70027cc75ceaf6fc49d3a4a7778e8206c857ab754585c6b1e5a188057f7409c615cccbcb54d6a24d46097745506f364703ae0e2e1572ab96"}) timer_gettime(0x0, &(0x7f0000000040)) 05:01:35 executing program 6: readv(0xffffffffffffffff, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = syz_open_dev$tun(&(0x7f0000000280)='/dev/net/tun\x00', 0x0, 0x800) r2 = socket$inet6(0xa, 0x1, 0x0) ioctl(r2, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r0, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) bpf$BPF_MAP_GET_NEXT_ID(0xc, &(0x7f0000000040)=0x3f, 0x4) readv(0xffffffffffffffff, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) socketpair$inet6_sctp(0xa, 0x1, 0x84, &(0x7f0000000000)) 05:01:35 executing program 7: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="025cc83d6d345f8f760070") mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0) r1 = userfaultfd(0x0) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f0000002000)={0xaa}) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000001000)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r2 = creat(&(0x7f0000000040)='./file0\x00', 0x2) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={r2, 0x3, 0x1, 0x9, &(0x7f0000000080)=[0x0, 0x0, 0x0], 0x3}, 0x20) r3 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_mreqsrc(r3, 0x6, 0xe, &(0x7f0000013ff4)={@dev={0xac, 0x14}, @rand_addr, @local={0xac, 0x14, 0xffffffffffffffff, 0xaa}}, 0xc) r4 = dup3(r1, r3, 0x0) mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x2, 0x32, 0xffffffffffffffff, 0x0) fcntl$getflags(r3, 0x408) ioctl$sock_inet_tcp_SIOCOUTQNSD(r4, 0x894b, &(0x7f0000000140)) ioctl$UFFDIO_ZEROPAGE(r1, 0x8010aa02, &(0x7f00000c0ff0)={&(0x7f0000011000/0x3000)=nil, 0x3000}) 05:01:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x7, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:35 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x12000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:35 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:35 executing program 1 (fault-call:4 fault-nth:62): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) [ 1092.237373] ALSA: seq fatal error: cannot create timer (-22) [ 1092.287562] binder: 30520:30521 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1092.299017] FAULT_INJECTION: forcing a failure. [ 1092.299017] name failslab, interval 1, probability 0, space 0, times 0 [ 1092.308095] binder: 30520:30521 BC_FREE_BUFFER u0000000000000000 no match [ 1092.310366] CPU: 1 PID: 30519 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1092.324380] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1092.333737] Call Trace: [ 1092.336325] dump_stack+0x1b9/0x294 [ 1092.339940] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1092.345121] ? is_bpf_text_address+0xd7/0x170 [ 1092.349626] ? kernel_text_address+0x79/0xf0 [ 1092.354023] ? __unwind_start+0x166/0x330 [ 1092.358171] should_fail.cold.4+0xa/0x1a [ 1092.362220] ? __save_stack_trace+0x7e/0xd0 [ 1092.366530] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1092.371656] ? graph_lock+0x170/0x170 [ 1092.375450] ? save_stack+0x43/0xd0 [ 1092.379063] ? kasan_kmalloc+0xc4/0xe0 [ 1092.382938] ? kasan_slab_alloc+0x12/0x20 [ 1092.387079] ? find_held_lock+0x36/0x1c0 [ 1092.391136] ? __lock_is_held+0xb5/0x140 [ 1092.395193] ? check_same_owner+0x320/0x320 [ 1092.399507] ? rcu_note_context_switch+0x710/0x710 [ 1092.404455] __should_failslab+0x124/0x180 [ 1092.408688] should_failslab+0x9/0x14 [ 1092.412479] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1092.417576] __kmalloc_node_track_caller+0x33/0x70 [ 1092.422501] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1092.427247] __alloc_skb+0x14d/0x780 [ 1092.430950] ? skb_scrub_packet+0x580/0x580 [ 1092.435263] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1092.440790] ? ip_generic_getfrag+0x11c/0x2d0 [ 1092.445275] ? ip_reply_glue_bits+0xc0/0xc0 [ 1092.449597] ? raw_getfrag+0x15b/0x220 [ 1092.453470] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1092.458479] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1092.463486] ? raw_destroy+0x30/0x30 [ 1092.467199] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1092.472987] ? ipv4_mtu+0x375/0x580 [ 1092.476689] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1092.482135] ? lock_acquire+0x1dc/0x520 [ 1092.486101] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1092.492147] ? ip_setup_cork+0x4dc/0x7c0 [ 1092.496203] ip_append_data.part.48+0xf3/0x180 [ 1092.500774] ? raw_destroy+0x30/0x30 [ 1092.504488] ip_append_data+0x6d/0x90 [ 1092.508280] ? raw_destroy+0x30/0x30 [ 1092.511986] raw_sendmsg+0x1dae/0x29b0 [ 1092.515871] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1092.520966] ? rcu_report_qs_rnp+0x790/0x790 [ 1092.525369] ? graph_lock+0x170/0x170 [ 1092.529165] ? expand_files.part.8+0x9a0/0x9a0 [ 1092.533755] ? check_same_owner+0x320/0x320 [ 1092.538099] ? lock_downgrade+0x8e0/0x8e0 [ 1092.542240] ? lock_release+0xa10/0xa10 [ 1092.546201] ? check_same_owner+0x320/0x320 [ 1092.550512] ? __check_object_size+0x95/0x5d9 [ 1092.555002] inet_sendmsg+0x19f/0x690 [ 1092.558788] ? __might_sleep+0x95/0x190 [ 1092.562748] ? ipip_gro_receive+0x100/0x100 [ 1092.567059] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1092.572594] ? security_socket_sendmsg+0x94/0xc0 [ 1092.577338] ? ipip_gro_receive+0x100/0x100 [ 1092.581645] sock_sendmsg+0xd5/0x120 [ 1092.585346] __sys_sendto+0x3d7/0x670 [ 1092.589138] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1092.593798] ? wait_for_completion+0x870/0x870 [ 1092.598371] ? __lock_is_held+0xb5/0x140 [ 1092.602430] ? __sb_end_write+0xac/0xe0 [ 1092.606395] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1092.611959] ? fput+0x130/0x1a0 [ 1092.615229] ? ksys_write+0x1a6/0x250 [ 1092.619020] ? __ia32_sys_read+0xb0/0xb0 [ 1092.623069] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1092.627900] __x64_sys_sendto+0xe1/0x1a0 [ 1092.631949] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1092.636952] do_syscall_64+0x1b1/0x800 [ 1092.640830] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1092.645762] ? syscall_return_slowpath+0x30f/0x5c0 [ 1092.650683] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1092.656044] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1092.660892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1092.666067] RIP: 0033:0x4559f9 [ 1092.669239] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1092.688482] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1092.696181] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1092.703434] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1092.710689] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1092.717943] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1092.725199] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003e 05:01:35 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x1f400000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1092.743138] binder: 30520:30521 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1092.754211] binder: 30520:30521 BC_FREE_BUFFER u0000000000000000 no match 05:01:35 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x48000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:35 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x9}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:36 executing program 1 (fault-call:4 fault-nth:63): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:36 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0xffff000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1092.863633] binder: 30549:30553 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1092.888137] binder: 30549:30553 BC_FREE_BUFFER u0000000000000000 no match [ 1092.918182] binder: 30549:30553 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1092.926299] binder: 30549:30553 BC_FREE_BUFFER u0000000000000000 no match 05:01:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x10000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:36 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x1e}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:36 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0xc00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1093.016343] binder: 30565:30566 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1093.030198] binder: 30565:30566 BC_FREE_BUFFER u0000000000000000 no match [ 1093.079453] binder: 30565:30566 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1093.098708] binder: 30565:30566 BC_FREE_BUFFER u0000000000000000 no match [ 1093.215682] FAULT_INJECTION: forcing a failure. [ 1093.215682] name failslab, interval 1, probability 0, space 0, times 0 [ 1093.226978] CPU: 1 PID: 30556 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1093.233917] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1093.243277] Call Trace: [ 1093.245886] dump_stack+0x1b9/0x294 [ 1093.249543] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1093.254757] ? unwind_get_return_address+0x61/0xa0 [ 1093.259694] ? graph_lock+0x170/0x170 [ 1093.263514] should_fail.cold.4+0xa/0x1a [ 1093.267609] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1093.272722] ? __lock_is_held+0xb5/0x140 [ 1093.276782] ? __kmalloc_node_track_caller+0x47/0x70 [ 1093.281889] ? graph_lock+0x170/0x170 [ 1093.285687] ? __x64_sys_sendto+0xe1/0x1a0 [ 1093.289922] ? find_held_lock+0x36/0x1c0 [ 1093.293990] ? __lock_is_held+0xb5/0x140 [ 1093.298077] ? check_same_owner+0x320/0x320 [ 1093.302398] ? rcu_note_context_switch+0x710/0x710 [ 1093.307317] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1093.312587] __should_failslab+0x124/0x180 [ 1093.316832] should_failslab+0x9/0x14 [ 1093.320625] kmem_cache_alloc_node+0x272/0x780 [ 1093.325198] ? __kmalloc_node_track_caller+0x47/0x70 [ 1093.330302] __alloc_skb+0x111/0x780 [ 1093.334018] ? skb_scrub_packet+0x580/0x580 [ 1093.338357] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1093.343906] ? ip_generic_getfrag+0x11c/0x2d0 [ 1093.348418] ? ip_reply_glue_bits+0xc0/0xc0 [ 1093.352763] ? raw_getfrag+0x15b/0x220 [ 1093.356664] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1093.361707] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1093.366750] ? raw_destroy+0x30/0x30 [ 1093.370491] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1093.376305] ? ipv4_mtu+0x375/0x580 [ 1093.379927] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1093.385379] ? lock_acquire+0x1dc/0x520 [ 1093.389356] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1093.394906] ? ip_setup_cork+0x4dc/0x7c0 [ 1093.398968] ip_append_data.part.48+0xf3/0x180 [ 1093.403549] ? raw_destroy+0x30/0x30 [ 1093.407253] ip_append_data+0x6d/0x90 [ 1093.411050] ? raw_destroy+0x30/0x30 [ 1093.414757] raw_sendmsg+0x1dae/0x29b0 [ 1093.418639] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1093.423747] ? rcu_report_qs_rnp+0x790/0x790 [ 1093.428171] ? graph_lock+0x170/0x170 [ 1093.431988] ? expand_files.part.8+0x9a0/0x9a0 [ 1093.436556] ? check_same_owner+0x320/0x320 [ 1093.440875] ? lock_downgrade+0x8e0/0x8e0 [ 1093.445013] ? lock_release+0xa10/0xa10 [ 1093.448983] ? check_same_owner+0x320/0x320 [ 1093.453293] ? __check_object_size+0x95/0x5d9 [ 1093.457807] inet_sendmsg+0x19f/0x690 [ 1093.461605] ? __might_sleep+0x95/0x190 [ 1093.465580] ? ipip_gro_receive+0x100/0x100 [ 1093.469898] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1093.475423] ? security_socket_sendmsg+0x94/0xc0 [ 1093.480166] ? ipip_gro_receive+0x100/0x100 [ 1093.484481] sock_sendmsg+0xd5/0x120 [ 1093.488185] __sys_sendto+0x3d7/0x670 [ 1093.491990] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1093.496661] ? wait_for_completion+0x870/0x870 [ 1093.501238] ? __lock_is_held+0xb5/0x140 [ 1093.505351] ? __sb_end_write+0xac/0xe0 [ 1093.509347] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1093.514891] ? fput+0x130/0x1a0 [ 1093.518172] ? ksys_write+0x1a6/0x250 [ 1093.521997] ? __ia32_sys_read+0xb0/0xb0 [ 1093.526056] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1093.531604] __x64_sys_sendto+0xe1/0x1a0 [ 1093.535685] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1093.540700] do_syscall_64+0x1b1/0x800 [ 1093.544583] ? finish_task_switch+0x1ca/0x840 [ 1093.549098] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1093.554031] ? syscall_return_slowpath+0x30f/0x5c0 [ 1093.558955] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1093.564315] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1093.569161] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1093.574341] RIP: 0033:0x4559f9 [ 1093.577517] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1093.596695] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1093.604392] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1093.611660] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1093.618938] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1093.626287] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1093.633549] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 000000000000003f 05:01:36 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x700000000000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:36 executing program 4: bpf$MAP_CREATE(0x0, &(0x7f0000346fd4)={0x0, 0x0, 0x0, 0x104d}, 0x2c) recvmmsg(0xffffffffffffffff, &(0x7f0000003c00)=[{{&(0x7f0000000000)=@nl=@proc, 0x80, &(0x7f0000001380)=[{&(0x7f0000000080)=""/199, 0xc7}, {&(0x7f0000000180)=""/4096, 0x1000}, {&(0x7f0000001180)=""/56, 0x38}, {&(0x7f00000011c0)=""/66, 0x42}, {&(0x7f0000001240)=""/16, 0x10}, {&(0x7f0000001280)=""/83, 0x53}, {&(0x7f0000001300)=""/124, 0x7c}], 0x7, &(0x7f0000001400)=""/164, 0xa4}, 0x4}, {{&(0x7f00000014c0)=@in6={0x0, 0x0, 0x0, @dev}, 0x80, &(0x7f00000016c0)=[{&(0x7f0000001540)=""/159, 0x9f}, {&(0x7f0000001600)=""/131, 0x83}], 0x2, &(0x7f0000001700)=""/227, 0xe3, 0xe9}, 0xab3}, {{0x0, 0x0, &(0x7f0000001a00)=[{&(0x7f0000001800)=""/49, 0x31}, {&(0x7f0000001840)=""/110, 0x6e}, {&(0x7f00000018c0)=""/162, 0xa2}, {&(0x7f0000001980)=""/128, 0x80}], 0x4, &(0x7f0000001a40)=""/150, 0x96, 0x5}, 0x8}, {{&(0x7f0000001b00)=@pppol2tp={0x0, 0x0, {0x0, 0xffffffffffffffff, {0x0, 0x0, @loopback}}}, 0x80, &(0x7f0000001cc0)=[{&(0x7f0000001b80)=""/119, 0x77}, {&(0x7f0000001c00)=""/192, 0xc0}], 0x2, &(0x7f0000001d00)=""/4096, 0x1000, 0x7}, 0x80}, {{&(0x7f0000002d00)=@pppol2tpin6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @loopback}}}, 0x80, &(0x7f0000002dc0)=[{&(0x7f0000002d80)=""/12, 0xc}], 0x1, &(0x7f0000002e00)=""/111, 0x6f, 0x3051}, 0x2}, {{&(0x7f0000002e80)=@pppol2tpv3in6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @mcast1}}}, 0x80, &(0x7f0000003000)=[{&(0x7f0000002f00)=""/42, 0x2a}, {&(0x7f0000002f40)=""/167, 0xa7}], 0x2, &(0x7f0000003040)=""/202, 0xca, 0x10000}, 0x8}, {{&(0x7f0000003140)=@nfc, 0x80, &(0x7f0000003380)=[{&(0x7f00000031c0)=""/130, 0x82}, {&(0x7f0000003280)=""/254, 0xfe}], 0x2, &(0x7f00000033c0)=""/32, 0x20, 0x5}, 0x3d}, {{&(0x7f0000003400)=@hci, 0x80, &(0x7f0000003880)=[{&(0x7f0000003480)=""/119, 0x77}, {&(0x7f0000003500)=""/106, 0x6a}, {&(0x7f0000003580)}, {&(0x7f00000035c0)=""/56, 0x38}, {&(0x7f0000003600)=""/214, 0xd6}, {&(0x7f0000003700)=""/43, 0x2b}, {&(0x7f0000003740)=""/95, 0x5f}, {&(0x7f00000037c0)=""/146, 0x92}], 0x8, 0x0, 0x0, 0xffffffffffffd5b0}, 0x80}, {{0x0, 0x0, &(0x7f0000003ac0)=[{&(0x7f0000003900)=""/27, 0x1b}, {&(0x7f0000003940)=""/106, 0x6a}, {&(0x7f00000039c0)=""/87, 0x57}, {&(0x7f0000003a40)=""/126, 0x7e}], 0x4, &(0x7f0000003b00)=""/220, 0xdc, 0x7}, 0x2}], 0x9, 0x20, &(0x7f0000003e40)={0x77359400}) r1 = syz_genetlink_get_family_id$team(&(0x7f0000003ec0)='team\x00') getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000003f00)={{{@in6=@local, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@rand_addr}, 0x0, @in=@multicast2}}, &(0x7f0000004000)=0xe8) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffff9c, 0x8933, &(0x7f0000004040)={'vcan0\x00', 0x0}) sendmsg$TEAM_CMD_NOOP(r0, &(0x7f0000004240)={&(0x7f0000003e80)={0x10, 0x0, 0x0, 0x96b6c889831152ff}, 0xc, &(0x7f0000004200)={&(0x7f0000004080)={0x144, r1, 0x100, 0x70bd29, 0x25dfdbfc, {}, [{{0x8, 0x1, r2}, {0x128, 0x2, [{0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x5}}}, {0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x1}}}, {0x38, 0x1, @notify_peers_interval={{0x24, 0x1, 'notify_peers_interval\x00'}, {0x8, 0x3, 0x3}, {0x8, 0x4, 0x2}}}, {0x40, 0x1, @name={{0x24, 0x1, 'mode\x00'}, {0x8, 0x3, 0x5}, {0x10, 0x4, 'loadbalance\x00'}}}, {0x3c, 0x1, @user_linkup_enabled={{{0x24, 0x1, 'user_linkup_enabled\x00'}, {0x8, 0x3, 0x6}, {0x4, 0x4}}, {0x8, 0x6, r3}}}]}}]}, 0x144}, 0x1, 0x0, 0x0, 0x40000}, 0x24000000) bpf$PROG_LOAD(0x5, &(0x7f00000ba000)={0x1, 0x5, &(0x7f0000346fc8)=ANY=[@ANYBLOB="180000000000000000000000000080001f1100000000faff00000000000000009500000000000000"], &(0x7f000031cff6)='syzkaller\x00', 0x5c6e, 0x34d, &(0x7f00001a7f05)=""/251}, 0x48) 05:01:36 executing program 7: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000380)='/dev/kvm\x00', 0x0, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="2957e1311f16f477671070") r5 = socket$inet_udp(0x2, 0x2, 0x0) connect$inet(r5, &(0x7f0000000000)={0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, 0x10) r6 = socket(0xa, 0x1, 0x0) setsockopt$inet_MCAST_JOIN_GROUP(r6, 0x0, 0x2a, &(0x7f0000000040)={0x2, {{0x2, 0x0, @multicast2=0xe0000002}}}, 0x88) setsockopt$inet_mreq(r5, 0x0, 0x17, &(0x7f0000000140)={@multicast1=0xe0000001, @local={0xac, 0x14, 0x14, 0xaa}}, 0x8) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, &(0x7f00000000c0)="36f20f019b00800f1ee7660f110c653e36ac0f09670f009c680d0000000fe1f40fc72e93000f00996d3c360f01d1", 0x2e}], 0x1, 0x80000037, &(0x7f0000000180), 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 05:01:36 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x4}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:36 executing program 1 (fault-call:4 fault-nth:64): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:36 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x18}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:36 executing program 5: mkdir(&(0x7f0000fd5ff8)='./file0\x00', 0x0) chroot(&(0x7f000009a000)='./file0\x00') chdir(&(0x7f0000cd2ff8)='./file0\x00') symlink(&(0x7f0000000140)='..', &(0x7f0000272ff7)='../file0\x00') mount(&(0x7f0000fb6000)='./file0\x00', &(0x7f0000d78000)='.', &(0x7f0000000400)='ubifs\x00', 0x1004, 0x0) chroot(&(0x7f0000000080)='../file0\x00') lstat(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)) pivot_root(&(0x7f00000001c0)='.', &(0x7f0000000200)='..') syz_genetlink_get_family_id$team(&(0x7f0000000040)='team\x00') 05:01:36 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) ioctl$sock_bt_cmtp_CMTPGETCONNINFO(r0, 0x800443d3, &(0x7f0000000040)={{0xe03, 0x3, 0x2, 0xffffffff00000001, 0x3, 0xfffffffffffffffe}, 0x5, 0x0, 0x652}) [ 1093.704015] binder: 30596:30598 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1093.720022] FAULT_INJECTION: forcing a failure. [ 1093.720022] name failslab, interval 1, probability 0, space 0, times 0 [ 1093.731342] CPU: 1 PID: 30594 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1093.738282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1093.741805] binder: 30596:30598 BC_FREE_BUFFER u0000000000000000 no match [ 1093.747641] Call Trace: [ 1093.747667] dump_stack+0x1b9/0x294 [ 1093.747688] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1093.747707] ? is_bpf_text_address+0xd7/0x170 [ 1093.747726] ? kernel_text_address+0x79/0xf0 [ 1093.747744] ? __unwind_start+0x166/0x330 [ 1093.779165] should_fail.cold.4+0xa/0x1a [ 1093.783246] ? __save_stack_trace+0x7e/0xd0 [ 1093.787602] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1093.792737] ? graph_lock+0x170/0x170 [ 1093.796561] ? save_stack+0x43/0xd0 [ 1093.800201] ? kasan_kmalloc+0xc4/0xe0 [ 1093.802306] binder: 30596:30598 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1093.804093] ? kasan_slab_alloc+0x12/0x20 [ 1093.804118] ? find_held_lock+0x36/0x1c0 [ 1093.804140] ? __lock_is_held+0xb5/0x140 [ 1093.804168] ? check_same_owner+0x320/0x320 [ 1093.804184] ? rcu_note_context_switch+0x710/0x710 [ 1093.804204] __should_failslab+0x124/0x180 [ 1093.822767] binder: 30596:30598 BC_FREE_BUFFER u0000000000000000 no match [ 1093.823365] should_failslab+0x9/0x14 [ 1093.823384] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1093.823412] __kmalloc_node_track_caller+0x33/0x70 [ 1093.823430] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1093.823447] __alloc_skb+0x14d/0x780 [ 1093.823466] ? skb_scrub_packet+0x580/0x580 [ 1093.870418] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1093.875954] ? ip_generic_getfrag+0x11c/0x2d0 [ 1093.880446] ? ip_reply_glue_bits+0xc0/0xc0 [ 1093.884773] ? raw_getfrag+0x15b/0x220 [ 1093.888652] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1093.893671] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1093.898680] ? raw_destroy+0x30/0x30 [ 1093.902391] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1093.908180] ? ipv4_mtu+0x375/0x580 [ 1093.911799] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1093.917253] ? lock_acquire+0x1dc/0x520 [ 1093.921219] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1093.926749] ? ip_setup_cork+0x4dc/0x7c0 [ 1093.930800] ip_append_data.part.48+0xf3/0x180 [ 1093.935375] ? raw_destroy+0x30/0x30 [ 1093.939081] ip_append_data+0x6d/0x90 [ 1093.942868] ? raw_destroy+0x30/0x30 [ 1093.946575] raw_sendmsg+0x1dae/0x29b0 [ 1093.950468] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1093.955568] ? rcu_report_qs_rnp+0x790/0x790 [ 1093.959969] ? graph_lock+0x170/0x170 [ 1093.963766] ? expand_files.part.8+0x9a0/0x9a0 [ 1093.968335] ? check_same_owner+0x320/0x320 [ 1093.972661] ? lock_downgrade+0x8e0/0x8e0 [ 1093.976804] ? lock_release+0xa10/0xa10 [ 1093.980765] ? check_same_owner+0x320/0x320 [ 1093.985076] ? __check_object_size+0x95/0x5d9 [ 1093.989564] inet_sendmsg+0x19f/0x690 [ 1093.993349] ? __might_sleep+0x95/0x190 [ 1093.997311] ? ipip_gro_receive+0x100/0x100 [ 1094.001624] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1094.007149] ? security_socket_sendmsg+0x94/0xc0 [ 1094.011892] ? ipip_gro_receive+0x100/0x100 [ 1094.016200] sock_sendmsg+0xd5/0x120 [ 1094.019900] __sys_sendto+0x3d7/0x670 [ 1094.023688] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1094.028352] ? wait_for_completion+0x870/0x870 [ 1094.032924] ? __lock_is_held+0xb5/0x140 [ 1094.036997] ? __sb_end_write+0xac/0xe0 [ 1094.040962] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1094.046486] ? fput+0x130/0x1a0 [ 1094.049752] ? ksys_write+0x1a6/0x250 [ 1094.053541] ? __ia32_sys_read+0xb0/0xb0 [ 1094.057587] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1094.063115] __x64_sys_sendto+0xe1/0x1a0 [ 1094.067166] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1094.072172] do_syscall_64+0x1b1/0x800 [ 1094.076224] ? finish_task_switch+0x1ca/0x840 [ 1094.080707] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1094.085628] ? syscall_return_slowpath+0x30f/0x5c0 [ 1094.090549] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1094.095903] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1094.100744] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1094.105920] RIP: 0033:0x4559f9 [ 1094.109094] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1094.128342] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1094.136039] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1094.143298] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 05:01:36 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") fanotify_init(0x8, 0x0) 05:01:37 executing program 4: r0 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={0xffffffffffffff9c, 0x7, 0x1, 0x5, &(0x7f0000000040)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}, 0x20) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x75, &(0x7f0000000100)={0x0, 0x3f}, &(0x7f0000000140)=0x8) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000180)={0x80000001, 0x0, 0xd, 0x6, 0x3, 0x6, 0x65, 0x7, r1}, &(0x7f00000001c0)=0x20) r2 = semget$private(0x0, 0x1, 0x10) semctl$GETZCNT(r2, 0x1, 0xf, &(0x7f0000000200)=""/106) r3 = socket(0x200000000000011, 0x3, 0x8) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000002c0)={'bridge0\x00', 0x0}) bind$packet(r0, &(0x7f0000000000)={0x11, 0x0, r4, 0x1, 0x0, 0x6}, 0x14) sendmsg$kcm(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000380)=[{&(0x7f0000000080)="25af4c79dc434a0d7c5fca7102e348a5719a2b8fe76d19d54b443d5fcb0389e62d55d7fc4f2c506226f4132ab2d4", 0x2e}], 0x1, &(0x7f0000000400)}, 0x0) r5 = getpgrp(0xffffffffffffffff) ptrace$PTRACE_SECCOMP_GET_METADATA(0x420d, r5, 0x10, &(0x7f0000000300)={0xff}) [ 1094.150554] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1094.157824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1094.165078] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000040 05:01:37 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) ioctl$DRM_IOCTL_RES_CTX(r0, 0xc0106426, &(0x7f0000000140)={0x8, &(0x7f0000000040)=[{}, {}, {}, {}, {}, {0x0}, {}, {}]}) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r3, &(0x7f0000000400)=""/195}) r4 = socket$inet6(0xa, 0x1, 0x0) ioctl(r4, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x3f00000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:37 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x5000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:37 executing program 1 (fault-call:4 fault-nth:65): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:37 executing program 5: r0 = socket$kcm(0x29, 0x2, 0x0) ioctl(r0, 0x8912, &(0x7f0000000440)="0047fc2f07d82c99240970") r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x400, 0x0) syz_open_pts(r1, 0x408002) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000005240)={{{@in6=@ipv4={[], [], @multicast2}}}, {{@in=@loopback}, 0x0, @in6=@local}}, &(0x7f0000005340)=0xe8) accept4$packet(r1, &(0x7f00000054c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, &(0x7f0000005500)=0x14, 0x800) bpf$PROG_LOAD(0x5, &(0x7f0000005380)={0x4, 0x200000000000018c, &(0x7f0000000080)=ANY=[@ANYBLOB="00000000000004000c"], &(0x7f0000005540)="73797a6b616c6c6572e551bf487a013070c9b7993e944100", 0x0, 0xc3, &(0x7f0000009f3d)=""/195, 0xfffffffffffffffd, 0x2, [], r2, 0x2000000000004}, 0x48) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x5, &(0x7f0000001fd8)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xffffffc7}, [@ldst={0x7}], {0x95}}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0x437, &(0x7f000000cf3d)=""/195}, 0x48) [ 1094.313266] binder: 30631:30633 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1094.350159] binder: 30631:30633 BC_FREE_BUFFER u0000000000000000 no match 05:01:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x500000000000000}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:37 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0xe2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd84, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0) getsockopt$bt_l2cap_L2CAP_LM(r0, 0x6, 0x3, &(0x7f0000000040), &(0x7f0000000080)=0x4) [ 1094.405138] binder: 30631:30633 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1094.415167] FAULT_INJECTION: forcing a failure. [ 1094.415167] name failslab, interval 1, probability 0, space 0, times 0 [ 1094.426546] CPU: 0 PID: 30643 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1094.433485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1094.439454] binder: 30631:30633 BC_FREE_BUFFER u0000000000000000 no match [ 1094.442840] Call Trace: [ 1094.442867] dump_stack+0x1b9/0x294 [ 1094.442887] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1094.442911] ? unwind_get_return_address+0x61/0xa0 [ 1094.466149] ? graph_lock+0x170/0x170 [ 1094.469979] should_fail.cold.4+0xa/0x1a [ 1094.474067] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1094.479190] ? __lock_is_held+0xb5/0x140 [ 1094.483268] ? __kmalloc_node_track_caller+0x47/0x70 [ 1094.488391] ? graph_lock+0x170/0x170 [ 1094.492214] ? __x64_sys_sendto+0xe1/0x1a0 [ 1094.496467] ? find_held_lock+0x36/0x1c0 [ 1094.500550] ? __lock_is_held+0xb5/0x140 [ 1094.504638] ? check_same_owner+0x320/0x320 [ 1094.508980] ? rcu_note_context_switch+0x710/0x710 [ 1094.513932] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1094.519227] __should_failslab+0x124/0x180 [ 1094.523479] should_failslab+0x9/0x14 [ 1094.527297] kmem_cache_alloc_node+0x272/0x780 [ 1094.531902] ? __kmalloc_node_track_caller+0x47/0x70 [ 1094.537044] __alloc_skb+0x111/0x780 [ 1094.540773] ? skb_scrub_packet+0x580/0x580 [ 1094.545112] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1094.550659] ? ip_generic_getfrag+0x11c/0x2d0 05:01:37 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0xff0f}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1094.555169] ? ip_reply_glue_bits+0xc0/0xc0 [ 1094.559501] ? raw_getfrag+0x15b/0x220 [ 1094.563401] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1094.568438] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1094.573473] ? raw_destroy+0x30/0x30 [ 1094.577210] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1094.583033] ? ipv4_mtu+0x375/0x580 [ 1094.586677] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1094.592151] ? lock_acquire+0x1dc/0x520 [ 1094.596145] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1094.601698] ? ip_setup_cork+0x4dc/0x7c0 [ 1094.605785] ip_append_data.part.48+0xf3/0x180 [ 1094.610384] ? raw_destroy+0x30/0x30 [ 1094.614120] ip_append_data+0x6d/0x90 [ 1094.617940] ? raw_destroy+0x30/0x30 [ 1094.621665] raw_sendmsg+0x1dae/0x29b0 [ 1094.625573] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1094.630683] ? rcu_report_qs_rnp+0x790/0x790 [ 1094.635111] ? graph_lock+0x170/0x170 [ 1094.638934] ? expand_files.part.8+0x9a0/0x9a0 [ 1094.643531] ? check_same_owner+0x320/0x320 [ 1094.647887] ? lock_downgrade+0x8e0/0x8e0 [ 1094.652054] ? lock_release+0xa10/0xa10 [ 1094.656041] ? check_same_owner+0x320/0x320 [ 1094.660380] ? __check_object_size+0x95/0x5d9 [ 1094.664889] inet_sendmsg+0x19f/0x690 [ 1094.668702] ? __might_sleep+0x95/0x190 [ 1094.672692] ? ipip_gro_receive+0x100/0x100 [ 1094.677037] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1094.682592] ? security_socket_sendmsg+0x94/0xc0 [ 1094.687364] ? ipip_gro_receive+0x100/0x100 [ 1094.691697] sock_sendmsg+0xd5/0x120 [ 1094.695424] __sys_sendto+0x3d7/0x670 [ 1094.699239] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1094.703933] ? wait_for_completion+0x870/0x870 [ 1094.708534] ? __lock_is_held+0xb5/0x140 [ 1094.712621] ? __sb_end_write+0xac/0xe0 [ 1094.716604] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1094.722143] ? fput+0x130/0x1a0 [ 1094.725423] ? ksys_write+0x1a6/0x250 [ 1094.729215] ? __ia32_sys_read+0xb0/0xb0 [ 1094.733284] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1094.738830] __x64_sys_sendto+0xe1/0x1a0 [ 1094.742907] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1094.747921] do_syscall_64+0x1b1/0x800 [ 1094.751804] ? finish_task_switch+0x1ca/0x840 [ 1094.756308] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1094.761243] ? syscall_return_slowpath+0x30f/0x5c0 [ 1094.766167] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1094.771529] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1094.776390] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1094.781568] RIP: 0033:0x4559f9 [ 1094.784743] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1094.804005] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1094.811712] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1094.818978] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1094.826234] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1094.833494] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1094.840754] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000041 [ 1094.850937] ALSA: seq fatal error: cannot create timer (-22) 05:01:38 executing program 1 (fault-call:4 fault-nth:66): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:38 executing program 7: r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)="2f70726f632f7379732f6e6574ff7f0000342f76732f7365637572655f74637000", 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) syz_fuseblk_mount(&(0x7f0000976000)='./file0\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) fcntl$getflags(r0, 0x401) mmap$xdp(&(0x7f00004c9000/0x3000)=nil, 0x3000, 0x3, 0x10, r0, 0x180000000) 05:01:38 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x600000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:38 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl$KVM_DEASSIGN_PCI_DEVICE(r0, 0x4040ae72, &(0x7f0000000040)={0x28d, 0x14000000000, 0x265, 0x1, 0x6d}) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:38 executing program 4: mmap(&(0x7f0000013000/0x2000)=nil, 0x2000, 0x4, 0x10, 0xffffffffffffffff, 0x0) r0 = userfaultfd(0x0) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000000)={0xaa}) r1 = socket$inet6(0xa, 0x1, 0x0) ioctl(r1, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000004fe0)={{&(0x7f0000011000/0x3000)=nil, 0x3000}, 0x1}) r2 = openat(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x800, 0x8) ioctl$VT_WAITACTIVE(r2, 0x5607) r3 = socket(0xa, 0x1, 0x0) getsockopt$inet6_int(r3, 0x29, 0x41, &(0x7f0000000100), &(0x7f0000013000)=0x4) close(r3) close(r0) setsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r1, 0x84, 0x8, &(0x7f0000000040)=0x800, 0x4) 05:01:38 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x5800}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) 05:01:38 executing program 5: r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x6, 0x4240) setsockopt$bt_hci_HCI_DATA_DIR(r0, 0x0, 0x1, &(0x7f0000000040)=0x9, 0x4) r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x101000, 0x0) listen(r1, 0x0) getsockopt$XDP_STATISTICS(r1, 0x11b, 0x7, &(0x7f00000000c0), &(0x7f0000000100)=0x18) 05:01:38 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x2000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1095.009395] ALSA: seq fatal error: cannot create timer (-22) [ 1095.056805] binder: 30676:30681 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1095.070719] FAULT_INJECTION: forcing a failure. [ 1095.070719] name failslab, interval 1, probability 0, space 0, times 0 [ 1095.082270] CPU: 1 PID: 30674 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1095.089209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1095.098574] Call Trace: [ 1095.101177] dump_stack+0x1b9/0x294 [ 1095.104830] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1095.110034] ? is_bpf_text_address+0xd7/0x170 [ 1095.114547] ? kernel_text_address+0x79/0xf0 [ 1095.118971] ? __unwind_start+0x166/0x330 [ 1095.123143] should_fail.cold.4+0xa/0x1a [ 1095.127222] ? __save_stack_trace+0x7e/0xd0 [ 1095.131562] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1095.136690] ? graph_lock+0x170/0x170 [ 1095.140511] ? save_stack+0x43/0xd0 [ 1095.144153] ? kasan_kmalloc+0xc4/0xe0 [ 1095.148051] ? kasan_slab_alloc+0x12/0x20 05:01:38 executing program 7: openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x10000, 0x0) r0 = socket$inet_smc(0x2b, 0x1, 0x0) listen(r0, 0x2755) getsockname(r0, &(0x7f0000000040)=@pppol2tpv3in6={0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, @dev}}}, &(0x7f00000000c0)=0x80) socket$inet6(0xa, 0x0, 0x24d8) r1 = syz_open_dev$adsp(&(0x7f00000001c0)='/dev/adsp#\x00', 0xffffffffffff5420, 0xc02) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS(r1, 0xc05c5340, &(0x7f0000000200)={0x3, 0x1000, 0x0, {}, 0x5, 0x3}) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000100)={'rose0\x00'}) setsockopt$IP_VS_SO_SET_EDIT(r0, 0x0, 0x483, &(0x7f0000000180)={0x3b, @local={0xac, 0x14, 0x14, 0xaa}, 0x4e20, 0x2, 'lblc\x00', 0x8, 0xe29, 0x2e}, 0x2c) memfd_create(&(0x7f0000000000)='cpusetvboxnet1\x00', 0x2) ioctl$sock_SIOCOUTQ(r0, 0x5411, &(0x7f0000001080)) [ 1095.151778] binder: 30676:30681 BC_FREE_BUFFER u0000000000000000 no match [ 1095.152211] ? find_held_lock+0x36/0x1c0 [ 1095.163192] ? __lock_is_held+0xb5/0x140 [ 1095.167280] ? check_same_owner+0x320/0x320 [ 1095.171619] ? rcu_note_context_switch+0x710/0x710 [ 1095.176574] __should_failslab+0x124/0x180 [ 1095.180825] should_failslab+0x9/0x14 [ 1095.184189] IPVS: set_ctl: invalid protocol: 59 172.20.20.170:20000 [ 1095.184636] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1095.196194] __kmalloc_node_track_caller+0x33/0x70 [ 1095.196214] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1095.196233] __alloc_skb+0x14d/0x780 [ 1095.196252] ? skb_scrub_packet+0x580/0x580 [ 1095.196272] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1095.196290] ? ip_generic_getfrag+0x11c/0x2d0 [ 1095.196309] ? ip_reply_glue_bits+0xc0/0xc0 [ 1095.196335] ? raw_getfrag+0x15b/0x220 [ 1095.196350] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1095.196379] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1095.196402] ? raw_destroy+0x30/0x30 [ 1095.196430] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1095.196452] ? ipv4_mtu+0x375/0x580 [ 1095.196471] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1095.196499] ? lock_acquire+0x1dc/0x520 [ 1095.196517] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1095.196533] ? ip_setup_cork+0x4dc/0x7c0 [ 1095.196554] ip_append_data.part.48+0xf3/0x180 [ 1095.196571] ? raw_destroy+0x30/0x30 [ 1095.196594] ip_append_data+0x6d/0x90 [ 1095.213226] IPVS: set_ctl: invalid protocol: 59 172.20.20.170:20000 [ 1095.214285] ? raw_destroy+0x30/0x30 [ 1095.214307] raw_sendmsg+0x1dae/0x29b0 [ 1095.214341] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1095.214367] ? rcu_report_qs_rnp+0x790/0x790 [ 1095.214394] ? graph_lock+0x170/0x170 [ 1095.313823] ? expand_files.part.8+0x9a0/0x9a0 [ 1095.318398] ? check_same_owner+0x320/0x320 [ 1095.322723] ? lock_downgrade+0x8e0/0x8e0 [ 1095.326864] ? lock_release+0xa10/0xa10 [ 1095.330828] ? check_same_owner+0x320/0x320 [ 1095.335140] ? __check_object_size+0x95/0x5d9 [ 1095.339627] inet_sendmsg+0x19f/0x690 [ 1095.343412] ? __might_sleep+0x95/0x190 [ 1095.347376] ? ipip_gro_receive+0x100/0x100 [ 1095.351690] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1095.357217] ? security_socket_sendmsg+0x94/0xc0 [ 1095.361959] ? ipip_gro_receive+0x100/0x100 [ 1095.366269] sock_sendmsg+0xd5/0x120 [ 1095.369973] __sys_sendto+0x3d7/0x670 [ 1095.373765] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1095.378428] ? wait_for_completion+0x870/0x870 [ 1095.382998] ? __lock_is_held+0xb5/0x140 [ 1095.387070] ? __sb_end_write+0xac/0xe0 [ 1095.391036] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1095.396558] ? fput+0x130/0x1a0 [ 1095.399825] ? ksys_write+0x1a6/0x250 [ 1095.403616] ? __ia32_sys_read+0xb0/0xb0 [ 1095.407661] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1095.413186] __x64_sys_sendto+0xe1/0x1a0 [ 1095.417236] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1095.422240] do_syscall_64+0x1b1/0x800 [ 1095.426116] ? finish_task_switch+0x1ca/0x840 [ 1095.430601] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1095.435517] ? syscall_return_slowpath+0x30f/0x5c0 [ 1095.440437] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1095.445792] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1095.450624] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1095.455799] RIP: 0033:0x4559f9 [ 1095.458972] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1095.478235] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1095.485934] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1095.493190] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 [ 1095.500468] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 05:01:38 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180)=[{&(0x7f0000000d80)=""/4096, 0x1000}], 0x1) openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x0, 0x0) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, 'syzkaller0\x00'}) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) 05:01:38 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x58}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1095.507722] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1095.514977] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000042 [ 1095.543133] binder: 30676:30681 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:38 executing program 5: r0 = socket$inet6(0xa, 0x3, 0x100000000c) ioctl(r0, 0x8912, &(0x7f0000000000)="025cc83d6d345f8f760070") bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0xf, 0x8, &(0x7f0000001000)=ANY=[@ANYBLOB="7a0af8ff1e000000bfa100000000000007010000f8ffffffb702000008000000bf130000000000008500000006000000b7000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00'}, 0x48) r1 = socket$xdp(0x2c, 0x3, 0x0) accept$packet(0xffffffffffffff9c, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @remote}, &(0x7f0000000240)=0x14) ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000280)={@ipv4={[], [0xff, 0xff], @rand_addr=0x7fffffff}, 0x17, r2}) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000040)={&(0x7f0000000000)=""/2, 0x1008000, 0x1000, 0x10000000000000}, 0x18) 05:01:38 executing program 1 (fault-call:4 fault-nth:67): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:38 executing program 4: r0 = memfd_create(&(0x7f0000000200)='\x00', 0x2) connect$bt_rfcomm(r0, &(0x7f0000000240)={0x1f, {0x4a, 0x6, 0x2, 0x7, 0x1000, 0xff}, 0x464}, 0x31b) r1 = socket$l2tp(0x18, 0x1, 0x1) connect$l2tp(r0, &(0x7f0000000380)=@pppol2tpv3in6={0x18, 0x1, {0x0, r0, 0x1, 0x4, 0x3, 0x2, {0xa, 0x4e20, 0x6, @mcast1={0xff, 0x1, [], 0x1}, 0x5}}}, 0x3a) ioctl$FS_IOC_GETFSLABEL(r1, 0x81009431, &(0x7f0000000100)) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x40, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r2, 0xc0bc5310, &(0x7f0000000040)) [ 1095.579186] binder: 30676:30681 BC_FREE_BUFFER u0000000000000000 no match 05:01:38 executing program 7: r0 = gettid() socketpair(0x8000000000001e, 0x1, 0x0, &(0x7f000000dff8)={0xffffffffffffffff, 0xffffffffffffffff}) recvmmsg(r1, &(0x7f0000007640)=[{{0x0, 0x0, &(0x7f0000006100)=[{&(0x7f0000006040)=""/174, 0xae}], 0x1, &(0x7f0000007980)=""/4096, 0x1000}}, {{&(0x7f0000007140)=@pptp={0x0, 0x0, {0x0, @multicast2}}, 0x80, &(0x7f0000007500)=[{&(0x7f0000007480)=""/121, 0x79}], 0x1, &(0x7f0000007580)=""/138, 0x8a}}], 0x2, 0x0, &(0x7f0000007800)={0x77359400}) write$sndseq(r2, &(0x7f00000078c0)=[{0x0, 0xff, 0x0, 0x0, @time, {}, {}, @result}], 0x30) timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) tkill(r0, 0x1000000000016) ioctl$sock_inet_SIOCGIFADDR(r1, 0x8915, &(0x7f0000000000)={'eql\x00', {0x2, 0x4e23}}) [ 1095.705299] FAULT_INJECTION: forcing a failure. [ 1095.705299] name failslab, interval 1, probability 0, space 0, times 0 [ 1095.716670] CPU: 1 PID: 30715 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1095.723602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1095.732955] Call Trace: [ 1095.735549] dump_stack+0x1b9/0x294 [ 1095.739180] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1095.744363] ? unwind_get_return_address+0x61/0xa0 [ 1095.749287] ? graph_lock+0x170/0x170 [ 1095.753084] should_fail.cold.4+0xa/0x1a [ 1095.757140] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1095.762234] ? __lock_is_held+0xb5/0x140 [ 1095.766280] ? __kmalloc_node_track_caller+0x47/0x70 [ 1095.771368] ? graph_lock+0x170/0x170 [ 1095.775160] ? __x64_sys_sendto+0xe1/0x1a0 [ 1095.779383] ? find_held_lock+0x36/0x1c0 [ 1095.783435] ? __lock_is_held+0xb5/0x140 [ 1095.787503] ? check_same_owner+0x320/0x320 [ 1095.791816] ? rcu_note_context_switch+0x710/0x710 [ 1095.796734] ? kmem_cache_alloc_node_trace+0x34e/0x770 [ 1095.802001] __should_failslab+0x124/0x180 [ 1095.806231] should_failslab+0x9/0x14 [ 1095.810023] kmem_cache_alloc_node+0x272/0x780 [ 1095.814592] ? __kmalloc_node_track_caller+0x47/0x70 [ 1095.819686] __alloc_skb+0x111/0x780 [ 1095.823391] ? skb_scrub_packet+0x580/0x580 [ 1095.827703] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1095.833228] ? ip_generic_getfrag+0x11c/0x2d0 [ 1095.837714] ? ip_reply_glue_bits+0xc0/0xc0 [ 1095.842030] ? raw_getfrag+0x15b/0x220 [ 1095.845907] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1095.850918] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1095.855928] ? raw_destroy+0x30/0x30 [ 1095.859638] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1095.865425] ? ipv4_mtu+0x375/0x580 [ 1095.869040] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1095.874488] ? lock_acquire+0x1dc/0x520 [ 1095.878450] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1095.883979] ? ip_setup_cork+0x4dc/0x7c0 [ 1095.888029] ip_append_data.part.48+0xf3/0x180 [ 1095.892606] ? raw_destroy+0x30/0x30 [ 1095.896316] ip_append_data+0x6d/0x90 [ 1095.900106] ? raw_destroy+0x30/0x30 [ 1095.903812] raw_sendmsg+0x1dae/0x29b0 [ 1095.907695] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1095.912793] ? rcu_report_qs_rnp+0x790/0x790 [ 1095.917224] ? graph_lock+0x170/0x170 [ 1095.921020] ? expand_files.part.8+0x9a0/0x9a0 [ 1095.925588] ? check_same_owner+0x320/0x320 [ 1095.929923] ? lock_downgrade+0x8e0/0x8e0 [ 1095.934063] ? lock_release+0xa10/0xa10 [ 1095.938023] ? check_same_owner+0x320/0x320 [ 1095.942333] ? __check_object_size+0x95/0x5d9 [ 1095.946820] inet_sendmsg+0x19f/0x690 [ 1095.950608] ? __might_sleep+0x95/0x190 [ 1095.954569] ? ipip_gro_receive+0x100/0x100 [ 1095.958881] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1095.964407] ? security_socket_sendmsg+0x94/0xc0 [ 1095.969154] ? ipip_gro_receive+0x100/0x100 [ 1095.973465] sock_sendmsg+0xd5/0x120 [ 1095.977165] __sys_sendto+0x3d7/0x670 [ 1095.980952] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1095.985613] ? wait_for_completion+0x870/0x870 [ 1095.990186] ? __lock_is_held+0xb5/0x140 [ 1095.994245] ? __sb_end_write+0xac/0xe0 [ 1095.998208] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1096.003727] ? fput+0x130/0x1a0 [ 1096.006995] ? ksys_write+0x1a6/0x250 [ 1096.010786] ? __ia32_sys_read+0xb0/0xb0 [ 1096.014837] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1096.020364] __x64_sys_sendto+0xe1/0x1a0 [ 1096.024414] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1096.029423] do_syscall_64+0x1b1/0x800 [ 1096.033304] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1096.038221] ? syscall_return_slowpath+0x30f/0x5c0 [ 1096.043139] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1096.048494] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1096.053328] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1096.058502] RIP: 0033:0x4559f9 [ 1096.061672] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1096.080915] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1096.088699] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1096.095956] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 05:01:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x68000000, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:39 executing program 6: r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='net/arp\x00') readv(r0, &(0x7f0000000180), 0x1000000000000063) socket$inet(0x2, 0x4, 0x6) r1 = socket$inet_tcp(0x2, 0x1, 0x0) r2 = syz_open_dev$tun(&(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0) r3 = socket$inet6(0xa, 0x1, 0x0) ioctl(r3, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller0\x00', 0x3}) ioctl$sock_inet_SIOCSARP(r1, 0x8955, &(0x7f0000000d00)={{0x2, 0x0, @remote={0xac, 0x14, 0x14, 0xbb}}, {0x0, @random="90da5bc97747"}, 0x8000000000008, {0x2, 0x0, @local={0xac, 0x14, 0x14, 0xaa}}, "73797a6b616c6c64bd00"}) ioctl$sock_inet_SIOCGIFBRDADDR(r3, 0x8919, &(0x7f0000000040)={'sit0\x00', {0x2, 0x4e20, @multicast1=0xe0000001}}) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r0, 0x84, 0x66, &(0x7f0000000140)={0x0, 0x1}, &(0x7f00000001c0)=0x8) setsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x6, &(0x7f0000000400)={r4, @in={{0x2, 0x4e20, @local={0xac, 0x14, 0x14, 0xaa}}}}, 0x84) bind$inet6(r3, &(0x7f0000000180)={0xa, 0x4e22, 0x5cc, @loopback={0x0, 0x1}, 0x7}, 0x1c) readv(r0, &(0x7f0000000080)=[{&(0x7f0000000300)=""/242, 0xf2}], 0x1) ioctl$SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE(r0, 0x80045530, &(0x7f0000000240)=""/149) getsockopt$EBT_SO_GET_INFO(r1, 0x0, 0x80, &(0x7f00000004c0)={'nat\x00'}, &(0x7f0000000540)=0x78) [ 1096.103228] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1096.110505] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1096.117784] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000043 05:01:39 executing program 4: r0 = socket$vsock_stream(0x28, 0x1, 0x0) r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) r2 = dup3(r1, r0, 0x0) ioctl$sock_netrom_TIOCOUTQ(r2, 0x5411, &(0x7f0000000200)) fcntl$addseals(r1, 0x409, 0x8) 05:01:39 executing program 2: r0 = syz_open_dev$sndseq(&(0x7f0000ff0ff3)='/dev/snd/seq\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r0, 0xc08c5332, &(0x7f0000000200)={0x0, 0x0, 0x0, 'queue0\x00'}) read(r0, &(0x7f0000000040)=""/28, 0x1c) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000418f50)={{0x80}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f000019ffe9)={0xc1}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER(r0, 0x40605346, &(0x7f0000000000)={0x0, 0x0, {0x0, 0x0, 0x0, 0x6000000000000000}}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000380)='/dev/sequencer2\x00', 0x0, 0x0) 05:01:39 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000000)='map_files\x00') fchdir(r0) syz_fuseblk_mount(&(0x7f0000976000)='./file0\x00', &(0x7f0000dd3ff8)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) bpf$OBJ_GET_MAP(0x7, &(0x7f0000000080)={&(0x7f0000000040)='./file0\x00', 0x0, 0x8}, 0x10) [ 1096.176857] binder: 30724:30725 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1096.200932] binder: 30724:30725 BC_FREE_BUFFER u0000000000000000 no match 05:01:39 executing program 1 (fault-call:4 fault-nth:68): r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000080)="2957e1311f16f477671070") r1 = socket(0x1000000000000002, 0x3, 0x1) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='sit0\x00', 0x10) sendto$inet(r1, &(0x7f0000000000), 0xffeb, 0x0, &(0x7f0000000040)={0x2, 0x0, @multicast1=0xe0000001}, 0x10) 05:01:39 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x3}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1096.248096] binder: 30724:30725 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1096.309190] binder: 30724:30725 BC_FREE_BUFFER u0000000000000000 no match [ 1096.317881] FAULT_INJECTION: forcing a failure. [ 1096.317881] name failslab, interval 1, probability 0, space 0, times 0 [ 1096.329310] CPU: 0 PID: 30746 Comm: syz-executor1 Not tainted 4.17.0+ #93 [ 1096.336259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1096.345629] Call Trace: [ 1096.348244] dump_stack+0x1b9/0x294 [ 1096.351902] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1096.357111] ? is_bpf_text_address+0xd7/0x170 [ 1096.361634] should_fail.cold.4+0xa/0x1a [ 1096.365709] ? __save_stack_trace+0x7e/0xd0 [ 1096.370050] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 1096.375173] ? graph_lock+0x170/0x170 [ 1096.378992] ? save_stack+0x43/0xd0 [ 1096.382632] ? kasan_kmalloc+0xc4/0xe0 [ 1096.386536] ? kasan_slab_alloc+0x12/0x20 [ 1096.390706] ? find_held_lock+0x36/0x1c0 [ 1096.394802] ? __lock_is_held+0xb5/0x140 [ 1096.398896] ? check_same_owner+0x320/0x320 [ 1096.403235] ? rcu_note_context_switch+0x710/0x710 [ 1096.408164] __should_failslab+0x124/0x180 [ 1096.412390] should_failslab+0x9/0x14 [ 1096.416181] kmem_cache_alloc_node_trace+0x26f/0x770 [ 1096.421284] __kmalloc_node_track_caller+0x33/0x70 [ 1096.426205] __kmalloc_reserve.isra.40+0x3a/0xe0 [ 1096.430952] __alloc_skb+0x14d/0x780 [ 1096.434656] ? skb_scrub_packet+0x580/0x580 [ 1096.438967] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1096.444492] ? ip_generic_getfrag+0x11c/0x2d0 [ 1096.448981] ? ip_reply_glue_bits+0xc0/0xc0 [ 1096.453306] ? raw_getfrag+0x15b/0x220 [ 1096.457258] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 1096.462276] __ip_append_data.isra.47+0x21a6/0x2a60 [ 1096.467307] ? raw_destroy+0x30/0x30 [ 1096.471023] ? __ip_flush_pending_frames.isra.43+0x2d0/0x2d0 [ 1096.476814] ? ipv4_mtu+0x375/0x580 [ 1096.480433] ? __build_flow_key.constprop.54+0x5f0/0x5f0 [ 1096.485886] ? lock_acquire+0x1dc/0x520 [ 1096.489863] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 1096.495393] ? ip_setup_cork+0x4dc/0x7c0 [ 1096.499450] ip_append_data.part.48+0xf3/0x180 [ 1096.504024] ? raw_destroy+0x30/0x30 [ 1096.507729] ip_append_data+0x6d/0x90 [ 1096.511519] ? raw_destroy+0x30/0x30 [ 1096.515226] raw_sendmsg+0x1dae/0x29b0 [ 1096.519117] ? raw_send_hdrinc.isra.21+0x19b0/0x19b0 [ 1096.524209] ? zap_class+0x720/0x720 [ 1096.527917] ? graph_lock+0x170/0x170 [ 1096.531711] ? expand_files.part.8+0x9a0/0x9a0 [ 1096.536300] ? lock_downgrade+0x8e0/0x8e0 [ 1096.540442] ? lock_release+0xa10/0xa10 [ 1096.544404] ? check_same_owner+0x320/0x320 [ 1096.548714] ? __check_object_size+0x95/0x5d9 [ 1096.553238] inet_sendmsg+0x19f/0x690 [ 1096.557026] ? __might_sleep+0x95/0x190 [ 1096.560991] ? ipip_gro_receive+0x100/0x100 [ 1096.565303] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 1096.570832] ? security_socket_sendmsg+0x94/0xc0 [ 1096.575573] ? ipip_gro_receive+0x100/0x100 [ 1096.579883] sock_sendmsg+0xd5/0x120 [ 1096.583602] __sys_sendto+0x3d7/0x670 [ 1096.587394] ? __ia32_sys_getpeername+0xb0/0xb0 [ 1096.592057] ? wait_for_completion+0x870/0x870 [ 1096.596641] ? __sb_end_write+0xac/0xe0 [ 1096.600607] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1096.606131] ? fput+0x130/0x1a0 [ 1096.609401] ? ksys_write+0x1a6/0x250 [ 1096.613192] ? __ia32_sys_read+0xb0/0xb0 [ 1096.617240] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 1096.622771] __x64_sys_sendto+0xe1/0x1a0 [ 1096.626839] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1096.631849] do_syscall_64+0x1b1/0x800 [ 1096.635723] ? finish_task_switch+0x1ca/0x840 [ 1096.640213] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1096.645133] ? syscall_return_slowpath+0x30f/0x5c0 [ 1096.650052] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1096.655410] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1096.660261] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1096.665440] RIP: 0033:0x4559f9 [ 1096.668616] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1096.687911] RSP: 002b:00007f928b330c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 1096.695609] RAX: ffffffffffffffda RBX: 00007f928b3316d4 RCX: 00000000004559f9 [ 1096.702865] RDX: 000000000000ffeb RSI: 0000000020000000 RDI: 0000000000000014 05:01:39 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x4c, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) 05:01:39 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x1200}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1096.710119] RBP: 000000000072bea0 R08: 0000000020000040 R09: 0000000000000010 [ 1096.717376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015 [ 1096.724632] R13: 00000000004c0d2f R14: 00000000004d0790 R15: 0000000000000044 05:01:39 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x0) ioctl(r0, 0x4000008912, &(0x7f0000000100)="295ee1311f16f477671070") r1 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r1, &(0x7f0000001000)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000184000)={0x2, 0xd, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, [@sadb_x_policy={0x8, 0x12, 0x0, 0x3, 0x0, 0x0, 0x0, {0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @in=@multicast1=0xe0000001}}, @sadb_address={0x3, 0x6, 0x0, 0x0, 0x0, @in={0x2, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}}}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff, 0xbb}}}, @sadb_x_sec_ctx={0x1, 0x18}]}, 0x88}, 0x1}, 0x4000010) [ 1096.769692] binder: 30756:30757 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1096.780046] binder: 30756:30757 BC_FREE_BUFFER u0000000000000000 no match [ 1096.800382] binder: 30756:30757 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 05:01:39 executing program 3: r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x6, 0x0) write$binfmt_elf32(r0, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x0, 0x0, 0x0, 0x20}, [{0x0, 0x0, 0x0, 0x0, 0x3f00}]}, 0x58) ioctl$BLKZEROOUT(0xffffffffffffffff, 0x127f, &(0x7f0000000080)) [ 1096.816431] binder: 30756:30757 BC_FREE_BUFFER u0000000000000000 no match [ 1096.844307] ================================================================== [ 1096.852066] BUG: KASAN: null-ptr-deref in xdp_umem_unaccount_pages.isra.5+0x3d/0x80 [ 1096.859873] Write of size 8 at addr 0000000000000060 by task syz-executor5/30714 [ 1096.867407] [ 1096.869051] CPU: 0 PID: 30714 Comm: syz-executor5 Not tainted 4.17.0+ #93 [ 1096.875977] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1096.885336] Call Trace: [ 1096.887951] dump_stack+0x1b9/0x294 05:01:40 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000140)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffff9c, 0xc018620b, &(0x7f0000000180)) mmap$binder(&(0x7f0000bfe000/0x400000)=nil, 0x400000, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000480)={0x1c, 0x0, &(0x7f0000000300)=[@clear_death={0x400c630f, 0x3}, @free_buffer={0x40086303}], 0x0, 0x68, &(0x7f0000000400)}) bind$inet(0xffffffffffffffff, &(0x7f0000000100)={0x2, 0x0, @multicast2=0xe0000002}, 0x10) sendto$inet(0xffffffffffffffff, &(0x7f0000fa0fff), 0xffffffffffffffc3, 0x0, &(0x7f0000e97fcf)={0x2, 0x0, @loopback=0x7f000001}, 0x10) [ 1096.891607] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1096.896814] ? kasan_check_write+0x14/0x20 [ 1096.901062] ? do_raw_spin_lock+0xc1/0x200 [ 1096.905303] ? vprintk_func+0x81/0xe7 [ 1096.909115] ? xdp_umem_unaccount_pages.isra.5+0x3d/0x80 [ 1096.914583] kasan_report.cold.7+0x6d/0x2fe [ 1096.918919] check_memory_region+0x13e/0x1b0 [ 1096.923336] kasan_check_write+0x14/0x20 [ 1096.927411] xdp_umem_unaccount_pages.isra.5+0x3d/0x80 [ 1096.932703] xdp_umem_create+0xd6c/0x10f0 [ 1096.936879] ? xdp_put_umem+0x240/0x240 [ 1096.940864] ? check_same_owner+0x320/0x320 [ 1096.945199] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 1096.950407] ? __might_sleep+0x95/0x190 [ 1096.954403] xsk_setsockopt+0x443/0x550 [ 1096.958392] ? xsk_init_queue+0xf0/0xf0 [ 1096.962377] ? dlci_ioctl_set+0x40/0x40 [ 1096.966367] ? schedule+0xef/0x430 [ 1096.969931] ? security_socket_setsockopt+0x94/0xc0 [ 1096.974963] __sys_setsockopt+0x1bd/0x390 [ 1096.979127] ? kernel_accept+0x310/0x310 [ 1096.983206] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1096.988765] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1096.993625] __x64_sys_setsockopt+0xbe/0x150 [ 1096.998035] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1097.003070] do_syscall_64+0x1b1/0x800 [ 1097.006945] ? finish_task_switch+0x1ca/0x840 [ 1097.011431] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1097.016348] ? syscall_return_slowpath+0x30f/0x5c0 [ 1097.021272] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1097.026629] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1097.031467] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1097.036643] RIP: 0033:0x4559f9 [ 1097.039814] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1097.059011] RSP: 002b:00007f7b75d66c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 1097.066716] RAX: ffffffffffffffda RBX: 00007f7b75d676d4 RCX: 00000000004559f9 [ 1097.073992] RDX: 0000000000000004 RSI: 000000000000011b RDI: 0000000000000015 [ 1097.081257] RBP: 000000000072bea0 R08: 0000000000000018 R09: 0000000000000000 [ 1097.088528] R10: 0000000020000040 R11: 0000000000000246 R12: 00000000ffffffff [ 1097.095796] R13: 00000000004c1035 R14: 00000000004d0d90 R15: 0000000000000000 [ 1097.103061] ================================================================== [ 1097.110417] Disabling lock debugging due to kernel taint [ 1097.115999] Kernel panic - not syncing: panic_on_warn set ... [ 1097.115999] [ 1097.123380] CPU: 0 PID: 30714 Comm: syz-executor5 Tainted: G B 4.17.0+ #93 [ 1097.131703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 1097.135814] ALSA: seq fatal error: cannot create timer (-22) [ 1097.141055] Call Trace: [ 1097.141078] dump_stack+0x1b9/0x294 [ 1097.141096] ? dump_stack_print_info.cold.2+0x52/0x52 [ 1097.141113] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 1097.141133] ? xdp_umem_unpin_pages.isra.4+0x350/0x410 [ 1097.168295] panic+0x22f/0x4de [ 1097.171479] ? add_taint.cold.5+0x16/0x16 [ 1097.175624] ? do_raw_spin_unlock+0x9e/0x2e0 [ 1097.177981] binder: 30773:30783 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1097.180037] ? do_raw_spin_unlock+0x9e/0x2e0 [ 1097.180057] ? xdp_umem_unaccount_pages.isra.5+0x3d/0x80 [ 1097.180079] kasan_end_report+0x47/0x4f [ 1097.187124] binder: 30773:30783 BC_FREE_BUFFER u0000000000000000 no match [ 1097.191415] kasan_report.cold.7+0x76/0x2fe [ 1097.191431] check_memory_region+0x13e/0x1b0 [ 1097.191446] kasan_check_write+0x14/0x20 [ 1097.191461] xdp_umem_unaccount_pages.isra.5+0x3d/0x80 [ 1097.191478] xdp_umem_create+0xd6c/0x10f0 [ 1097.201089] binder: 30773:30783 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 [ 1097.207804] ? xdp_put_umem+0x240/0x240 [ 1097.207819] ? check_same_owner+0x320/0x320 [ 1097.207836] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 1097.207848] ? __might_sleep+0x95/0x190 [ 1097.207866] xsk_setsockopt+0x443/0x550 [ 1097.238342] binder: 30773:30783 BC_FREE_BUFFER u0000000000000000 no match [ 1097.241338] ? xsk_init_queue+0xf0/0xf0 [ 1097.241356] ? dlci_ioctl_set+0x40/0x40 [ 1097.241369] ? schedule+0xef/0x430 [ 1097.241390] ? security_socket_setsockopt+0x94/0xc0 [ 1097.282126] __sys_setsockopt+0x1bd/0x390 [ 1097.286263] ? kernel_accept+0x310/0x310 [ 1097.290321] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 1097.295867] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 1097.300704] __x64_sys_setsockopt+0xbe/0x150 [ 1097.305096] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 1097.310095] do_syscall_64+0x1b1/0x800 [ 1097.313965] ? finish_task_switch+0x1ca/0x840 [ 1097.318451] ? syscall_return_slowpath+0x5c0/0x5c0 [ 1097.323363] ? syscall_return_slowpath+0x30f/0x5c0 [ 1097.328286] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 1097.333641] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 1097.338469] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 1097.343648] RIP: 0033:0x4559f9 [ 1097.346820] Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 1097.365968] RSP: 002b:00007f7b75d66c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 1097.373660] RAX: ffffffffffffffda RBX: 00007f7b75d676d4 RCX: 00000000004559f9 [ 1097.380917] RDX: 0000000000000004 RSI: 000000000000011b RDI: 0000000000000015 [ 1097.388177] RBP: 000000000072bea0 R08: 0000000000000018 R09: 0000000000000000 [ 1097.395442] R10: 0000000020000040 R11: 0000000000000246 R12: 00000000ffffffff [ 1097.402695] R13: 00000000004c1035 R14: 00000000004d0d90 R15: 0000000000000000 [ 1097.410450] Dumping ftrace buffer: [ 1097.413978] (ftrace buffer empty) [ 1097.417673] Kernel Offset: disabled [ 1097.421278] Rebooting in 86400 seconds..